SAST Scanning via API Keys
The following steps allow organizations to automatically scan releases of their source code using existing developer tools and processes. DevOps can fully automate the SDLC by integrating our API to existing CI/CD tools such as Azure DevOps, Travis CI, Jenkins, Bitrise, fastlane, Xcode server, etc.
Note: If your organization is using Github, Bitbucket or Gitlab, we recommend using the fully-integrated Data Theorem SAST plugins, see onboarding steps from the DevSecOps page in the Data Theorem portal:
Quickstart guide
Step 1: Retrieving the SAST Scanning API key
First, you will need to retrieve/create an API Key from the Data Theorem portal, at Data Theorem
Make sure that the SAST Scanning
permission is enabled for this API Key
Step 2: Configuring an upload step in CI/CD
Most CI/CD systems (Travis CI, Bitrise, CircleCI, etc.) allow running a bash script as a step within the CI pipeline. A new step should be added at the end of your existing pipeline to request a SAST scan from Data Theorem.
This new upload step requires:
The API key retrieved in step 1 to be available in the CI system
via the DT_SAST_SCANNING_API_KEY environment variable.The name of the source code repository to be available in the CI system
via the DT_SAST_SCANNING_REPOSITORY_NAME environment variable.
The following bash script can then be used as the upload step:
#!/bin/env bash
# Fail if any commands fails
set -e
if [ -z "$DT_SAST_SCANNING_API_KEY" ]; then
echo "DT_SAST_SCANNING_API_KEY is not set!"
exit 1
fi
if [ -z "$DT_SAST_SCANNING_REPOSITORY_NAME" ]; then
echo "DT_SAST_SCANNING_REPOSITORY_NAME is not set!"
exit 1
fi
file_name="${DT_SAST_SCANNING_REPOSITORY_NAME}.bundle"
echo "Preparing for upload"
git bundle create $file_name HEAD --all
file_size=$(stat -c%s $file_name)
echo "Requesting upload URL from Data Theorem"
upload_init_response=$(curl -s -w "%{http_code}" -X POST -H "Authorization: APIKey ${DT_SAST_SCANNING_API_KEY}" -H "Content-Type: application/json" -d "{\"file_name\": \"$file_name\", \"file_size\": $file_size}" "https://api.securetheorem.com/apis/devops/v1/asset_scans/sast_scans")
http_code=${upload_init_response: -3}
response_body=${upload_init_response::-3}
# Check that http status code is 200
[ ! ${http_code} -eq 200 ] && echo ${response_body} && exit 1
upload_url=$(echo ${response_body} | jq -r ".upload_url")
if [ -z "$upload_url" ]; then
exit 1
fi
echo "Starting upload"
upload=$(curl -X PUT --data-binary "@$file_name" $upload_url)
if [ $? -ne 0 ]; then
echo "Upload Failed!"
exit 1
fi
echo "Done"
Scanning is done in the background and should take a few minutes to complete.
Log into the Data Theorem Portal at Data Theorem to view the scan results.
Step 3 (Optional): Track scan status
Data Theorem provides APIs that can check the status of the SAST scan, it can for example be used to make your CI/CD pipeline wait for the end of the scan
Sample Script:
#!/bin/env bash
# Fail if any commands fails
set -e
if [ -z "$DT_SAST_SCANNING_API_KEY" ]; then
echo "DT_SAST_SCANNING_API_KEY is not set!"
exit 1
fi
if [ -z "$DT_SAST_SCANNING_REPOSITORY_NAME" ]; then
echo "DT_SAST_SCANNING_REPOSITORY_NAME is not set!"
exit 1
fi
file_name="${DT_SAST_SCANNING_REPOSITORY_NAME}.bundle"
base_url="https://api.securetheorem.com/apis"
echo "Preparing for upload"
git bundle create $file_name HEAD --all
file_size=$(stat -c%s $file_name)
echo "Requesting upload URL from Data Theorem"
upload_init_response=$(curl -s -w "%{http_code}" -X POST -H "Authorization: APIKey ${DT_SAST_SCANNING_API_KEY}" -H "Content-Type: application/json" -d "{\"file_name\": \"$file_name\", \"file_size\": $file_size}" "{$base_url}/devops/v1/asset_scans/sast_scans")
http_code=${upload_init_response: -3}
response_body=${upload_init_response::-3}
# Check that http status code is 200
[ ! ${http_code} -eq 200 ] && echo ${response_body} && exit 1
upload_url=$(echo ${response_body} | jq -r ".upload_url")
if [ -z "$upload_url" ]; then
exit 1
fi
request_id=$(echo ${response_body} | jq -r ".request_id")
if [ -z "$upload_url" ]; then
exit 1
fi
echo "Starting upload"
upload=$(curl -X PUT --data-binary "@$file_name" $upload_url)
if [ $? -ne 0 ]; then
echo "Upload Failed!"
exit 1
fi
max_wait_seconds=600 # 10 minutes max
current_wait=0
wait_step=10
while [ "$current_wait" -lt "$max_wait_seconds" ]; do
sleep "$wait_step"
((current_wait += wait_step))
scan_response=$(curl --silent -H "Authorization: APIKey ${DT_SAST_SCANNING_API_KEY}" \
"${base_url}/devops/v1/asset_scans/sast_scans/${request_id}")
scan_status=$(echo "$scan_response" | jq -r '.status // "QUEUED"')
echo "Checking scan status: $scan_status"
if [ "$scan_status" = "FAILED" ]; then
exit 1
fi
if [ "$(echo "$scan_response" | jq -r '.results')" != "null" ]; then
echo "Scan results are available!"
echo "$(echo "$scan_response" | jq -c .)"
break
fi
done