HuskyCI : Performing Security Tests Inside Your CI

HuskyCI is an open source tool that orchestrates security tests and centralizes all results into a database for further analysis and metrics. It can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (Npm Audit and Yarn Audit), Golang (Gosec), and Java (SpotBugs plus Find Sec Bugs). It can also audit repositories for secrets like AWS Secret Keys, Private SSH Keys, and many others using GitLeaks.

How does it work?

Developers add a new stage to their project's CI pipeline; that stage downloads the huskyCI client, which sends the repository to the huskyCI API, where the security tests run in Docker containers and the results are stored in MongoDB.


Installation

MongoDB

Set up a MongoDB using your desired OS/configuration (preferably secure).

Docker API (CentOS instructions)

Install Docker and expose its API:

  • Install docker-engine:

yum install docker-engine

  • Create a docker service folder:

mkdir /etc/systemd/system/docker.service.d

  • Create an override.conf drop-in for the Docker service:

vim /etc/systemd/system/docker.service.d/override.conf

  • Add this content to override.conf:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376

  • Reload daemon:

systemctl daemon-reload

  • Restart docker:

systemctl restart docker.service

  • Test docker API locally:

curl localhost:2376/v1.24/version

Securing your Docker API (recommended, since the configuration above exposes an unauthenticated API on port 2376):

  • Create certificates folder:

mkdir /data/certs && cd /data/certs

  • Download the create-certs.sh script from the huskyCI repository:

wget https://raw.githubusercontent.com/globocom/huskyCI/master/deployments/scripts/create-certs.sh

  • Set environment variables with the certificates' information:

echo 'export CERT_PASSPHRASE="mypassword$RANDOM"' > .env
echo 'export CERT_DOCKER_API_HOST="address.to.dockerapi.host"' >> .env
echo 'export CERT_HUSKYCI_HOST="address.to.huskyci.host"' >> .env

. .env

  • Create CA certificate:

./create-certs.sh -m ca -pw $CERT_PASSPHRASE -t . -e 900

  • Create docker API server certificate:

./create-certs.sh -m server -h $CERT_DOCKER_API_HOST -pw $CERT_PASSPHRASE -t . -e 365

  • Create docker API client certificate:

./create-certs.sh -m client -h $CERT_HUSKYCI_HOST -pw $CERT_PASSPHRASE -t . -e 365

  • Update override.conf configuration:

vim /etc/systemd/system/docker.service.d/override.conf

  • Add this new content to override.conf:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/data/certs/ca.pem --tlscert=/data/certs/server-cert.pem --tlskey=/data/certs/server-key.pem -H fd:// -H tcp://0.0.0.0:2376

  • Reload daemon:

systemctl daemon-reload

  • Restart docker:

systemctl restart docker.service

  • Test secure docker API locally:

curl -k https://localhost:2376/v1.24/version --cert /data/certs/client-cert.pem --key /data/certs/client-key.pem --cacert /data/certs/ca.pem

You now need to save ca.pem, client-key.pem and client-cert.pem on the huskyCI host so it can connect to the Docker API securely! 🔒

Pulling images

After setting up the Docker API, you can pull the huskyCI images onto this host now, or let huskyCI pull them automatically when it receives its first requests (which may take some time). If you prefer the first strategy, use the following commands:

docker pull huskyci/enry
docker pull huskyci/bandit
docker pull huskyci/safety
docker pull huskyci/brakeman
docker pull huskyci/gosec
docker pull huskyci/spotbugs
docker pull huskyci/npmaudit
docker pull huskyci/yarnaudit
docker pull huskyci/gitauthors
docker pull huskyci/gitleaks

API (tsuru PaaS instructions)

  • Go to the tool's folder:

cd $GOPATH/src/github.com/globocom/huskyCI

  • Copy the certificates generated above into the api folder:

cp $MYCERTFOLDER/{ca.pem,client-key.pem,client-cert.pem} api/

  • Rename client-key.pem and client-cert.pem so huskyCI reads the right files when deploying:

mv client-key.pem key.pem
mv client-cert.pem cert.pem

  • Build it:

make build

  • Create a new Tsuru app:

tsuru app-create huskyCI go

tsuru env-set MONGO_HOST=urlto.mongo.com -p

If you want the API to use HTTPS, generate api-tls-cert.pem and api-tls-key.pem before deploying. You should also set the HUSKY_API_ENABLE_HTTPS environment variable to true.

  • If you've decided to use the secure Docker API method described above, set these environment variables with the commands below:

tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_CERT_FILE_VALUE="$(cat /path/to/my/file)"
tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_CERT_KEY_VALUE="$(cat /path/to/my/file)"
tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_CERT_CA_VALUE="$(cat /path/to/my/file)"

  • Deploy it in tsuru (HTTP):

tsuru app-deploy -a huskyCI api/huskyci api/config.yaml Procfile

  • Deploy it in Tsuru (HTTPS enabled):

tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_API_TLS_CERT_VALUE="$(cat /path/to/my/file)"
tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_API_TLS_KEY_VALUE="$(cat /path/to/my/file)"
tsuru app-deploy -a huskyCI api/huskyci api/config.yaml Procfile

Client (tsuru PaaS instructions)

  • Build the client locally (Linux binary):

make build-client-linux

  • Create a static Tsuru app:

tsuru app-create huskyCI-client static

  • Deploy the client in Tsuru:

tsuru app-deploy -a huskyCI-client huskyci-client

Developer's CI

Kindly ask your development team to add a new stage to their project's CI (.gitlab-ci.yml example):

stages:
  - huskyCI

huskyCI:
  stage: huskyCI
  variables:
    HUSKYCI_CLIENT_URL: http://urlto.huskyci-client
    HUSKYCI_CLIENT_API_ADDR: http://urlto.huskyci-API
    HUSKYCI_CLIENT_REPO_URL: gitlab@gitlab.YOURORG.com:$CI_PROJECT_PATH.git
    HUSKYCI_CLIENT_REPO_BRANCH: $CI_COMMIT_REF_NAME
    HUSKYCI_CLIENT_API_USE_HTTPS: "false"
  script:
    - wget $HUSKYCI_CLIENT_URL/huskyci-client
    - chmod +x huskyci-client
    - ./huskyci-client
