Travis CI

Travis CI is a Continuous Integration / Continuous Delivery (CI/CD) platform that enables developers to quickly and easily build, test and deploy code. The easy-of-use and flexibility offered by Travis CI is core to software development as part of a modern DevOps toolchain. Travis CI supports the development process by automatically building and testing code changes in smaller increments, providing immediate feedback on the success of the change.

Depending on the use case, you can apply multiple options for running scans from your CI pipeline.

To get started with Travis CI using Github

  1. Go to Travis CI and Sign up with Github.
  2. Click on your profile picture on top right corner, click Settings and then Activate green button. After that choose GitHub repositories you want to use with Travis CI or select all repositories.
  3. Add a .travis.yml file to your repository to tell Travis CI what to do.

Configure and build a scan

Prerequisites:

  1. Make a valid organization or personal API key (NEXPLOIT_TOKEN) with all or following scopes: bot, scans : run, scans : read, scans : stop.

  2. Create NEXPLOIT_TOKEN variable on your Travis CI machine:
    More options > Settings > Add Environment Variables.

14621462

Configure a .travis.yml file:

15141514

Add the .travis.yml file to your repository branch and commit to trigger a Travis CI build:

14651465

The scan is configured to stop when a medium issue is detected.

Monitoring the scan progress and checking issues:

18931893

Configure and build a scan with the repeater

Prerequisites:

  1. Make a valid organization or personal API key (NEXPLOIT_TOKEN) with all or following scopes: bot, scans : run, scans : read, scans : stop.

  2. Make the Repeater with a valid ID “REPEATER”.

  3. Create the NEXPLOIT_TOKEN and REPEATER variable on your Travis CI machine: More options > Settings > Add Environment Variables.

15221522

Configure the .docker-compose.yml file.
Add a .docker-compose.yml file to your repository on another branch and commit the file:

15241524

Configure .travis.yml file:

15151515

Add the .travis.yml file to your same repository branch and commit to trigger a Travis CI build:

14711471

Monitoring the scan progress and checking issues:

18801880

The scan is configured to stop when a medium issue is detected.

Use Cases

Scanning a Target in a Private Environment

You can run fast scans of the application which is currently under development within your pipeline. Bright allows you to follow the fail-fast principle by interrupting a scan automatically at the first detected vulnerability. Using this option, you are able to quickly and timely reveal and fix the security issues at the build level without delaying the whole development process.

As the scan target is closed within your pipeline, the Bright engine cannot access it directly from the cloud. In this case, you can use a Repeater which serves as a request-proxy between Bright and a scan target inside your private environment. You should first register (create) the Repeater in the Bright app, and then connect it to your pipeline using the generated Repeater ID.

To run scans directly from your pipeline, you need to install the Bright CLI. It provides an easy-to-use interface and multiple commands you can use in your Travis flow.

You can either run the Bright CLI with the Repeater using the NPM or by installing the Bright's Docker image inside your pipeline.

Find the examples here:

 

 

Scanning a Target in a Public Environment

Upon a release of a new build, you can run a complete scan of the target in the production or public pre-production environment. In this case, long scans will not interfere with the development process as compared to scanning in the private environment.

Depending on the access to the deployed target, you can run a scan using multiple options.

  • If the scan target is accessible from the Internet:

    Directly from the Bright app
    From your pipeline using the Bright CLI (NPM implementation). Find the example here.

 

18271827

 

  • If the scan target has a private access (or if you want to scan specific local microservices), you can use a Repeater (scan proxy) to ensure secure communication between Bright and the scan target. In this case, you can only control scanning via the Bright CLI, which can be installed using either the NPM or the Docker image.

 

 

Find the examples here:


Did this page help you?