*In-works*
- Author: Pedric Kng
- Updated: 09 Oct 2020
AWS CodePipeline offers integration through CodeBuild stages; this tutorial illustrates how to integrate Checkmarx security scans (CxSAST, CxSCA and CxIAST) into the pipeline.
The tutorial workflow is broken down as follows:
- Create a pipeline with various CodeBuild stages
  - Continuous Integration (CI):
    - Stage 'Source':
      - Pull the source code from the Git repository
    - Stage 'Build Application':
      - Build the application
      - Execute SAST & SCA
      - Send SAST & SCA tickets to Jira (CxFlow)
      - Email alert on SAST & SCA scan completion via CloudWatch on the pipeline
    - Stage 'Build Container':
      - Build the Docker image with the CxIAST agent
      - Push the Docker image into AWS ECR
  - Continuous Deployment (CD):
    - Stage 'Deploy Container':
      - Deployment via AWS ECS
    - Stage 'Automated functional testing':
      - Automated functional testing for CxIAST
- Developer remediates via IDE
  - Review the Jira ticket as assigned
  - Use the IntelliJ IDE to remediate and execute a private scan (validate that the issue is fixed)
  - Commit the fixes to the repository and invoke the pipeline to close the ticket for the fix
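As an added example (not from the tutorial or its repository), a CodeBuild 'buildspec.yml' for the 'Build Application' stage above: it builds the application, runs SAST and SCA through CxFlow so that findings are ticketed in Jira, and takes credentials from SSM Parameter Store rather than from the repository. The project and application names, the parameter paths, the location of the CxFlow jar and the CxFlow command-line flags are assumptions; verify them against your CxFlow version.

```yaml
version: 0.2

env:
  variables:
    CX_PROJECT: "WebGoat-Legacy"      # assumed Checkmarx project name
    CX_APP: "WebGoat"                 # assumed CxFlow application name
  parameter-store:
    # Secrets are resolved from SSM Parameter Store at build time and never
    # committed with the source. CxFlow is a Spring Boot app, so these
    # environment names are assumed to bind to checkmarx.password / jira.token.
    CHECKMARX_PASSWORD: "/cx/checkmarx/password"   # assumed parameter path
    JIRA_TOKEN: "/cx/jira/token"                   # assumed parameter path

phases:
  install:
    runtime-versions:
      java: corretto8               # WebGoat Legacy is a Maven project; Java 8 assumed
  pre_build:
    commands:
      # Build first so the scan only runs on code that actually compiles
      - mvn -q -DskipTests package
  build:
    commands:
      # One CxFlow run submits the SAST scan (SCA too, when enabled in CxFlow's
      # application.yml, assumed to sit next to the jar) and opens or updates
      # Jira tickets for the findings. cx-flow.jar is assumed to be checked in
      # or staged in the build image. CODEBUILD_SOURCE_VERSION is set by
      # CodeBuild to the commit or branch being built.
      - java -jar cx-flow.jar --scan --f=. --app="$CX_APP" --cx-project="$CX_PROJECT" --branch="$CODEBUILD_SOURCE_VERSION" --bug-tracker=jira
  post_build:
    commands:
      - echo "SAST/SCA scan submitted for $CX_PROJECT ($CODEBUILD_SOURCE_VERSION)"

artifacts:
  files:
    - target/*.war                  # handed on to the 'Build Container' stage
```

The CodeBuild service role needs ssm:GetParameters on the two parameter paths and nothing broader, so that the scan credentials stay out of the build logs and the repository.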
For this tutorial, we will use the following:
- WebGoat Legacy Fork [1]
  - Branch 'Feature-awscodebuild': contains the AWS CodeBuild 'buildspec.yml'
  - Branch 'Fix_SQL_Injection_Login': with the SQL injection fix
[1] WebGoat Legacy Fork