Git IaC Scanning
Introduction
Sysdig has introduced Git Integrations as part of its Infrastructure as Code (IaC) solution. At this time, the integrations can be used to scan incoming Pull Requests (PRs) for security violations based on predefined policies. The results of the scanning evaluation are presented in the PR itself. If passed, the user can merge; if failed, the user cannot merge. Information provided in the PR also targets the problem area to assist the user in remediation.
See the IaC Supportability Matrix to review the resources and file types currently supported.
Benefits and Use Cases
Infrastructure as Code helps move security protocols and standards down into the development pipeline, highlighting and resolving potential issues as early as possible in the development process. This benefits many players within the organization:
- Security and compliance personnel see reductions in violations and security risks
- DevOps managers can streamline processes and secure the pipeline
- Developers can detect issues early and have clear guidance on how to remediate them with minimal effort.
Process Overview
Sysdig currently supports Github, Bitbucket, GitLab, and Azure DevOps integrations.
Configure the Integration
An administrator can configure an integration by opening the Git Integrations page, located inside the Integrations section. From there, you can set up Git integrations for the supported providers. Once the Git integration is ready, add Git Sources, which define the parts of the source to protect:
- The repositories (selected from the list)
- The folders within each repo (or all folders, using "/")
- The branch pattern (for pull request evaluations only)
Run Scan and Check Results
When an integration is configured and a scan is run, the results are presented in the Pull Request Check Report in, e.g., GitHub.
Setting up a Git Integration
Log in to Sysdig Secure as an administrator user and open Integrations from the menu. Select Git Integrations. Select the relevant integration type from the drop-down list and begin the configuration, depending on the provider type.
Github
This configuration toggles between the Sysdig Secure interface and the Github interface.
From the Git Integrations List page, choose Github and:
1. Enter an Integration Name and click Complete in Github. The Github interface opens in a new tab.
2. Sign in to Github and select where to install the Sysdig Github app. Click Configure.
3. Select All Repositories or define chosen repos and click Install.
4. You will be redirected to the Integration page in Sysdig Secure when installation is complete. The Integration Status should show Active. Continue with Validation and Adding Git Sources.
Bitbucket
Prerequisites
- Open your Bitbucket organization and create a designated account for Sysdig.
- Configure the account’s access for the relevant workspace.
- Create a new app password for the account:
  - Navigate to Personal Settings > App passwords, then click Create app password.
  - Assign the following permissions:
    - Account: Read
    - Repositories: Read, Write, Admin
    - Pull requests: Read, Write
    - Webhooks: Read and write
  - Click Create.
Add Bitbucket Integration
In Sysdig, navigate to the Git Integration screen.
1. Click Add Git Integration and choose Bitbucket.
2. Fill in the details, including the app password created in the prerequisites step. You can find the Workspace ID in the Bitbucket workspace settings.
3. Click Add to complete.
4. You will be redirected to the Integration page in Sysdig Secure when installation is complete. The Integration Status should show Active. Continue with Validation and Adding Git Sources.
GitLab
Prerequisites in GitLab UI:
- Log in to your GitLab organization and create a designated account for Sysdig Secure.
- Configure the account’s access for Projects.
- Create a unique personal access token, setting a:
  - Unique name for the token
  - Token expiration date
  - The following scopes for the token: api, read_repository, write_repository
- Copy the token value.
Add the Integration
From the Git Integrations List page, choose GitLab and:
1. Enter an Integration Name and the Token from the prerequisite step.
2. Click Test Connection, then click Add.
3. You will be redirected to the Integration page in Sysdig Secure when installation is complete. The Integration Status should show Active. Continue with Validation and Adding Git Sources.
Azure DevOps
Prerequisites in Azure DevOps UI
- Log in to your Azure DevOps organization and create a designated account for Sysdig Secure for cloud.
- Account Access: Configure the account’s access for Repositories and Projects.
- Account Subscription Permissions: Assign View, Edit, and Delete subscriptions permissions to the account. HINT: To grant the required subscription access using the Azure CLI:
  - ServiceHooks Namespace: Run the following and record the ServiceHooks namespace ID:
    az devops security permission namespace list --output table
  - PublisherSecurity Token: Run the following, substituting the recorded namespace ID and the account’s user email:
    az devops security permission update --allow-bit 7 --namespace-id {{ServiceHooks namespace Id}} --subject {{accountUserEmail}} --token PublisherSecurity --output table
- Personal Access Token: Retrieve a unique personal access token.
  - Record the token value.
  - Token Scope: Set to Custom Defined.
  - Code Scope: Choose Read, Write, and Status permissions.
  - Extensions Scope: Choose Read permission.
  - For additional help, see the Azure DevOps documentation.
Add the Integration
From the Git Integrations List page, choose Azure DevOps and:
1. Enter an Integration Name, Organization Name, and the Personal Access Token from the prerequisite step.
2. Click Test Connection, then click Add.
3. You will be redirected to the Integration page in Sysdig Secure when installation is complete. The Integration Status should show Active. Continue with Validation and Adding Git Sources.
Validate the Git Integration
After adding a Git Integration, you will be redirected to the Git integration configuration page.
All configured integrations are also visible in the Integrations -> Git Integrations page. Clicking on an entry will open the configuration page for that integration.
The status and details of the Git Integration are displayed both at the top of the configuration page and in the list.
Integration Status
You can review the Status field as a column on the Integrations List page or in the configuration page. It shows any issues in the connection between Sysdig Secure and the Git provider:
- Active: Everything is working as expected
- Not Installed (Github only): The Sysdig Github App is not installed
- Suspended (Github only): The Sysdig Github App is suspended and needs to be resumed
Last Scanned Date
As soon as the integration is fully configured and active, a scan will be run. The Last Scanned field is updated after every scan (every 24 hours by default).
Additional Options
From the Integrations List page, you can use the burger (3-dot) menu for additional options on an integration:
- Manage Integration: Open the Git integration configuration page, same as clicking on the row in the list.
- Start Code Scan: Use this option to manually trigger a scan before the default 24-hour time is reached.
- Configure in Github (Github only): Open the Sysdig application configuration page in Github.
- Delete: This action deletes the Git integration and all the associated sources as well.
Adding Git Sources
Git Sources allow you to define the repositories, folders, and branch patterns to scan within. First, you need to connect with a Git Provider as described above. Then, you can add Git Sources from the Git Integration configuration page:
1. Click Add Sources on the Git Integration configuration page.
2. Provide a Name for the source. The name will help you identify this source and can be anything, such as "Prod us-east cloud resources".
3. Choose a Repository and one or more Folder(s) to be scanned. The system automatically checks that valid folder names have been entered.
4. Define the Branches where Sysdig should run a Pull Request evaluation check. You need to provide a regular expression, and Sysdig will run the check on every branch whose name matches the regular expression. You can use the expression ".*" to check PRs on all branches, or use a fixed name like "main".
5. Click Add Source. The new source will be displayed in the list.
6. Repeat from step 1 to add as many sources as needed and click Save when done.
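The following is an added illustrative model of how a Git Source (repository, folders or "/", branch regular expression) selects which files of a pull request fall under evaluation; it is not Sysdig's code. It assumes the branch pattern must match the whole branch name and that a folder covers everything beneath it; the repository names, folder paths and PR data are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GitSource:
    """One Git Source: a repository, the folders inside it, and a branch pattern."""
    name: str
    repository: str
    folders: tuple          # ("/",) means every folder in the repository
    branch_pattern: str     # regular expression checked against the PR target branch


@dataclass(frozen=True)
class PullRequest:
    repository: str
    target_branch: str
    changed_files: tuple


def in_folder(path: str, folder: str) -> bool:
    """True when `path` lies inside `folder` ("/" covers the whole repository)."""
    if folder == "/":
        return True
    prefix = "/" + folder.strip("/") + "/"
    return ("/" + path.lstrip("/")).startswith(prefix)


def branch_matches(pattern: str, branch: str) -> bool:
    # Assumption: the pattern has to match the whole branch name, so a fixed
    # name such as "main" does not also select "main-old"; ".*" selects everything.
    return re.fullmatch(pattern, branch) is not None


def files_to_scan(source: GitSource, pr: PullRequest) -> list:
    """Files of `pr` this source covers; empty when the source does not apply."""
    if pr.repository != source.repository:
        return []
    if not branch_matches(source.branch_pattern, pr.target_branch):
        return []
    return [f for f in pr.changed_files
            if any(in_folder(f, d) for d in source.folders)]


# Constructed sample data: two sources on one repository and a PR into main.
PROD = GitSource("Prod us-east cloud resources", "acme/infra",
                 ("terraform/prod",), "main")
ALL = GitSource("Everything", "acme/infra", ("/",), ".*")
PR = PullRequest("acme/infra", "main",
                 ("terraform/prod/s3.tf", "terraform/dev/s3.tf", "README.md"))

if __name__ == "__main__":
    for src in (PROD, ALL):
        print(src.name, "->", files_to_scan(src, PR))
```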
Pull Request Policy Evaluation
For the branches defined in Git Sources, Sysdig will run a Pull Request Policy Evaluation check. The check scans the Infrastructure-as-Code files in the pull request and identifies violations against the predefined policies.
The result of the check contains the list of violations, their severity, and the list of failed resources per file.
Example output for GitHub: