Git IaC Scanning
Introduction
Sysdig has introduced Git Integrations as part of its Infrastructure as Code (IaC) solution. At this time, the integrations can be used to scan incoming Pull Requests (PRs) for security violations based on predefined policies. The results of the scanning evaluation are presented in the PR itself. If the check passes, the user can merge; if it fails, the user cannot merge. The information provided in the PR also points to the problem area to assist the user in remediation.
See the IaC Supportability Matrix to review the resources and file types currently supported.
Benefits and Use Cases
Infrastructure as Code helps move security protocols and standards down into the development pipeline, highlighting and resolving potential issues as early as possible in the development process. This benefits many players within the organization:
- Security and compliance personnel see reductions in violations and security risks
- DevOps managers can streamline processes and secure the pipeline
- Developers can detect issues early and have clear guidance on how to remediate them with minimal effort.
Process Overview
Sysdig currently supports Github, Bitbucket, GitLab, and Azure DevOps integrations.
In each case, you log in as admin, select Git Integrations, choose your flavor, configure it, and define which parts of the source to protect:
- The repositories (selected from the list)
- The folders within each repo (or all folders, using `/`)
- The branches (for pull request evaluations only)
Launching an Integration
1. Log in to Sysdig Secure as admin and choose the Settings button in the navigation bar.
2. Select Git Integrations.
3. Select the relevant integration type from the drop-down list and begin the configuration.
Configuration Steps
Github
This configuration toggles between the Sysdig Secure interface and the GitHub interface.
From the Git Integrations List page, choose GitHub and:
1. Enter an Integration Name and click Complete in GitHub. The GitHub interface opens in a new tab.
2. Sign in to GitHub and select where to install the Sysdig GitHub app. Click Configure.
3. Select All Repositories or define chosen repos and click Install. You will be redirected to the Integration page in Sysdig Secure when installation is complete. The Integration Status should show Active.
4. Click Add Sources on the new integration listing. Note: It’s possible to stop here; when you come back to the List page, you can click Configure Sources to resume.
5. Add Repos one at a time, defining the Folder(s) to be scanned. Choose Branches where Sysdig should run a Pull Request evaluation check. Define the branch using a regular expression. You can use `.*` to check PRs on all branches, or use `main`.
6. Click Add Source. Repeat as needed and click Save. The system automatically checks that valid folder names have been entered.
7. Review the Status on the Integrations List page, which shows any issues in the connection between Sysdig Secure and the Sysdig GitHub application:
   - Active: Everything is working as expected
   - Last Scanned: As soon as the integration is fully configured and active, a scan will be run. The Last Scanned field is updated after every scan (every 24 hours by default).
   - Not Installed: The Sysdig GitHub App is not installed
   - Suspended: The Sysdig GitHub App is suspended and needs to be resumed
See also the Additional Options.
Bitbucket
Prerequisites
1. Open your Bitbucket organization and create a designated account for Sysdig.
2. Configure the account’s access for the relevant workspace.
3. Create a new app password for the account:
   - Navigate to Personal Settings > App passwords, then click Create app password.
   - Assign the following permissions:
     - Account: Read
     - Repositories: Read, Write, Admin
     - Pull requests: Read, Write
     - Webhooks: Read and write
   - Click Create.
Add Bitbucket Integration
In Sysdig, navigate to the Git Integration screen.
1. Click Add Git Integration and choose Bitbucket.
2. Fill in the details, including the app password created in the prerequisites step.
3. Click Add to complete. You will be redirected to the Integration page in Sysdig Secure when installation is complete. The Integration Status should show Active.
4. Click Add Sources on the new integration listing.
5. Add Repos one at a time, defining the Folder(s) to be scanned. Choose Branches where Sysdig should run a Pull Request evaluation check. Define the branch using a regular expression. You can use `.*` to check PRs on all branches, or use `main`.
6. Repeat as needed and click Save. The system automatically checks that valid folder names have been entered.
7. Review the Status on the Integrations List page, which shows any issues in the connection between Sysdig Secure and the Sysdig Bitbucket application:
   - Active: Everything is working as expected
   - Not Installed: The Sysdig Bitbucket App is not installed
   - Suspended: The Sysdig Bitbucket App is suspended and needs to be resumed
See also the Additional Options.
GitLab
Prerequisites in GitLab UI:
- Log in to your GitLab organization and create a designated account for Sysdig Secure.
- Configure the account’s access for Projects.
- Create a unique personal access token, setting:
  - A unique name for the token
  - A token expiration date
  - The following scopes for the token: `api`, `read_repository`, `write_repository`
- Copy the token value.
Add the Integration
From the Git Integrations List page, choose GitLab and:
1. Enter an Integration Name and the Token from the prerequisite step.
2. Click Test Connection, then click Add. The Manage Integration page is displayed.
3. Click Add Sources on the new integration listing.
4. Add Repos one at a time, defining the Folder(s) to be scanned. Choose Branches where Sysdig should run a Pull Request evaluation check. Define the branch using a regular expression. You can use `.*` to check PRs on all branches, or use `main`. The system automatically checks that valid folder names have been entered.
5. Review the Status on the Integrations List page.
See also the Additional Options.
Azure DevOps
Prerequisites in Azure DevOps UI
- Log in to your Azure DevOps organization and create a designated account for Sysdig Secure for cloud.
- Account Access: Configure the account’s access for Repositories and Projects.
- Account Subscription Permissions: Assign View, Edit, and Delete subscriptions permissions to the account.
  HINT: To grant the required subscription access using the Azure CLI:
  - ServiceHooks Namespace: Run `az devops security permission namespace list --output table` and record the ServiceHooks namespace ID.
  - PublisherSecurity Token: Run `az devops security permission update --allow-bit 7 --namespace-id {{ServiceHooks namespace Id}} --subject {{accountUserEmail}} --token PublisherSecurity --output table`
- Personal Access Token: Retrieve a unique personal access token.
  - Record the token value
  - Token Scope: Set to Custom Defined
  - Code Scope: Choose Read, Write, and Status permissions
  - Extensions Scope: Choose Read permission
  - For additional help, see the Azure DevOps documentation
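The two Azure CLI commands in the hint above are usually run by hand. The script below is an added example (not Sysdig's or Azure's code) that shows where the `--allow-bit 7` value comes from: it reads the JSON form of the `namespace list` output, finds the ServiceHooks namespace, ORs together the bits of only the View, Edit and Delete subscription actions, and assembles the `permission update` call. The JSON field names (`namespaceId`, `name`, `actions[].bit`, `actions[].name`) are assumed to follow the Azure DevOps security-namespace schema; the namespace IDs are placeholders and the action bits are constructed so that View+Edit+Delete sums to the page's value of 7. Run it against real output with `az devops security permission namespace list --output json`.

```python
import json
import shlex

# Constructed sample of `az devops security permission namespace list --output json`.
# Field names are an assumption about the Azure DevOps schema; IDs are placeholders and
# the action bits are chosen so that View+Edit+Delete gives the page's --allow-bit of 7.
SAMPLE_NAMESPACES_JSON = json.dumps([
    {"namespaceId": "PLACEHOLDER-PROJECT-NAMESPACE-ID", "name": "Project",
     "actions": [{"bit": 1, "name": "GENERIC_READ"}, {"bit": 2, "name": "GENERIC_WRITE"}]},
    {"namespaceId": "PLACEHOLDER-SERVICEHOOKS-NAMESPACE-ID", "name": "ServiceHooks",
     "actions": [{"bit": 1, "name": "ViewSubscriptions"},
                 {"bit": 2, "name": "EditSubscriptions"},
                 {"bit": 4, "name": "DeleteSubscriptions"},
                 {"bit": 8, "name": "PublishEvents"}]},
])

# The three subscription permissions the page says the Sysdig account needs, and nothing more.
REQUIRED_ACTIONS = ("ViewSubscriptions", "EditSubscriptions", "DeleteSubscriptions")


def find_namespace(namespaces_json, name="ServiceHooks"):
    """Locate one security namespace by name in the CLI's JSON output."""
    for namespace in json.loads(namespaces_json):
        if namespace.get("name") == name:
            return namespace
    raise LookupError(f"security namespace {name!r} not found")


def allow_bit_for(namespace, required=REQUIRED_ACTIONS):
    """OR together the bits of exactly the required actions; refuse if any is missing."""
    bits = {action["name"]: int(action["bit"]) for action in namespace["actions"]}
    missing = [name for name in required if name not in bits]
    if missing:
        raise ValueError(f"namespace lacks actions: {missing}")
    mask = 0
    for name in required:
        mask |= bits[name]
    return mask


def build_update_command(namespace_id, subject, allow_bit):
    """Argument vector for the `az devops security permission update` call from the page."""
    return ["az", "devops", "security", "permission", "update",
            "--allow-bit", str(allow_bit),
            "--namespace-id", namespace_id,
            "--subject", subject,
            "--token", "PublisherSecurity",
            "--output", "table"]


def plan_grant(namespaces_json, subject):
    """Return (namespace id, allow-bit mask, argv) for granting the subscription permissions."""
    namespace = find_namespace(namespaces_json)
    mask = allow_bit_for(namespace)
    return namespace["namespaceId"], mask, build_update_command(namespace["namespaceId"], subject, mask)


if __name__ == "__main__":
    # Placeholder subject; use the designated Sysdig account's e-mail in practice.
    ns_id, mask, argv = plan_grant(SAMPLE_NAMESPACES_JSON, "sysdig-scanner@example.com")
    print(f"ServiceHooks namespace: {ns_id}")
    print(f"allow-bit mask for View+Edit+Delete subscriptions: {mask}")
    print(shlex.join(argv))
```

Because the mask is built only from the named actions, the account never receives the PublishEvents bit, which keeps the grant at the minimum the integration needs.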
Add the Integration
From the Git Integrations List page, choose Azure DevOps and:
1. Enter an Integration Name, Organization Name, and the Personal Access Token from the prerequisite step.
2. Click Test Connection, then click Add. The Manage Integration page is displayed.
3. Click Add Sources on the new integration listing.
4. Add Repos one at a time, defining the Folder(s) to be scanned. Choose Branches where Sysdig should run a Pull Request evaluation check (below). Define the branch using a regular expression. You can use `.*` to check PRs on all branches, or use `main`. The system automatically checks that valid folder names have been entered.
5. Review the Status on the Integrations List page.
See also the Additional Options.
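Every integration above ends with the same Add Sources step: a repo, the folders to scan (`/` for all), and a branch regular expression such as `.*` or `main`. The following added example (not Sysdig's code) models that scoping so you can check, before opening a PR, which changed files a source would actually put in front of the policy check. The `GitSource` field names, the use of a full-string match for the branch regex (so that `main` does not also match a branch such as `release-main`), and the folder-name acceptance rules are all assumptions; the page only says that folder names are validated, not how.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GitSource:
    """One source as configured in the Sysdig UI. Field names are an assumption."""
    repo: str
    folders: tuple          # relative folder paths, or ("/",) for the whole repo
    branch_pattern: str     # regular expression for PR target branches


def validate_folders(folders):
    """Return a list of problems; an empty list means every folder name is acceptable.
    These acceptance rules are an assumption about what a 'valid folder name' is."""
    problems = []
    for folder in folders:
        if folder == "/":
            continue
        if folder == "" or folder.startswith("/") or folder.endswith("/"):
            problems.append(f"{folder!r}: use '/' for all folders, otherwise a relative path "
                            "without a leading or trailing slash")
            continue
        if any(segment in ("", ".", "..") for segment in folder.split("/")):
            problems.append(f"{folder!r}: empty, '.' or '..' path segments are not allowed")
    return problems


def branch_in_scope(pattern, branch):
    """True when the PR target branch matches the configured regex as a whole string."""
    try:
        regex = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid branch regular expression {pattern!r}: {exc}") from None
    return regex.fullmatch(branch) is not None


def folder_in_scope(folders, path):
    """True when the file path sits under one of the configured folders ('/' = all)."""
    for folder in folders:
        if folder == "/":
            return True
        if path.startswith(folder.rstrip("/") + "/"):   # segment-aware prefix test
            return True
    return False


def files_to_evaluate(source, target_branch, changed_files):
    """Changed files the PR evaluation would cover for this source, or [] if out of scope."""
    if not branch_in_scope(source.branch_pattern, target_branch):
        return []
    return [path for path in changed_files if folder_in_scope(source.folders, path)]


if __name__ == "__main__":
    # Constructed source and PR: repo and paths are placeholders.
    source = GitSource(repo="example-org/infra", folders=("terraform/prod", "k8s"),
                       branch_pattern="main")
    changed = ["terraform/prod/main.tf", "k8s/deploy.yaml", "k8s-tests/deploy.yaml", "README.md"]
    print("folder problems:", validate_folders(source.folders))
    print("PR into main:", files_to_evaluate(source, "main", changed))
    print("PR into release-main:", files_to_evaluate(source, "release-main", changed))
```

Note the two edge cases the functions handle: a prefix test that treats `k8s` and `k8s-tests` as different folders, and a branch match that is anchored to the whole branch name, so `.*` is the pattern to use when every branch should be checked.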
Additional Options
From the Integrations List page, you can use the burger (3-dot) menu for additional options on an integration.
Start Code Scan Manually
Use this option to trigger a scan before the default 24-hour time is reached.
Delete an Integration
This action deletes associated sources as well.
Pull Request Policy Evaluation
For the branches defined in Git Sources, Sysdig will run a Pull Request Policy Evaluation check. The check scans the Infrastructure-as-Code files in the pull request and identifies violations against the predefined policies.
The result of the check contains the list of violations, their severity, and the list of failed resources per file.
Example output for GitHub:
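To make the shape of that result concrete, here is an added example (not Sysdig's scanner or its policy set, and not the GitHub output referred to above): a small policy evaluation over resources already parsed from the PR's manifests. The resources, the three policies and their severities are constructed for illustration; the report it builds carries the three elements the page names (violations, severity, failed resources per file) and a pass/fail conclusion, with the assumption that any violation fails the check.

```python
from collections import defaultdict

# Constructed sample: resources parsed from the PR's IaC files, keyed by file path.
# Parsing is skipped so the example runs offline; paths and names are placeholders.
PR_FILES = {
    "k8s/api/deployment.yaml": [
        {"kind": "Deployment", "name": "api",
         "containers": [{"name": "api", "privileged": True, "limits": {"cpu": "500m"}}]},
    ],
    "k8s/worker/deployment.yaml": [
        {"kind": "Deployment", "name": "worker", "hostNetwork": True,
         "containers": [{"name": "worker", "privileged": False, "limits": {}}]},
    ],
    "k8s/svc/service.yaml": [
        {"kind": "Service", "name": "api"},
    ],
}


# Constructed policies: (name, severity, predicate that is True when the resource violates it).
def _privileged(resource):
    return any(c.get("privileged") for c in resource.get("containers", []))


def _host_network(resource):
    return bool(resource.get("hostNetwork"))


def _no_limits(resource):
    return any(not c.get("limits") for c in resource.get("containers", []))


POLICIES = [
    ("Privileged container", "High", _privileged),
    ("Host network enabled", "High", _host_network),
    ("Missing resource limits", "Medium", _no_limits),
]


def evaluate_file(path, resources, policies=POLICIES):
    """Run every policy over every resource in one file and collect the violations."""
    violations = []
    for resource in resources:
        for policy, severity, check in policies:
            if check(resource):
                violations.append({"file": path, "resource": f"{resource['kind']}/{resource['name']}",
                                   "policy": policy, "severity": severity})
    return violations


def evaluate_pull_request(pr_files, policies=POLICIES):
    """Group violations per file with the failed resources, and decide pass/fail."""
    violations = [v for path, resources in pr_files.items()
                  for v in evaluate_file(path, resources, policies)]
    per_file = defaultdict(lambda: {"violations": [], "failed_resources": []})
    for v in violations:
        entry = per_file[v["file"]]
        entry["violations"].append({"policy": v["policy"], "severity": v["severity"],
                                    "resource": v["resource"]})
        if v["resource"] not in entry["failed_resources"]:
            entry["failed_resources"].append(v["resource"])
    # Assumption: any violation fails the check and therefore blocks the merge.
    return {"conclusion": "failed" if violations else "passed",
            "files": dict(per_file), "violations": violations}


def render_check(report):
    """Plain-text rendering of the kind of summary that would be posted on the PR."""
    lines = [f"IaC policy evaluation: {report['conclusion'].upper()}"]
    for path, entry in sorted(report["files"].items()):
        lines.append(f"{path} - failed resources: {', '.join(entry['failed_resources'])}")
        for v in entry["violations"]:
            lines.append(f"  [{v['severity']}] {v['policy']} ({v['resource']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_check(evaluate_pull_request(PR_FILES)))
```

Files with no violations (the Service above) do not appear in the per-file section, which mirrors the page's description of a failed-resources list per file rather than a list of every file scanned.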