Configuring Triangulum In Github Actions

Triangulum is the scanning engine that the Strobes platform uses. The following is a complete list of analyzers that Triangulum supports:

• Bandit
• Prowler
• ZAP
• Spotbugs
• Nodejs Scan
• Anchore
• Brakeman
• Eslint
• Phpcs
• Trivy
• SCodeScanner
• Gitleaks
• Gosec
• Flawfinder
• Cloudmapper
• Dependency
• Nmap
• Sonarqube
• Nessus
• Checkov
• Subfinder
• Cloudsploit
• Burpsuite
• Nuclei
• Semgrep
• MobSF
• ReconX

Using Triangulum you can initiate any of the above mentioned scans either locally or within the Github Actions CI/CD.

The difference between the 'Strobes API Scan' and the 'Triangulum CLI Scan' is that with the Strobes API Scan vulnerabilities will be sent back to Strobes from where you can manage those vulnerabilities.

Head over to the Github Marketplace and search for 'Strobes'. The search will return two results 'Strobes API Scan' and 'Triangulum CLI Scan'. We will be focusing on the 'Triangulum CLI Scan' in this article




Click on 'Triangulum CLI Scan' and click on 'Use latest version'. You will be provided with a snippet which you will have to include into your .yml file.



This configuration will allow you to invoke Triangulum scans. There are two parts to initiating a triangulum scan through github actions. They are as follows:

• The first part is creating a '.triangulum' folder and adding configurations for the scans that you need to invoke. For example, if you need to invoke a Bandit scan then you need to create a .yml configuration for bandit, and if you need to invoke a Gitleaks scan you need to create a .yml file for gitleaks. You can create config files for multiple scanners and they will all get invoked.
• The second part is creating a workflow on your Github repo to trigger the scan configurations created.

For the sake of demonstration we will be configuring and running a bandit scan against the code of DVPWA.

Creating a Bandit Configuration

• Create a folder named '.triangulum' in your Github Repo and add a file named 'bandit.yml'.
  
  
  
  
  
• In this file you can enter the 'Metadata', 'Options' and 'Rules'. Each of these are explained below:
  • Metadata : Under metadata you can add any metadata that you need like a 'name', 'date' etc and it requires the 'version' of triangulum being used.
  • Options : Under options you select the analyzer/scanner which you want to run from the mentioned list. The input parameters that you need to feed under options will differ for various analyzers. The following are the input fields required to configure a bandit scan:
    • • analyzer : The name of the analyzer. In this case the value will be 'bandit'
      • scan_data : The logs of the analyzer. You can choose from three options:
        - DEBUG
        - INFO
        - ERROR
      • extension : In this input field you enter whether the directory you are scanning is 'remote' or 'local'.
      • extension_data : In this input field you enter the path where your code exists.
  • Rules : You can input the number of issues identified at which you want your build to fail. The way you input rules is as follows:

    • • rules:
            critical: 1
            medium: 10

You can set rules for 'Critical', 'High', 'Medium', and 'Low' level issues.

A sample configuration in the .yml looks like the following:

triangulum:
  metadata:
    version: '1.3.0'

  options:
    analyzer: bandit
    scan_data:
      log: DEBUG
    extension: local
    extension_data:
      path: .

You can find the complete list of example configurations here.

Triggering a Scan Using Github Actions

• In your 'Github Repo' click on 'Actions' and click on 'Set up a workflow yourself' if you don't already have a workflow.
• Now a .yml file will be generated for you.
  
  
  
  
  
• Under your 'Steps' you will have to add the snippet which you have obtained from here.
• To trigger a Triangulum Scan one 'Input Parameter' is required and this input parameter will be defined under the 'with' key as follows:
  • 'download_url' : This url is used to download Triangulum and run. The download link for the latest version of triangulum can be found here.

A Sample Snippet in the .yml file looks like the following:

- name: Triangulum CLI Scan
  uses: strobes-co/triangulum-action@v1.1.0
  with:
    download_url: https://triangulum-cli.s3.ap-south-1.amazonaws.com/1.3.0/linux/triangulum

Now whenever you commit any code, the bandit scan will get invoked on your repo as shown below. If you have configured more than one scanners, they all will get invoked.



In this case we have not added any rules hence the build was successful. But in the bandit configuration .yml file if you add a rule like the following, the build would fail.

rules:
    medium: 2