The configuration files that you need to create in order to invoke SAST scans can contain the following sections:
- metadata
- options
- severity_rule
- string_match_rule
- ignore_string_match_rule
- alert
- strobes
Out of these sections only 'metadata' and 'options' are mandatory. The following sections explain in detail how to generate a configuration file.
Metadata
As the name suggests, you can add metadata about your scan configuration in this section. This is only metadata and has no impact on the scans being invoked. The only mandatory key under metadata is 'version', in which you pass the version of triangulum being used. An example of metadata is as follows:
metadata:
  author: John Reese
  iteration: 5
  version: 1.4.7
You can provide as many keys as you want under metadata.
Options
Under options you need to pass all the options for the scan you want to invoke. The following are the keys that you can pass:
- analyzer - This is the analyzer name.
- extension - There are three extensions which you can pass. They are 'local', 'git' or 'svn'.
- extension_data - This has five sub keys, and these five sub keys should work for most scanners, but there could be a few scan configurations where additional keys are required. The sub keys are as follows:
  - type - You can either pass 'local' or 'remote' in this field.
    - 'local' means that the code exists on the same machine where the triangulum executable exists.
    - 'remote' means that a git or svn url will be passed where the code which needs to be scanned exists.
  - scan_type - There are three scan types:
    - all - 'all' means that the entire repo will be scanned. If the code is cloned, then the entire folder which you have provided as the target will be scanned.
    - commit - 'commit' means that only the files specified in a commit will be scanned. The commit id needs to be sent as the value of this key.
    - staged - 'staged' means that only the files which are about to be pushed as a commit will be scanned.
  - url/path - If the scan is being done on a remote repo, then the key 'url' should be used and the url of the repo has to be passed. If the scanning is being done on your local machine or on a server, then the 'path' key has to be used and the path where the code resides has to be passed.
  - username - If you are initiating a scan on a private repo, the username for that repo has to be passed as the value of this key.
  - password - To scan a remote private repo, the password for that repo is required and is passed as the value of this key. If 2FA is enabled, then your API token needs to be passed as the value of this key instead of your password.
- scan_data - Under scan_data a key 'loglevel' can be used. There are two possible values, either 'DEBUG' or 'ERROR'. 'DEBUG' means that all the logs will be displayed; 'ERROR' means that only the error logs will be displayed.
An example of options is as follows:
options:
  analyzer: bandit
  scan_data:
    log: DEBUG
  extension: local
  extension_data:
    path: /home/sham/coderepo
Severity Rule
Under severity rule you can set the condition which, when met, causes the build to fail. For example, if you want your build to fail when more than 2 medium issues have been identified, you can set a severity rule for that. There are five severities for which you can set the rules. They are 'critical', 'high', 'medium', 'low' and 'info'.
An example of severity rule is as follows:
severity_rule:
  critical: 0
  high: 0
  medium: 2
  low: 0
  info: 0
When the above severity rule is used, the build will fail if two or more medium issues are identified.
String Match Rule & Ignore String Match Rule
These rules help you pick or ignore vulnerabilities based on a regex which you provide. If your scan reports a lot of vulnerabilities and you only want to identify a certain type, you can write a string match rule for that. If you regularly use a scanner and already know that certain types of vulnerabilities it identifies are false positives in your context, you can write an ignore string match rule. These rules are most useful when applied to the titles and descriptions of the vulnerabilities.
An example of string match rule and ignore string match rule are as follows:
string_match_rule:
  title: r"CVE-\d{4}-\d{1,5}"
ignore_string_match_rule:
  description: r":\W\'"
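As an added illustration of how the severity rule, string match rule and ignore string match rule described above interact, the following Python evaluator applies all three to a constructed list of findings. It is not triangulum's own code: the config dict, the findings and the placeholder CVE ids are constructed here, and the comparison used for severity thresholds (the build fails when a count exceeds its threshold, matching the "more than 2 medium issues" wording) is an assumption.

```python
import re

# Constructed config mirroring the page's sample rules (CVE pattern uses \d{1,5}).
# Illustrative evaluator only, not triangulum's own implementation.
CONFIG = {
    "severity_rule": {"critical": 0, "high": 0, "medium": 2, "low": 0, "info": 0},
    "string_match_rule": {"title": r'r"CVE-\d{4}-\d{1,5}"'},
    "ignore_string_match_rule": {"description": r'r":\W\'"'},
}

# Constructed sample findings (placeholder CVE ids, not real ones).
FINDINGS = [
    {"title": "CVE-1234-00001 example-lib", "description": "Outdated dependency", "severity": "medium"},
    {"title": "CVE-1234-00002 example-lib", "description": "Insecure default", "severity": "medium"},
    {"title": "Hardcoded password", "description": "Possible hardcoded password: 'hunter2'", "severity": "high"},
    {"title": "Use of assert", "description": "assert used in production code", "severity": "low"},
]


def compile_rule_pattern(value):
    """Accept the page's r"..." form (or a bare pattern) and compile it."""
    if value.startswith('r"') and value.endswith('"'):
        value = value[2:-1]
    return re.compile(value)


def rule_matches(rule, finding):
    """A rule matches when every field pattern it lists is found in that field."""
    return all(compile_rule_pattern(p).search(finding.get(f, "")) for f, p in rule.items())


def select_findings(config, findings):
    """Keep findings hit by string_match_rule, then drop those hit by ignore_string_match_rule."""
    keep = config.get("string_match_rule")
    drop = config.get("ignore_string_match_rule")
    selected = [x for x in findings if keep is None or rule_matches(keep, x)]
    return [x for x in selected if drop is None or not rule_matches(drop, x)]


def build_should_fail(config, findings):
    """Return (fail?, {severity: count}) for severities whose count exceeds the threshold.

    Assumption: 'medium: 2' fails the build only when MORE than 2 medium findings remain."""
    counts = {}
    for x in findings:
        counts[x["severity"]] = counts.get(x["severity"], 0) + 1
    exceeded = {sev: counts.get(sev, 0)
                for sev, limit in config.get("severity_rule", {}).items()
                if counts.get(sev, 0) > limit}
    return bool(exceeded), exceeded
```

With the full config only the two CVE findings survive and the build passes; with only the ignore rule, the hardcoded-password finding is dropped but the remaining 'low' finding exceeds its threshold of 0 and fails the build.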
Alert
Alert can be used to receive a message or mail once a scan is complete. Right now you can receive an update on Slack, by email, or both. If you want to receive a message on Slack, you have to provide your Slack incoming webhook url. If you want to receive a mail, you have to configure your SMTP details.
An example of alert is as follows:
alert:
  slack:
    url: <slack url>
  smtp:
    hostname: smtp.gmail.com
    port: 587
    username: dummy@gmail.com
    password: xxxxxxxxxxxxxxx
    to: dummy2@gmail.com
    tls: enabled
Strobes
If you want to send the results of your scans back to Strobes, then this option can be used. In order to send data onto the Strobes platform, you will have to pass values to three keys. They are as follows:
- api - You need to pass your webhook url that you generate from the Strobes platform.
- token - The authorization key which you generate from the Strobes platform.
- asset_ref - The asset name on the Strobes platform against which you want to populate the findings of your scans.
An example of the strobes section is as follows:
strobes:
  api: http://wsa.strobes.co/api/v1/organizations/1c3f982d-fa3d-4a0e-92f5-d1afedcb0d48/connectors/triangulum_cli/webhook/
  token: 80cedf5816c83dfc9ccb621566edb0478eff6ba0
  asset_ref: Athena
A final configuration file will look as follows:
triangulum:
  metadata:
    author: John Reese
    iteration: 5
    version: 1.4.7
  options:
    analyzer: bandit
    scan_data:
      log: DEBUG
    extension: local
    extension_data:
      path: /home/sham/coderepo
  severity_rule:
    critical: 0
    high: 0
    medium: 2
    low: 0
    info: 0
  string_match_rule:
    title: r"CVE-\d{4}-\d{1,5}"
  ignore_string_match_rule:
    description: r":\W\'"
  alert:
    slack:
      url: <slack url>
    smtp:
      hostname: smtp.gmail.com
      port: 587
      username: dummy@gmail.com
      password: xxxxxxxxxxxxxxx
      to: dummy2@gmail.com
      tls: enabled
  strobes:
    api: http://wsa.strobes.co/api/v1/organizations/1c3f982d-fa3d-4a0e-92f5-d1afedcb0d48/connectors/triangulum_cli/webhook/
    token: 80cedf5816c83dfc9ccb621566edb0478eff6ba0
    asset_ref: Athena
Note: Instead of hardcoding any credentials or keys, it is recommended to use environment variables.