by: DefenseCode

DefenseCode is delighted to announce that we have joined CircleCI's integrated solution partner program, giving over 35,000 customer organizations and more than 800,000 developers the opportunity to automate their code security processes by integrating the ThunderScan® SAST solution within their CI/CD pipeline.

To help users automate DevSecOps processes, DefenseCode created a ThunderScan® CircleCI orb. Orbs are reusable snippets of code that help automate repeated processes, speed up project setup and make it easy to integrate with third-party tools.


ThunderScan Orb

The DefenseCode ThunderScan® CircleCI orb is available in the CircleCI public registry of orbs as a certified partner. By utilizing our orb, you can download ThunderScan® API clients, run a security analysis, and monitor your project with a single line of code. Additionally, you can customize how your project interacts with ThunderScan® by setting thresholds for failing builds and generating reports in a variety of formats including HTML, PDF, JSON and XML.

Usage Examples

The example below shows how to import the ThunderScan® orb into your CircleCI config file.

version: 2.1

orbs:
  thunderscan: defensecode/thunderscan@1.0

To define a simple scan job that breaks the build if a scan results in more than one high risk vulnerability, exports HTML and JSON reports from the ThunderScan® scan, and stores them as artifacts, we can use the following example:

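workflows:
  scan:                        # workflow name is illustrative
    jobs:
      - thunderscan/scan:
          threshold: "high:1"
          report: true
          report-filename: thunderscan-report
          report-format: html,json
          post-steps:          # assumed enclosing key for the artifact steps
            - store_artifacts:
                path: ./thunderscan-report.json
            - store_artifacts:
                path: ./thunderscan-report.html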

The environment variables containing the URL of the ThunderScan® API instance (THUNDERSCAN_API_URL) and the API token (THUNDERSCAN_API_TOKEN) should be set in a context or in the project's environment variables.

The ThunderScan® orb checks out the repository to make it available to the job, then downloads the command line client, which is invoked to zip and upload the checked-out repository and initiate a scan with the provided parameters (the full list of parameters is available in the orb listing).
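The two environment variables named above can be checked before the scan job runs. The script below is an added example, not part of the orb or of DefenseCode's code: the function names are hypothetical, the https requirement is an assumption about how the API instance is exposed, and the sample config fragment and token value are constructed.

```shell
#!/bin/sh
# Added example, not DefenseCode's code. Function names are hypothetical.

# Return 0 only if both variables the orb reads are set and the API URL is
# https, so the token is never sent in cleartext. 1 = missing, 2 = not https.
check_thunderscan_env() {
    for name in THUNDERSCAN_API_URL THUNDERSCAN_API_TOKEN; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "$name is not set (add it to a context or project variable)" >&2
            return 1
        fi
    done
    case "$THUNDERSCAN_API_URL" in
        https://?*) return 0 ;;
        *) echo "THUNDERSCAN_API_URL must start with https://" >&2; return 2 ;;
    esac
}

# Print the line numbers in config file $1 where THUNDERSCAN_API_TOKEN is given
# a literal value (YAML "KEY: value" or shell "KEY=value"). References such as
# $OTHER_VAR are ignored. Only line numbers are printed, never the value.
# Returns 0 if any literal assignment was found, 1 otherwise.
find_inline_token() {
    pattern="THUNDERSCAN_API_TOKEN[[:space:]]*[:=][[:space:]]*[\"']?[^[:space:]\"'\$]"
    hits=$(grep -nE "$pattern" "$1" | cut -d: -f1) || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Demo on a constructed config fragment (the token value is made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
jobs:
  scan:
    environment:
      THUNDERSCAN_API_TOKEN: "constructed-not-a-real-token"
    steps:
      - run: echo "token comes from $THUNDERSCAN_API_TOKEN"
EOF
if lines=$(find_inline_token "$sample"); then
    echo "literal token assignment on line(s): $lines"
fi
rm -f "$sample"
```

Run `find_inline_token .circleci/config.yml` in a pre-commit hook or an early pipeline step, and `check_thunderscan_env` in a step placed before the scan.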


About DefenseCode

DefenseCode is rapidly becoming a widely recognized leader in application security testing, security consultancy and vulnerability research.

Privately founded in 2010, we provide a range of consulting and assessment services to help organizations measure their security posture and build a thorough and compliant security program to support their business strategy. Our clients come from e-banking, finance, telecommunications, insurance, legal, IT and retail sectors across the globe.

DefenseCode delivers solutions and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities using WebStrike® Dynamic Application Security Testing (DAST, BlackBox Testing) and ThunderScan® Static Application Security Testing (SAST, WhiteBox Testing) technologies. DefenseCode has in-depth experience in penetration testing, zero-day vulnerability research, security audit and source code security analysis.