# Integrate into gitlab-ci
# Overview
For the integration of R&S®Trusted Application Factory to be effective, it must sit between the CI test suite and the backend: the tests must be configured to use TAF as their destination, and TAF must be configured so that its backend is the application under test.
The following are examples of how to integrate R&S®Trusted Application Factory into a gitlab-ci test pipeline. TAF uses appsec_settings.yaml to configure itself.
Both examples use a typical TAF configuration file:
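---
# appsec_settings.yaml — TAF configuration shared by both pipeline examples.
# It is applied to the running appsec service with `appsecctl apply -f -`
# (see Example 1). Three documents: the App, its Workflow, and the
# SecurityException rule set the workflow consults.
apiVersion: core/v1beta
kind: App
metadata:
  name: my-api
spec:
  name: appsec
  # Host:port on which TAF listens inside the CI job network; the tests
  # target this address (APPSEC_HOST in the pipeline variables). Quoted so
  # the colon can never be mis-read by the parser.
  alias: "appsec:8080"
  log_level: warn
  workflow: my-workflow
  workflow_params:
    # NOTE(review): the workflow below declares two parameters (icx_policy and
    # exceptions) but only `exceptions` is supplied here. Confirm how
    # ${params.icx_policy} is resolved; if it resolves to nothing,
    # ActionICXSecurityEngine may run without a policy.
    exceptions: my-configurations
---
apiVersion: core/v1beta
kind: Workflow
metadata:
  name: my-workflow
spec:
  entrypoint: main
  # Request-processing program: run the ICX security engine and the exception
  # rules, log the alert, then either answer 403 or proxy the request upstream.
  # Kept as a literal block scalar so every line is preserved verbatim.
  source: |-
    package main
    func main(icx_policy ICXConfiguration, exceptions SecurityExceptionConfiguration) {
      ActionICXSecurityEngine(Args{"configuration": "${params.icx_policy}"})
      ActionSecurityExceptionManagement(Args{"configuration": "${params.exceptions}"})
      ActionLogAlert()
      if security.exception.blocked == true {
        ActionGenerateResponse(Args{"status": "403", "content": "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access ${http.request.path} on this server.</p></body></html>"})
      } else {
        ActionProxyRequest()
      }
    }
---
apiVersion: core/v1beta
kind: SecurityException
metadata:
  name: my-configurations
spec:
  # The original listing shows nothing under this key; a bare `rules:` parses
  # as null, so the empty list is written explicitly. Every rule added here
  # suppresses a detection, so add entries deliberately, from the hints
  # printed by `appsecctl logs --hints` after a test run.
  rules: []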
# Example 1: dummy API
Here the tested application is a dummy API (https://github.com/espebra/dummy-api); replace it with the application you want to test.
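# Example 1: the tested backend (dummy-api) is started inside the job, TAF runs
# as a job service in front of it, and the gauge specs are pointed at TAF.
test:
  stage: test
  image: $CI_REGISTRY_IMAGE/builder:v4
  services:
    # TAF runtime as a job service; tests and appsecctl reach it via the alias.
    - name: cr.trustedapphub.io/appsec-runtime:0.3.0
      alias: appsec
  variables:
    # Tested application, reached by TAF as its backend.
    # The original listing also named this value APP_LOCAL_AUTH_KEY, which
    # duplicated the key below (YAML silently keeps only the last value, so
    # the backend URL was lost). Replace the placeholder with the variable
    # name the appsec runtime actually reads for its backend address.
    TODO_BACKEND_URL_VARIABLE_NAME: "http://build:1337/"
    # Key used to authenticate with `appsecctl auth login`. Prefer defining
    # it as a masked CI/CD variable rather than committing a value here.
    APP_LOCAL_AUTH_KEY: "changeme"
    APPSEC_HOST: "appsec:8080" # use this variable to configure your tests target
  script:
    # Launch tested backend
    - ./dummy-api -host 0.0.0.0 -verbose &
    # Inject TAF configuration and start it. The login reuses the variable
    # above so the key is defined in exactly one place.
    - appsecctl auth login -l appsec -c "$APP_LOCAL_AUTH_KEY"
    # envsubst only expands shell-style ${VAR} references, so the
    # ${params.*} / ${http.*} placeholders in the file should pass through
    # untouched — verify on the rendered output. NOTE(review): the `-k` flag
    # is not explained on this page; confirm its meaning before reuse.
    - envsubst < ./appsec_settings.yaml | appsecctl -H appsec -k apply -f -
    # Run tests
    - gauge -d tests run specs -v
    # Kill backend app
    - pkill dummy-api
  after_script:
    # Display raised security events in the tests output, and propose exceptions
    - appsecctl -H appsec -k logs --hints
  artifacts:
    paths:
      - tests/reports/
    when: always
  tags:
    - devsecops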
# Example 2: a nodejs app
Here, the tested application is a Node.js application that uses MongoDB.
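# Example 2: a Node.js app with MongoDB, started in before_script; the
# appsec service (aliased `waf`) sits in front of it during `npm test`.
test:
  stage: test
  image: $CI_REGISTRY_IMAGE/builder:v3
  services:
    # NOTE(review): unlike Example 1, no `appsecctl apply` step appears here;
    # presumably this custom image already carries the TAF configuration —
    # confirm, otherwise the tests run against an unconfigured TAF.
    - name: $CI_REGISTRY_IMAGE/appsec:v3
      alias: waf
  variables:
    # Tested application, reached by TAF as its backend.
    # The original listing also named this value APP_LOCAL_AUTH_KEY, which
    # duplicated the key below (YAML silently keeps only the last value).
    # Replace the placeholder with the variable name the appsec runtime reads.
    TODO_BACKEND_URL_VARIABLE_NAME: "http://build:1337/"
    # Key used to authenticate with `appsecctl auth login`. Prefer a masked
    # CI/CD variable over a committed value.
    APP_LOCAL_AUTH_KEY: "changeme"
    APPSEC_HOST: "waf:8080" # use this variable to configure your tests target
  before_script:
    - npm install
    # Both processes are backgrounded with no readiness wait; tests may
    # start before the app or database is listening.
    - mongod &
    - npm start &
  script:
    - npm test
  after_script:
    # Login reuses the variable above so the key is defined in one place.
    # `-l appsec` is kept as in Example 1; if it names the host it should
    # match the service alias `waf` — confirm.
    - appsecctl auth login -l appsec -c "$APP_LOCAL_AUTH_KEY"
    - appsecctl -H waf -k logs --hints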