Deploy a pipeline that simultaneously detects security issues in multiple code deliverables - AWS Prescriptive Guidance

Created by Benjamin Morris (AWS), Dina Odum (AWS), Isaiah Schisler (AWS), Sapeksh Madan (AWS), and Tim Hahn (AWS)

Code repository: Simple Code Scanning Pipeline

Environment: PoC or pilot

Technologies: Security, identity, compliance; DevOps

AWS services: AWS CloudFormation; AWS CodeBuild; AWS CodeCommit; AWS CodePipeline

Summary

The Simple Code Scanning Pipeline (SCSP) provides two-click creation of a code analysis pipeline that runs industry-standard open-source security tools in parallel. This enables developers to check the quality and security of their code without having to install tools or even understand how to run them. This helps you reduce vulnerabilities and misconfigurations in code deliverables. It also reduces the amount of time your organization spends installing, researching, and configuring security tools.

Before SCSP, scanning code using this particular suite of tools required developers to locate, manually install, and configure the software analysis tools. Even locally installed, all-in-one tools, such as Automated Security Helper (ASH), require configuring a Docker container in order to run. However, with SCSP, a suite of industry-standard code analysis tools runs automatically in the AWS Cloud. With this solution, you use Git to push your code deliverables, and then you receive a visual output with at-a-glance insights into which security checks failed.

Prerequisites and limitations

  • An active AWS account

  • One or more code deliverables that you want to scan for security issues

  • AWS Command Line Interface (AWS CLI), installed and configured

  • Python version 3.0 or later and pip version 9.0.3 or later, installed

  • Git, installed

  • git-remote-codecommit, installed on your local workstation

Architecture

Target technology stack

  • AWS CodeCommit repository

  • AWS CodeBuild project

  • AWS CodePipeline pipeline

  • Amazon Simple Storage Service (Amazon S3) bucket

  • AWS CloudFormation template

Target architecture

The SCSP for static code analysis is a DevOps project designed to give security feedback on deliverable code.

The following diagram shows the SCSP performing code analysis in an AWS Region.

  1. In the AWS Management Console, sign in to the target AWS account. Confirm that you are in the AWS Region where you want to deploy the pipeline.

  2. Use the CloudFormation template in the code repository to deploy the SCSP stack. This creates a new CodeCommit repository, the CodePipeline pipeline with its CodeBuild projects, and an S3 bucket for the results.

    Note: As an alternative deployment option, you can use an existing CodeCommit repository by providing its Amazon Resource Name (ARN) as a parameter during stack deployment.

  3. Clone the repository to your local workstation, and then add any files to their respective folders in the cloned repository.

  4. Use Git to add, commit, and push the files to the CodeCommit repository.

  5. Pushing to the CodeCommit repository starts the pipeline, which runs the CodeBuild projects. Each CodeBuild project runs one security tool against the code deliverables, so the tools run in parallel.

  6. Review the output of the pipeline. Security tools that found error-level issues will result in failed actions in the pipeline. Fix these errors or suppress them as false positives. Review details of the tool output in the Action details in CodePipeline or in the pipeline’s S3 bucket.

Tools

AWS services

  • AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions.

  • AWS CodeBuild is a fully managed build service that helps you compile source code, run unit tests, and produce artifacts that are ready to deploy.

  • AWS CodeCommit is a version control service that helps you privately store and manage Git repositories, without needing to manage your own source control system.

Other tools

For a complete list of tools that SCSP uses to scan code deliverables, see the SCSP readme in GitHub.

Code repository

The code for this pattern is available in the Simple Code Scanning Pipeline (SCSP) repository in GitHub.

Epics

Task: Create the CloudFormation stack.

Description:

  1. Sign in to the AWS Management Console.

  2. In the console, confirm that you're in the target Region where you want to deploy the solution. For more information, see Choosing a Region.

  3. Choose the following link. This opens the Quick create stack wizard in CloudFormation.

    https://console.aws.amazon.com/cloudformation/home?#/stacks/create/review?templateURL=https://proservetools.s3.amazonaws.com/cft/scsp-pipeline-stack.template.json&stackName=SimpleCodeScanPipeline

  4. On the Quick create stack wizard, review the parameter settings for your stack and make any modifications as needed for your use case.

  5. Select I acknowledge that AWS CloudFormation might create IAM resources, and then choose Create stack.

This creates a CodeCommit repository, a CodePipeline pipeline, several CodeBuild job definitions, and an S3 bucket. Build runs and scanning results are copied into this bucket. After the CloudFormation stack has been completely deployed, SCSP is ready to use.

Skills required: AWS DevOps, AWS administrator

Task: Examine the results of the scan.

Description:

  1. In the Amazon S3 console, in Buckets, choose the simplecodescanpipeline-deleteresourcespipelinereso bucket.

  2. Choose the scan_results directory, and then choose the folder with the most recent scan date stamp.

  3. Review the log files in this folder to see any issues detected by the security tools used in the pipeline. Security tools that found error-level issues result in failed actions in the pipeline. Fix these issues, or suppress them if they are false positives.

    Note: You can also view details of the tool output (for both passing and failing scans) in the CodePipeline console, in the Action details section.

Skills required: App developer, AWS DevOps

Troubleshooting

Issue: HashiCorp Terraform or AWS CloudFormation files aren't being scanned.

Solution: Make sure that Terraform (.tf) and CloudFormation (.yml, .yaml, or .json) files are placed in the appropriate folders in the cloned CodeCommit repository.

Issue: The git clone command is failing.

Solution: Make sure that you have installed git-remote-codecommit and that your CLI has access to AWS credentials that have permissions to read the CodeCommit repository.

Issue: A concurrency error, such as "Project-level concurrent build limit cannot exceed the account-level concurrent build limit of 1."

Solution: Rerun the pipeline by choosing the Release change button in the CodePipeline console. This is a known issue that seems to be most common during the first few times that the pipeline runs.

Related resources

Provide feedback on the SCSP project.

Additional information

FAQ

Is the SCSP project the same as Automated Security Helper (ASH)?

No. Use ASH when you want a CLI tool that runs code-scanning tools by using containers. Automated Security Helper (ASH) is a tool that is designed to reduce the probability of a security violation in new code, infrastructure, or IAM resource configuration. ASH is a command-line utility that can be run locally. Local use requires that a container environment be installed and operational on the system.

Use SCSP when you want a pipeline that is easier to set up than ASH. SCSP requires no local installations beyond Git and the AWS CLI. SCSP is designed to run each check as a separate pipeline action and to display results by tool. SCSP also avoids most of the overhead of setting up Docker, and it is operating system (OS) agnostic.

Is SCSP just for security teams?

No, anyone can deploy the pipeline to determine which parts of their code are failing security checks. For example, non-security users can use SCSP to check their code before reviewing with their security teams.

Can I use SCSP if I’m working with another type of repository, such as GitLab, GitHub, or Bitbucket?

You can configure a local Git repository to point to two different remote repositories. For example, you could clone an existing GitLab repository, create an SCSP instance (specifying CloudFormation, Terraform, and AWS Config Rules Development Kit (AWS RDK) folders, if needed), and then use git remote add upstream <SCSPGitLink> to point the local repository at the SCSP CodeCommit repository as well. This lets you push code changes to SCSP first, validate them, make any additional updates needed to address findings, and only then push to the GitLab, GitHub, or Bitbucket repository. For more information about multiple remotes, see Push commits to an additional Git repository (AWS blog post).

Note: Be careful of drift between the two remotes. For example, avoid making changes through either provider's web interface; make every change in the local clone and push it to both remotes.
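The following script is an added example and is not code from the SCSP project. It exercises the clone, add files, commit, and push workflow from the architecture steps in the two-remote layout the FAQ describes. Two local bare repositories, created by the script, stand in for the team repository (remote "origin", for example GitLab) and the SCSP CodeCommit repository (remote "scsp"; the FAQ names it "upstream", and any name works). In real use the SCSP URL would be the codecommit:: URL of your SCSP repository; the folder name used in the usage is a placeholder, so use the folder that the SCSP readme specifies for your file type. The in_sync function is this example's own check for the drift the note above warns about.

```shell
#!/bin/sh
# Added example (not SCSP project code): two-remote workflow with a drift check.
set -eu

# A fixed commit identity so the example runs in a clean environment.
export GIT_AUTHOR_NAME=scsp-example GIT_AUTHOR_EMAIL=scsp@example.com
export GIT_COMMITTER_NAME=scsp-example GIT_COMMITTER_EMAIL=scsp@example.com

# make_bare DIR: an empty bare repository whose default branch is "main".
# Constructed stand-in for a hosted remote (GitLab, CodeCommit, ...).
make_bare() {
  git init -q --bare "$1"
  git --git-dir="$1" symbolic-ref HEAD refs/heads/main
}

# setup_workspace WORKDIR ORIGIN_URL SCSP_URL: clone the team repository and add
# the SCSP repository as a second remote (the FAQ's `git remote add upstream ...`).
setup_workspace() {
  git clone -q "$2" "$1"
  git -C "$1" symbolic-ref HEAD refs/heads/main   # first commit lands on main
  git -C "$1" remote add scsp "$3"
}

# validate_with_scsp WORKDIR MESSAGE PATH...: stage PATH..., commit, and push the
# commit to the SCSP remote only, so the scanners run before the team sees it.
validate_with_scsp() {
  work=$1; msg=$2; shift 2
  git -C "$work" add -- "$@"
  git -C "$work" commit -q -m "$msg"
  git -C "$work" push -q scsp HEAD:main
}

# publish_to_origin WORKDIR: once the pipeline is green (findings fixed or
# suppressed), push the same history to the team repository.
publish_to_origin() {
  git -C "$1" push -q origin HEAD:main
}

# in_sync WORKDIR: true when origin/main and scsp/main point at the same commit.
# A mismatch is the drift the FAQ warns about (for example an edit made in one
# provider's web UI); resolve it in the local clone and push to both remotes again.
in_sync() {
  git -C "$1" fetch -q --all
  o=$(git -C "$1" rev-parse -q --verify refs/remotes/origin/main 2>/dev/null || echo none)
  s=$(git -C "$1" rev-parse -q --verify refs/remotes/scsp/main 2>/dev/null || echo none)
  [ "$o" = "$s" ]
}

# Usage (folder name "cloudformation" is a placeholder for the SCSP input folder):
#   make_bare /tmp/origin.git; make_bare /tmp/scsp.git
#   setup_workspace /tmp/work /tmp/origin.git /tmp/scsp.git
#   validate_with_scsp /tmp/work "Add template" cloudformation/template.yaml
#   in_sync /tmp/work || echo "origin and SCSP differ: scan not yet published"
#   publish_to_origin /tmp/work
```

Pushing to the SCSP remote first and to origin only afterwards is what keeps the team repository free of changes that have not been scanned; running in_sync before each push is a cheap way to notice that one side was edited elsewhere.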

Contributing and adding your own actions

SCSP setup is maintained as a GitHub project, which contains the source code for the SCSP AWS Cloud Development Kit (AWS CDK) application. To add additional checks to the pipeline, the AWS CDK application needs to be updated and then synthesized or deployed into the target AWS account where the pipeline will run. To do this, start by cloning the SCSP GitHub project, and then find the stack definition file in the lib folder.

If there's an additional check you would like to add, the StandardizedCodeBuildProject class in the AWS CDK code makes it straightforward to add actions. Provide the name, description, and install or build commands; AWS CDK creates the CodeBuild project by using sensible default values. In addition to creating the build project, you need to add it to the CodePipeline actions in the build stage. When designing a new check, the action should FAIL if the scanning tool detects problems or fails to run, and PASS only if the scanning tool ran and detected no problems. For an example of configuring a tool, review the code for the Bandit action.
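The following wrapper is an added example, not code from the SCSP project, showing the pass/fail contract described above for the build commands of a new action. The log layout (one scan_results/NAME.log per tool) and the return codes are this example's own choices. It guards against two ways a CodeBuild command can report a clean run by mistake: `tool args | tee tool.log` hands the pipeline tee's exit status instead of the tool's, and a missing binary can be swallowed by an `|| true`.

```shell
#!/bin/sh
# Added example (not SCSP project code): run one scanning tool under the
# FAIL-on-findings / FAIL-on-cannot-run / PASS-on-clean contract.

# run_check NAME TOOL [ARGS...]
#   Runs TOOL, keeps everything it printed in $SCAN_RESULTS_DIR/NAME.log, and returns:
#     0  the tool ran and exited zero          -> action PASSES
#     1  the tool ran and exited non-zero      -> action FAILS (findings or crash)
#     2  the tool could not be run at all      -> action FAILS (never counts as clean)
run_check() {
  name=$1
  shift
  dir=${SCAN_RESULTS_DIR:-scan_results}   # assumed layout, not SCSP's
  log="$dir/$name.log"
  mkdir -p "$dir"

  if ! command -v "$1" >/dev/null 2>&1; then
    # Write the reason into the log as well, so it shows up with the other results.
    echo "[$name] FAIL: '$1' is not installed or not on PATH" | tee "$log" >&2
    return 2
  fi

  # Redirect instead of piping through tee so the exit status is the tool's.
  "$@" >"$log" 2>&1
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "[$name] PASS (log: $log)"
    return 0
  fi
  echo "[$name] FAIL: exit status $rc (log: $log)" >&2
  return 1
}

# Usage from a buildspec build phase (bandit's -r/-ll flags are real; the file
# name run_check.sh and the surrounding layout are assumptions):
#   - . ./run_check.sh && run_check bandit bandit -r . -ll
```

Because the function returns non-zero whenever the tool did not finish cleanly, the CodeBuild phase fails and the pipeline action shows as failed, which is the behaviour the contract above asks for; a tool that merely warns on stderr but exits zero still passes, so set the tool's own severity flags (such as Bandit's -ll) rather than relying on the wrapper.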

For more information about expected input and outputs, see the repository documentation.

If you add custom actions, you need to deploy SCSP by using cdk deploy, or cdk synth followed by a CloudFormation deploy of the synthesized template. This is because the Quick create stack CloudFormation template is maintained by the repository owners and does not contain your additions.