Perform the initial configuration
Hello everyone.
In this lesson, we’ll learn how to perform the initial configuration of the portal and the Auditor.
We’ve already installed and configured the Whitespots portal and the Auditor component. Now we’ll connect them, create our first scanning sequence, and take a look at the configuration options provided by our solution.
Create Private SSH Key
Log in to the portal and go to the Auditor section.
In this section, enter the URL of the Auditor and its access token.
Reminder
The default port is 8080.
After you enter the data, the fields:
Unreachable
Not authenticated
will change to:
Connected
Authenticated
This means that the portal is able to connect to the auditor’s address and authenticate.
The next step is to create a private key using ssh-keygen (ssh-keygen is the standard utility included with OpenSSH).
Copy the generated private key and paste it into the Private SSH Key field.
Next, you need to create the public key and add it to your Git profile settings.
Copy the public key you’ve just created, go to your Git Profile → Preferences → SSH Keys and click the Add Key button.
Paste the key and give it a name. In this lesson, we named it “Test”.
After you have added the key in Git, you will be able to clone private repositories.
Configure the Code Downloader job
Go to Jobs → Code downloader.
Here, change the servers to those used in your company, for example gitlab.company.com. To do this, scroll down to the command section:
ssh-keyscan -H gitlab.company.com >> ~/.ssh/known_hosts
This job performs SSH host key verification of your GitLab server and marks it as trusted. Make sure the Auditor service has access to your Git SSH port. Nothing else needs to be changed.
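The ssh-keyscan command above records whatever host key the server presents at that moment, so the job trusts the host on first use. As an added example (not part of the Whitespots lesson or product), the Python helper below accepts a host key for the Code Downloader step only when its SHA256 fingerprint matches one obtained out of band (for example from your GitLab administrator); the keyscan output and the pinned fingerprint are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample of ssh-keyscan stdout for the lesson's example host.
# The key blobs are placeholders, not real GitLab host keys.
SAMPLE_KEYSCAN_OUTPUT = """\
# gitlab.company.com:22 SSH-2.0-OpenSSH_9.6
gitlab.company.com ssh-ed25519 YWJj
gitlab.company.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB
"""


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 over the raw key bytes, base64 without '=' padding."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_keyscan(keyscan_output, pinned):
    """Split keyscan lines into (accepted, mismatched) against pinned fingerprints.

    `pinned` maps a key type (e.g. "ssh-ed25519") to the fingerprint you verified out of band.
    Comment lines and key types you did not pin are ignored. Works for plain and -H hashed
    lines alike, because only the last two fields (key type, key blob) are inspected.
    """
    accepted, mismatched = [], []
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        key_type, blob = parts[-2], parts[-1]
        expected = pinned.get(key_type)
        if expected is None:
            continue
        (accepted if fingerprint(blob) == expected else mismatched).append(line)
    return accepted, mismatched


def append_known_hosts(keyscan_output, pinned, path):
    """Append only verified entries to known_hosts; refuse the whole batch on any mismatch."""
    accepted, mismatched = check_keyscan(keyscan_output, pinned)
    if mismatched:
        raise ValueError("host key fingerprint mismatch: " + "; ".join(mismatched))
    with open(path, "a", encoding="utf-8") as fh:
        fh.writelines(entry + "\n" for entry in accepted)
    return len(accepted)
```

In the job, pipe the real `ssh-keyscan` output into `append_known_hosts` with the fingerprint your administrator published; a mismatch then fails the Code Downloader job instead of silently trusting a changed key.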
Create a new sequence
Go to the Sequences section and click the “+ create” icon at the right side of the screen.
Input the desired name of your sequence and click Create.
If you need to scan the code, a sequence must start with the Code Downloader job.
Click add +, and select Code Downloader from the drop-down list.
Next, select a scanner. For example, we will use Bandit.
Any job can be viewed and edited under Auditor job configs.
There are variables, such as Repository, that are mandatory for the job to run.
Scan type
Here you can choose from the different scanners in the drop-down list.
In future lessons, you will learn how to add them to our portal.
Report file name
The auditor uses this variable to know which files should be sent to the portal as a report.
Important note
When writing your jobs, remember that they must write their results to the data folder; only then can the report file name be used. It is set in the Run command field in the Auditor job configs:
bandit -lll -ii -r ./$SEC_CODE_FOLDER -f json -o /data/$REPORT_FILE_NAME
Also, you can use our default settings.
Start a scan
If you don’t have any assets, you can click Add Repository at the right side of the screen.
For now, you can add them manually. Specify the job sequence as Demo and click Create an asset. Find it in the list of assets and start an audit manually by clicking the Run audit button.
You’ll see that pipelines start running.
Note
All these pipelines write information to the logs during execution.
You can look at every single job.
Settings
Cleaner
Here you can configure the cleanup of artifacts. By default, the value is set to one day.
Jobs
Here you’ll see all the jobs with our images. By the way, you can use your own images.
Docker credentials
Here you can specify the Docker credentials, which are needed to pull images from private Docker registries.
Workers
Here you can see information about workers and their status.
Timeout
Here you can set timeouts for your pipelines to prevent them from running too long.
DNS
Here you can add your custom DNS servers.