ZeroNorth™ Integration-Container - Onprem Scanning

Overview:

The ZeroNorth Integration Container (“I-C”) provides a way to run the ZeroNorth Platform as a pseudo-onprem solution. The I-C can be triggered to orchestrate entirely within your CI/CD environment, with only the results being upload to the ZeroNorth platform upon completion of the onprem scan. The following diagram illustrates the flow of this use case:

Benefits

  • The code does not leave your environment, unless you are using a scanning service that requires code to be uploaded to the scanning service (ZeroNorth will coordinate this for you).
  • You can access your onprem sources (e.g. Bitbucket Enterprise server) that are not be accessible by the ZeroNorth SaaS platform.
  • You can utilize scanning servers that are not accessible by the ZeroNorth SaaS platform.

Prerequisites

  • ZeroNorth platform license and credentials
  • A host with Docker installed (see the article ZeroNorth™ Docker Image for CI/CD Pipeline for requirements)
  • Docker Hub credentials and privileges to access ZeroNorth’s private docker images (contact [email protected] to request access).
  • Connectivity to the scanning server/service.

Supported Scanners:

As of 2020-10-15, ZeroNorth supports onprem scanning for the following SAST/SCA scanners:

  • Aqua Trivy - zeronorth/aqua-trivy-job-runner
  • Bandit - zeronorth/bandit-job-runner
  • Black Duck Hub - zeronorth/blackduckhub-job-runner
  • Brakeman - zeronorth/brakeman-job-runner
  • Checkmarx - zeronorth/checkmarx-job-runner
  • Nexus IQ Lifecycle - zeronorth/nexusiq-job-runner
  • OWASP Dependency Check - zeronorth/owasp-5-job-runner
  • SonarQube - zeronorth/sonarqube-agent-job-runner
  • Veracode - zeronorth/veracode-agent-job-runner
  • Whitesource - zeronorth/whitesource-agent-job-runner

Setting Up Integration Container:

On the host where the onprem scanning is to happen:

  • [sudo] docker login , providing the docker credentials that were given access to the ZeroNorth docker images (contact [email protected] for access).
  • [sudo] docker pull zeronorth/integration:latest
  • Ensure that the appropriate runner image is already pulled (see the above list for the runner image names for each scanner)
  • Optionally, if you plan to utilize the ZeroNorth Defect Density feature, also pull the image zeronorth/marmalade-runner:latest .
  • The bind mount for /var/run/docker.sock is required.

[sudo] is needed if you are logged in as a user who does not belong to the “docker” (“Docker-Users” in Windows) user group.

Use Case - Orchestrate a Scan

This use case covers orchestrating a scan of an application bundle in a local folder (think Jenkins workspace as an example).

Requirements / Assumptions

First, create or select a ZeroNorth Policy whose Target is based on an Integration of Type “Artifact” and has Initial Scans From set to “Customer’s Environment” (a.k.a. “onprem”):

Directions for Orchestrating an Onprem scan

Once the appropriate Policy has been created, use the following docker command to run the I-C:

[sudo] docker run -v /var/run/docker.sock:/var/run/docker.sock -e WORKSPACE=/path/to/the/app/build -v /tmp:/results -e CYBRIC_API_KEY=<API key> -e POLICY_ID=<Policy ID> [-e DEBUG=1] zeronorth/integration:latest python cybric.py

The WORKSPACE variable must be set to the full path of the build artifact to scan. The optional -e DEBUG=1 parameter will cause the I-C to wait for the runner to finish before exiting. Without this option, the I-C will return immediately after spawning the runner.

Use Cases - Ingest Scan Results (Data Load)

This use case covers performing a data load from an onprem scanning tool. This use case makes it possible to automatically import existing scan results from your onprem scanning tool into ZeroNorth’s SaaS platform.

Requirements / Assumptions

This section uses SonarQube as the example scanning server.

Create a ZeroNorth Data Load Policy, which is nearly identical to the orchestrated scan Policy with the following changes:

  • Policy Type must be set to “Data Load”.
  • Then, in the SonarQube Application Parameters section of the Scan Policy definition (similar options exist for other scanners):

Directions for Ingesting Scan Results

Follow the directions for the onprem syntax:

[sudo] docker run -v /var/run/docker.sock:/var/run/docker.sock -e WORKSPACE=/tmp -v /tmp:/results -e CYBRIC_API_KEY=<API key> -e POLICY_ID=<Policy ID> [-e DEBUG=1] zeronorth/integration:latest python cybric.py

Note that the WORKSPACE variable must still be provided. In the above example, it was pointed to /tmp .

Additional Information

Refer to the related article ZeroNorth™ Docker Image for CI/CD Pipeline for additional details and for the BASH script that makes the above two use cases more convenient.