- Author: Pedric Kng
- Updated: 17 Nov 2018
AWS offers several CI/CD platforms:
- CodeCommit - GIT Repository equivalent to Github
- CodeBuild - Continuous integration service for build and test
- AWS CodeDeploy - Continuous deployment service into AWS instances
- CodePipeline - Continuous integration and delivery service; note that it integrates with the other AWS solutions: CodeCommit (Source Stage), CodeBuild (Build Stage), CodeDeploy (Deploy Stage).
- CodeStar - CodeStar provides a wizard based project type selection to kickstart your application development
- AWS CloudFormation - Model and provision all your cloud infrastructure resources; infrastructure-as-code
There are several ways to integrate CxSAST with the Amazon CI environments, namely:
- Checkmarx CxSAST can pull source code from Amazon CodeCommit out-of-the-box for SAST scan
- Checkmarx CxSAST can be invoked from Amazon CodeBuild as part of the pre-build phase
- Checkmarx CxSAST can be invoked in CodePipeline as part of CodeBuild or through a Custom Action
Regardless of integration, all scan results are centralized in Checkmarx CxSAST.
CxSAST supports pulling source code from a Git repository out of the box. This is usually practised in a Security Gate model, whereby testing is executed in the last phase of development and no build server is deployed.
Currently, AWS CodeCommit supports both HTTPS (username + password) and SSH mechanisms for interacting with the CodeCommit repository [2]. Both mechanisms are supported by Checkmarx CxSAST [1].
Note that managing credentials in the Git client via the AWS CLI credential helper (through an Access Key ID and Secret Access Key) is not supported by CxSAST.
Invoking CxSAST from AWS CodeBuild
There are two means to integrate CxSAST with AWS CodePipeline, namely:
- As part of CodeBuild, refer to CodeBuild Integration
- Invoking CxSAST as a custom action
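The following buildspec is an added example (not from the original page or from Checkmarx) of the CodeBuild integration: the CxSAST scan runs in the pre_build phase, so a scan that exceeds its thresholds fails the build before the build stage of the pipeline runs. It assumes a Linux build image, a CxConsole CLI archive staged in a private S3 bucket (placeholder path), and the scan account stored in Secrets Manager rather than in the buildspec; the CxConsole flags are taken from the Checkmarx CLI plugin documentation, not from this page, and the server URL and project path are placeholders.

```yaml
version: 0.2

env:
  variables:
    # Placeholder CxSAST server URL and full project path (assumptions).
    CX_SERVER: "https://cxsast.example.internal"
    CX_PROJECT: "CxServer\\SP\\Company\\Users\\MyApp"
  secrets-manager:
    # Resolved by CodeBuild at run time from Secrets Manager (secretId:jsonKey),
    # so the scan credentials never sit in plaintext in the buildspec or in a
    # CodeBuild environment variable.
    CX_USER: "cxsast/scan-account:username"
    CX_PASSWORD: "cxsast/scan-account:password"

phases:
  install:
    commands:
      # CxConsole CLI archive in a private bucket (placeholder path).
      - aws s3 cp s3://my-tools-bucket/CxConsolePlugin.zip /tmp/cx.zip
      - unzip -q /tmp/cx.zip -d /opt/cxconsole
      - chmod +x /opt/cxconsole/runCxConsole.sh
  pre_build:
    commands:
      # Synchronous scan of the checked-out source (CODEBUILD_SRC_DIR is set by
      # CodeBuild). A non-zero exit from CxConsole fails this phase, so the
      # build phase below is skipped; -SASTHigh/-SASTMedium set the vulnerability
      # thresholds that turn the scan into a gate (0 High, at most 5 Medium).
      - >
        /opt/cxconsole/runCxConsole.sh Scan -v
        -CxServer "$CX_SERVER" -CxUser "$CX_USER" -CxPassword "$CX_PASSWORD"
        -ProjectName "$CX_PROJECT"
        -LocationType folder -LocationPath "$CODEBUILD_SRC_DIR"
        -SASTHigh 0 -SASTMedium 5
  build:
    commands:
      - echo "Scan passed the threshold; regular build steps go here"
```

The CodeBuild service role needs secretsmanager:GetSecretValue on the scan-account secret and s3:GetObject on the tools bucket; results remain centralized in CxSAST as the page describes.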
For AWS CLI installation, refer to [4].
aws configure [--profile profile-name]
In addition, you can alter the entries in the AWS CLI files:
- %user_profile%\.aws\credentials
[default]
aws_access_key_id = *AWS ACCESS KEY*
aws_secret_access_key = *AWS SECRET ACCESS KEY*
[CodeCommitProfile]
aws_access_key_id = *AWS ACCESS KEY*
aws_secret_access_key = *AWS SECRET ACCESS KEY*
- %user_profile%\.aws\config
[default]
output = json
region = us-east-1
[profile CodeCommitProfile]
region = ap-southeast-1
output = json
Refer to [5] for more details.
aws configure list [--profile profile-name]
aws ec2 describe-images --filters "Name=tag:Name,Values=<AMI Name>" [--profile profile-name]
aws ec2 run-instances --region us-east-1 --image-id <Replace with AMI ID> --count 1 --instance-type r5.xlarge --security-group-ids sg-08ca8e460f086caa9 --subnet-id subnet-03221d4d303e3893d --associate-public-ip-address --tag-specifications "ResourceType=instance,Tags=[{Key=owner,Value=<Replace with UserName>}]" "ResourceType=volume,Tags=[{Key=owner,Value=<Replace with UserName>}]"
aws ec2 describe-instances --filters "Name=tag:owner,Values=<Replace with UserName>" [--profile profile-name]
aws ec2 describe-instances --instance-ids <Replace with InstanceID> [--profile profile-name]
aws ec2 start-instances --instance-ids <Replace with InstanceID> [--profile profile-name]
aws ec2 stop-instances --instance-ids <Replace with InstanceID> [--profile profile-name]
aws ec2 terminate-instances --instance-ids <Replace with InstanceID> [--profile profile-name]
Configuring the Connection to a Source Control System on CxSAST [1]
Git with AWS CodeCommit Tutorial [2]
Introducing Git Credentials: A Simple Way to Connect to AWS CodeCommit Repositories Using a Static User Name and Password [3]
Install the AWS Command Line Interface on Microsoft Windows [4]
AWS CLI Name Profile Configuration [5]
AWS CLI Command Reference [6]