Examples
This is an example containing only one "red" finding - so easy to understand.
|
ℹ️
|
With SecHub release 0.20.0 two new features were introduced into the html report. You can find the direct link to the CWE MITRE article of the corresponding CWE-Id within the Type column. This can help you with learning more about the corresponding security finding. In the Description column you can now expand the whole callstack analog to the callstack within the JSON report.
|
Here is a real output from an older SecHub scan (scanned itself):
|
ℹ️
|
The scan was done with SecHub server V0.20.0 |
You can run the SecHub Client in synchronous and asynchronous mode. In synchronous mode your build will break if it isn’t "green" (sechub scan). Whereat in asynchronous mode it will not break your CI/CD pipeline (sechub scanAsync).
Before running the sechub scan.yaml file make sure that you have sechub client installed in your pipeline:
- task: Bash@3
displayName: Install Sechub scanner
inputs:
targetType: inline
script: |
cd /tmp
CLIENT_VERSION=$(curl -s https://mercedes-benz.github.io/sechub/latest/client-download.html | grep https://github.com/mercedes-benz/sechub/ | awk -F '-' '{print $NF}' | sed 's/.zip">//')
curl -L -o sechub-cli.zip https://github.com/mercedes-benz/sechub/releases/download/v$CLIENT_VERSION-client/sechub-cli-$CLIENT_VERSION.zip
unzip sechub-cli.zip
sudo cp platform/linux-amd64/sechub /usr/local/binRun the SecHub client:
parameters:
- name: azureServiceConnection
type: string
steps:
- task: AzureKeyVault@2
inputs:
azureSubscription: ${{ parameters.azureServiceConnection }}
KeyVaultName: "your keyvault name"
SecretsFilter: "sechub-token" //add your sechub-apitoken as secret "sechub-token" in the keyvault
RunAsPreJob: false
- task: Bash@3
displayName: Run Sechub Scan
inputs:
targetType: inline
script: |
export SECHUB_APITOKEN=$(sechub-token)
export SECHUB_USERID="your userid"
export SECHUB_SERVER="sechub server url"
CONFIG_FILE_PATH="path to 'sechub.json'"
sechub -configfile $CONFIG_FILE_PATH -reportformat html scan
mkdir -p $(System.DefaultWorkingDirectory)/scan-reports
mv *.html $(System.DefaultWorkingDirectory)/scan-reports
env:
Sechub-Token: $(sechub-token)
- task: PublishBuildArtifacts@1
displayName: Publish Sechub Scan Reports
inputs:
PathtoPublish: $(System.DefaultWorkingDirectory)/scan-reports
artifactName: 'sechub-scan-reports'For details to the SecHub configuration file please see SecHub configuration.
A working example of a Jenkinsfile can be found within the SecHub project in the continous-integration-multibranch-pipeline.jenkins file.
For the documentation of the SecHub client please refer to SecHub Client.
You can run the SecHub Client in synchronous and asynchronous mode. In synchronous mode your build will break if it isn’t "green" (sechub scan). Whereat in asynchronous mode it will not break your CI/CD pipeline (sechub scanAsync).
Run the SecHub client within your source folder with parameters and default named sechub.json file:
stage('Security scan') {
// set the environment variables within the scan-stage
environment {
SECHUB_USERID = credentials('sechub-userid')
SECHUB_APITOKEN = credentials('sechub-api-token')
SECHUB_SERVER= credentials('sechub-server')
}
steps {
script {
sh "sechub -project ${projectName} scan"
}
}
}Or provide a configuration file (JSON) as parameter:
sh "sechub -configfile otherconfig.json scan"For details to the SecHub configuration file please see SecHub configuration.