Improvements to CI/CD integration #11

Merged
merged 12 commits into from
Mar 15, 2024
77 changes: 70 additions & 7 deletions trigger_pentest.sh
@@ -1,14 +1,77 @@
#!/bin/bash

ASTRA_SCAN_START_URL="https://api.getastra.com/webhooks/integrations/ci-cd"
ASTRA_SCAN_STATUS_URL="https://api.getastra.com/webhooks/integrations/ci-cd/scan-status"

URL=https://api.getastra.com/webhooks/integrations/ci-cd
ASTRA_SCAN_TYPE="${ASTRA_SCAN_TYPE:-lightning}"
status_code=$(curl -s -o response.txt -w "%{http_code}" --user-agent "Astra Pentest Trigger Script/1.0" --header "Content-Type: application/json" --request POST --data "{\"accessToken\":\"$ASTRA_ACCESS_TOKEN\",\"projectId\":\"$ASTRA_PROJECT_ID\", \"mode\":\"$ASTRA_AUDIT_MODE\", \"automatedScanType\":\"$ASTRA_SCAN_TYPE\"}" $URL)
if [[ "$status_code" == "200" ]] ; then
echo "✅ Astra pentest was successfully started."
ASTRA_JOB_EXIT_STRATEGY="${ASTRA_JOB_EXIT_STRATEGY:-always_pass}"
ASTRA_JOB_EXIT_REFETCH_INTERVAL="${ASTRA_JOB_EXIT_REFETCH_INTERVAL:-30}"
ASTRA_JOB_EXIT_REFETCH_MAX_RETRIES="${ASTRA_JOB_EXIT_REFETCH_MAX_RETRIES:-20}"
ASTRA_JOB_EXIT_CRITERION="${ASTRA_JOB_EXIT_CRITERION:-severityCount[\\\"high\\\"] > 0 or severityCount[\\\"critical\\\"] > 0}"


response=$(curl -s -o response.txt -w "%{http_code}" --user-agent "Astra Pentest Trigger Script/1.1" --header "Content-Type: application/json" --request POST --data "{\"accessToken\":\"$ASTRA_ACCESS_TOKEN\",\"projectId\":\"$ASTRA_PROJECT_ID\", \"mode\":\"$ASTRA_AUDIT_MODE\", \"automatedScanType\":\"$ASTRA_SCAN_TYPE\", \"targetScopeUri\":\"$ASTRA_TARGET_SCOPE_URI\"}" "$ASTRA_SCAN_START_URL")
status_code=$(tail -n1 <<< "$response")

if [[ "$status_code" == "200" ]]; then
echo "✅ The Astra scan has been successfully initiated."
audit_id=$(awk '/"auditId"/{print $2}' RS=, FS=: response.txt | tr -d '"' | cut -d'}' -f1)
vulnerabilities_page_link=$(awk '/"vulnerabilitesPageLink"/{print $2}' RS=, FS=: response.txt | tr -d '"' | cut -d'}' -f1)
echo ""
echo "Webhook response:"
cat response.txt
elif [[ "$status_code" == "422" ]] ; then
echo "🟡 Cannot start an audit, because an audit might be underway."
echo ""
elif [[ "$status_code" == "422" ]]; then
echo "🟡 Scan initiation failed. Another scan may already be in progress."
echo ""
echo "Webhook response:"
cat response.txt
exit 1
else
echo "⛔ Failed to start pentest."
echo "⛔ Scan initiation failed. HTTP status code: $status_code"
cat response.txt
exit 1
fi

if [[ "$ASTRA_JOB_EXIT_STRATEGY" == "always_pass" ]]; then
echo "The scan is currently in progress, and you can review any detected vulnerabilities in the Astra dashboard. As the ASTRA_JOB_EXIT_STRATEGY is set to always_pass, this job will not be blocked."
exit 0
fi

json_data="{\"accessToken\":\"$ASTRA_ACCESS_TOKEN\",\"auditId\":\"$audit_id\",\"jobExitCriterion\":\"$ASTRA_JOB_EXIT_CRITERION\"}"

for ((retry=0; retry<ASTRA_JOB_EXIT_REFETCH_MAX_RETRIES; retry++)); do

scan_status=$(curl -s -o scan_status_response.txt -w "%{http_code}" \
--user-agent "Astra Pentest Trigger Script/1.1" \
--header "Content-Type: application/json" \
--request POST \
--data "$json_data" \
"$ASTRA_SCAN_STATUS_URL")

if [[ "$scan_status" == "200" ]]; then

audit_progress=$(awk '/"auditProgress"/{print $2}' RS=, FS=: scan_status_response.txt | tr -d '"' | cut -d'}' -f1)
exit_criteria_evaluation=$(awk '/"exitCriteriaEvaluation"/{print $2}' RS=, FS=: scan_status_response.txt | tr -d '"' | cut -d'}' -f1)

if [[ "$ASTRA_JOB_EXIT_STRATEGY" == "fail_when_vulnerable" ]]; then
if [[ "$exit_criteria_evaluation" == "true" ]]; then
echo "⛔ Vulnerabilities have been detected according to the criteria defined in ASTRA_JOB_EXIT_CRITERION. Please review the Astra dashboard for a detailed list of vulnerabilities. Exiting the CI/CD job now..."
exit 1
fi
fi

if [[ "$audit_progress" == "reported" || "$audit_progress" == "reaudit" || "$audit_progress" == "completed" ]]; then
echo "✅ The scan has been successfully completed, without matching the exit criteria."
exit 0
fi

echo "🔍 The scan is currently in progress, and its status has just been refreshed."
else
echo "🟡 Unable to retrieve scan status. Retrying at the next interval..."
fi
sleep "$ASTRA_JOB_EXIT_REFETCH_INTERVAL"
done

echo "🔵 The scan is currently underway, but we are exiting this job as the ASTRA_JOB_EXIT_REFETCH_MAX_RETRIES limit has been reached."
exit 0
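Review bot: The access token is placed on curl's command line in both new requests (the inline `--data` JSON of the scan-start call and `$json_data` in the status-poll loop), which exposes it to any other process on the runner via `ps`/`/proc` and to the CI log if tracing is enabled; passing the body through stdin keeps it off argv, e.g. `printf '%s' "$json_data" | curl -s -o scan_status_response.txt -w "%{http_code}" --header "Content-Type: application/json" --request POST --data @- "$ASTRA_SCAN_STATUS_URL"`. Required inputs are never validated, so an unset `ASTRA_ACCESS_TOKEN` or `ASTRA_PROJECT_ID` is sent as an empty string and only shows up as a generic HTTP failure; a `: "${ASTRA_ACCESS_TOKEN:?must be set}"` guard near the top of the script would fail fast with a clear message. Both JSON bodies are built by shell interpolation, so any value containing a double quote (most plausibly a custom `ASTRA_JOB_EXIT_CRITERION`) yields malformed JSON, and the `awk`-based extraction of `auditId` is not checked for an empty result before `audit_id` is embedded in the polling body, so a changed response format would silently poll with an empty id until the retry limit is hit.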