[Blackhat Europe tool] huskyCI: Performing security tests inside your CI
huskyCI – Performing security tests inside your CI
huskyCI is an open-source tool that performs security tests inside CI pipelines of multiple projects and centralizes all results into a database for further analysis and metrics.
How does it work?
The main goal of this project is to help development teams improve the quality of their code by finding vulnerabilities as quickly as possible, and thus addressing them.
It can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (npm audit and yarn audit), Golang (Gosec), and Java (SpotBugs plus Find Sec Bugs). It can also audit repositories for secrets such as AWS secret keys, private SSH keys, and many others using GitLeaks. Check our wiki to better understand how this tool can help secure your organization's projects!
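As an added illustration of the "centralize all results" idea (example code, not huskyCI's own), the following Python normalizes output from two of the scanners named above, Bandit and Gosec, into one common finding record, computes simple per-tool and per-severity metrics, and applies a severity gate a pipeline could act on. The scan outputs are constructed samples, and the record layout and gate threshold are assumptions.

```python
import json
from collections import Counter

# Constructed sample outputs (not real scan results), shaped like the JSON
# that `bandit -f json` and `gosec -fmt json` emit.
BANDIT_JSON = json.dumps({"results": [
    {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "app/util.py", "line_number": 7, "test_id": "B303",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "Use of insecure MD5 hash function."},
]})
GOSEC_JSON = json.dumps({"Issues": [
    {"file": "pkg/cfg.go", "line": "12", "rule_id": "G101",
     "severity": "HIGH", "confidence": "LOW",
     "details": "Potential hardcoded credentials"},
]})

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # assumed ordering


def normalize_bandit(raw):
    """Map Bandit's `results` entries onto one common finding record."""
    return [{"tool": "bandit", "rule": r["test_id"], "file": r["filename"],
             "line": int(r["line_number"]), "severity": r["issue_severity"].upper(),
             "confidence": r["issue_confidence"].upper(), "text": r["issue_text"]}
            for r in json.loads(raw)["results"]]


def normalize_gosec(raw):
    """Map Gosec's `Issues` entries onto the same record (Gosec emits line as a string)."""
    return [{"tool": "gosec", "rule": i["rule_id"], "file": i["file"],
             "line": int(i["line"]), "severity": i["severity"].upper(),
             "confidence": i["confidence"].upper(), "text": i["details"]}
            for i in json.loads(raw)["Issues"]]


def summarize(findings):
    """Per-tool and per-severity counts: the kind of metric a central store enables."""
    return {"by_tool": dict(Counter(f["tool"] for f in findings)),
            "by_severity": dict(Counter(f["severity"] for f in findings))}


def should_fail_build(findings, min_severity="HIGH"):
    """Gate the pipeline on any finding at or above `min_severity`."""
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]
               for f in findings)


def collect():
    """Merge both scanners' findings into one list ready for storage or gating."""
    return normalize_bandit(BANDIT_JSON) + normalize_gosec(GOSEC_JSON)
```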
Architecture
This page describes at a high level how huskyCI works and how its components interact.
- huskyCI API (git `api` folder): is responsible for making decisions and centralizing all security test result data. The API authenticates users using OpenID Connect and apps using locally issued tokens (managed by the API). The API holds all information about repos, clusters, organizations, security tests, outputs, inputs and how these entities are related.
- huskyCI CLI Client (git `cli` folder): is a command-line interface responsible for managing huskyCI activities such as adding repositories, adding/editing/removing security tests, managing auth tokens, ignoring certain vulnerability checks and many more.
- huskyCI UI Client (git `ui` folder): is a web interface that acts like the CLI interface through a web browser.
- huskyCI workers (git `workers` folder): are responsible for interacting with the huskyCI API and huskyCI clusters to manage security tests. Use of workers is not mandatory, but it is necessary when the API cannot connect directly to the desired clusters.
- huskyCI cluster: is a group of systems that runs huskyCI security tests. A cluster can be a set of Linux hosts with the Docker API installed or a Kubernetes cluster.
Frontend
It also has a cool Frontend built in React so you can check some stats regarding your huskyCI results! After running your first scan, simply visit:
http://localhost:8080
Install && Use
Copyright (c) 2018, Globo.com authors. All rights reserved.