
Integrating code security with CI/CD and enterprise tools

Development teams work hard to deliver high-quality code that meets business requirements. An internal development team that produces source code is a major investment for an enterprise of any size, and the pressure to get a return on that investment drives the push to deliver more code faster, at higher quality, and written to be secure as well.

A few common platforms offer end-to-end visibility into the planning, coding, testing, and deployment stages, but developers prefer to use their favorite best-of-breed tools in each phase. This is particularly true in cloud-based environments.

There are two main reasons why these tools need to be integrated:

  • It lets teams and their managers automate the orchestration of code delivery, and it provides instrumentation that tracks individual tasks and reports consolidated progress across development tools acquired from multiple providers. 
  • Treating code security as at least as important as code quality requires specific application security tools to be integrated with distinct parts of the development process. 

Integrating across all of these elements lets security controls run at every relevant step of the pipeline. Addressing security concerns this early is the essence of DevSecOps: security starts at the beginning of the development process rather than being bolted on before release, which is what "shifting left" means. 

Application security integrations, and code security integrations in particular, can cover version control and source code management systems, continuous integration (CI) pipelines that combine source repositories with automated builds and tests, and exception management with enough visibility that entire teams can collaborate on rapid deployment while resolving security findings in flight. 

BluBracket automates the detection, identification, and removal of secrets in code. It identifies the categories of secrets present in code, ranks them by risk, and provides a means to remediate. BluBracket protects code from leaking into public repositories and keeps secrets and IP from getting into the wrong hands. It works across multiple git providers and integrates with enterprise CI/CD tools, version control, code servers, identity and access management systems, messaging, ticketing, and many other IT resources.

Integrations commonly supported by the BluBracket code security platform include:

  • Local workflow tools 
  • Code servers 
  • CI servers 
  • Identity, authentication, and authorization 
  • Messaging 
  • Ticketing & incident management 
  • Build your own integration

The following section details how each of these integrations can be configured and leveraged for security.

Local workflow tools

The BluBracket CLI tool can identify and block secrets before they’re committed.

Available local tools and integrations:

  • CLI
  • IntelliJ (via CLI, full plugin coming soon)
  • Visual Studio Code (via CLI)

Usage guide: installing and using the CLI.
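The "identify and block before commit" behaviour described above, reduced to a generic git pre-commit hook as an added example. This is not BluBracket's CLI or any code from the original post: it is a hand-written illustration of what blocking at commit time means, using a handful of assumed secret patterns (the AWS access-key prefix, the GitHub token prefix, a PEM private-key header, and quoted literal assignments to password-like names), a `nosecret` allow-list marker that is our own convention, and two constructed sample diffs.

```shell
#!/bin/sh
# Added example (not BluBracket's CLI): a minimal git pre-commit hook that
# refuses a commit when the staged diff adds a line matching a few well-known
# secret shapes. Install as .git/hooks/pre-commit and make it executable.
# The patterns below are illustrative assumptions; a production scanner carries
# far more detectors, entropy checks and a managed allow-list.

# Token formats with a fixed shape (low false-positive rate).
AWS_KEY_RE='AKIA[0-9A-Z]{16}'
GITHUB_PAT_RE='ghp_[A-Za-z0-9]{36}'
PRIVATE_KEY_RE='-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----'
# Keyword assignments count only when the value is a quoted literal of 8+
# characters, so `password = os.environ["DB_PASSWORD"]` is not flagged.
KEYWORD_RE="([Pp]assword|[Pp]asswd|[Ss]ecret|[Aa]pi[_-]?[Kk]ey)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# find_secrets: reads a unified diff on stdin, prints every added line that
# looks like a secret, and returns 1 if any were printed (0 if the diff is clean).
# Only added lines are inspected ("+" but not the "+++ b/file" header); lines
# carrying the marker "nosecret" are an inline allow-list for known-safe fixtures.
find_secrets() {
    if grep -E '^[+][^+]' \
        | grep -v 'nosecret' \
        | grep -E -e "$AWS_KEY_RE" -e "$GITHUB_PAT_RE" \
                  -e "$PRIVATE_KEY_RE" -e "$KEYWORD_RE"; then
        return 1
    fi
    return 0
}

# Constructed sample diffs for a stand-alone run. The AWS key is AWS's own
# documented placeholder; the GitHub token is a made-up string of the right shape.
sample_diff() {
    cat <<'EOF'
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "correct-horse-battery"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
 DEBUG = False
EOF
}

clean_diff() {
    cat <<'EOF'
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,5 @@
 import os
+db_password = os.environ["DB_PASSWORD"]
+api_key = load_from_vault("api_key")
+TEST_KEY = "AKIAIOSFODNN7EXAMPLE"  # nosecret: public placeholder used in tests
EOF
}

# Hook entry point: runs only when git invokes this file as .git/hooks/pre-commit.
case "$0" in
    */pre-commit)
        if ! git diff --cached --unified=0 | find_secrets; then
            echo "pre-commit: possible secret in staged changes; commit rejected." >&2
            echo "Remove it, or mark a known-safe test fixture with 'nosecret', then retry." >&2
            exit 1
        fi
        ;;
esac
```

Copy the file to .git/hooks/pre-commit, make it executable, and stage a file containing one of the sample values to see the commit rejected with the offending lines printed. Running the file directly only defines the functions, so `sample_diff | find_secrets` exercises the scanner without git. The hook inspects only added lines in the staged diff, so a secret already in history is not caught; that is what the server-side repository scans in the next section are for, and a hook is a client-side convenience rather than an enforced control.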

Code servers 

BluBracket scans repositories hosted in GitHub, GitLab, Bitbucket, and others.

Certified & supported code servers:

  • GitHub Cloud
  • GitHub Enterprise (including on-prem)
  • GitLab Cloud
  • GitLab on-prem
  • Bitbucket Cloud
  • Bitbucket Server
  • Azure DevOps
  • Gerrit

Usage guide: adding code servers.

CI servers 

BluBracket can identify risks in the CI workflow via GitHub Checks and others.

Certified & supported CI servers:

  • GitHub Checks
  • Bitbucket Code Insights
  • Jenkins

Additional integrations are available via our open CI API.

Usage guide: configuring CI checks.

Identity, authentication, and authorization 

BluBracket supports Okta and other single sign-on solutions.

Certified & supported identity integrations:

  • Azure AD
  • Okta
  • Ping
  • SAML
  • GitHub OAuth
  • GitLab OAuth (coming soon)
  • Bitbucket OAuth (coming soon)

Messaging 

BluBracket integration with Slack can alert teams about code risks in new commits in real time.

Certified & supported messaging integrations:

  • Slack

Ticketing & incident management 

BluBracket can automatically create a Jira ticket when risks are found in new commits.

Certified & supported ticketing & incident management integrations:

  • Jira
  • ServiceNow
  • PagerDuty
  • Splunk

Build your own 

  • APIs
  • Webhooks (coming soon)

BluBracket’s git access and configuration monitoring tools make it easy to see who and what has access across the codebase, and alert when access permissions don’t conform to policy.

For more information on how BluBracket delivers code security and protects against code leaks, visit https://blubracket.com/products/enterprise-edition/
To get started with BluBracket for free, visit https://blubracket.com/contact/get-started/

*** This is a Security Bloggers Network syndicated blog from BluBracket: Code Security & Secret Detection authored by Pan Kamal. Read the original post at: https://blubracket.com/integrating-code-security-with-ci-cd-and-enterprise-tools/
