The ZeroNorth Integration Container (“I-C”) provides a way to run the ZeroNorth Platform as a pseudo-onprem solution. The I-C can be triggered to orchestrate entirely within your CI/CD environment, with only the results being uploaded to the ZeroNorth platform upon completion of the onprem scan. The following diagram illustrates the flow of this use case:
- The code does not leave your environment, unless you are using a scanning service that requires code to be uploaded to the scanning service (ZeroNorth will coordinate this for you).
- You can access your onprem sources (e.g. Bitbucket Enterprise server) that are not accessible by the ZeroNorth SaaS platform.
- You can utilize scanning servers that are not accessible by the ZeroNorth SaaS platform.
- ZeroNorth platform license and credentials
- A host with Docker installed (see the article ZeroNorth™ Docker Image for CI/CD Pipeline for requirements)
- Docker Hub credentials and privileges to access ZeroNorth’s private docker images (contact email@example.com to request access).
- Connectivity to the scanning server/service.
As of 2020-10-15, ZeroNorth supports onprem scanning for the following SAST/SCA scanners:
- Aqua Trivy -
- Bandit -
- Black Duck Hub -
- Brakeman -
- Checkmarx -
- Nexus IQ Lifecycle -
- OWASP Dependency Check -
- SonarQube -
- Veracode -
- Whitesource -
Setting Up Integration Container:
On the host where the onprem scanning is to happen:
[sudo] docker login, providing the docker credentials that were given access to the ZeroNorth docker images (contact firstname.lastname@example.org for access).
[sudo] docker pull zeronorth/integration:latest
- Ensure that the appropriate runner image is already pulled (see the above list for the runner image names for each scanner)
- Optionally, if you plan to utilize the ZeroNorth Defect Density feature, also pull the image
- The bind mount for
[sudo] is needed if you are logged in as a user who does not belong to the “docker” (“Docker-Users” in Windows) user group.
Use Case - Orchestrate a Scan
This use case covers orchestrating a scan of an application bundle in a local folder (think Jenkins workspace as an example).
Requirements / Assumptions
First, create or select a ZeroNorth Policy whose Target is based on an Integration of Type “Artifact” and has Initial Scans From set to “Customer’s Environment” (a.k.a. “onprem”):
Directions for Orchestrating an Onprem scan
Once the appropriate Policy has been created, use the following docker command to run the I-C:
[sudo] docker run -v /var/run/docker.sock:/var/run/docker.sock -e WORKSPACE=/path/to/the/app/build -v /tmp:/results -e CYBRIC_API_KEY=<API key> -e POLICY_ID=<Policy ID> [-e DEBUG=1] zeronorth/integration:latest python cybric.py
The WORKSPACE variable must be set to the full path of the build artifact to scan. The optional -e DEBUG=1 parameter will cause the I-C to wait for the runner to finish before exiting. Without this option, the I-C will return immediately after spawning the runner.
Use Cases - Ingest Scan Results (Data Load)
This use case covers performing a data load from an onprem scanning tool, which makes it possible to automatically import existing scan results from that tool into ZeroNorth’s SaaS platform.
Requirements / Assumptions
This section uses SonarQube as the example scanning server.
Create a ZeroNorth Data Load Policy, which is nearly identical to the orchestrated scan Policy with the following changes:
- Policy Type must be set to “Data Load”.
- Then, in the SonarQube Application Parameters section of the Scan Policy definition (similar options exist for other scanners):
Directions for Ingesting Scan Results
Follow the directions for the onprem syntax:
[sudo] docker run -v /var/run/docker.sock:/var/run/docker.sock -e WORKSPACE=/tmp -v /tmp:/results -e CYBRIC_API_KEY=<API key> -e POLICY_ID=<Policy ID> [-e DEBUG=1] zeronorth/integration:latest python cybric.py
Note that the WORKSPACE variable must still be provided. In the above example, it was pointed to
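A wrapper around the two docker run invocations above (orchestrated scan and data load), added here as an example; it is not ZeroNorth's own script and not the BASH script the related article refers to. It assumes POSIX sh, the image tag, mounts and variable names exactly as given above, and sudo 1.8.21 or later (for --preserve-env) when sudo is required.

```sh
#!/bin/sh
# Added wrapper for the two "docker run" invocations on this page (orchestrated
# scan and data load). Not ZeroNorth's own script; variable names, mounts and
# image tag are as the page gives them. Assumed: POSIX sh, and sudo >= 1.8.21
# when ZN_SUDO=1 (for --preserve-env).
ZN_IMAGE="zeronorth/integration:latest"

# WORKSPACE is consumed by the I-C to locate the build, so it must be an
# absolute path that exists on the host; a wrong value only fails after the
# runner has already been spawned.
zn_check_workspace() {
  case "$1" in
    /*) [ -d "$1" ] ;;
    *)  return 1 ;;
  esac
}

# Usage: zn_ic scan|load <policy-id> [<workspace>] [debug]
#   scan  orchestrates a scan of <workspace> (the app build directory)
#   load  ingests results from the scanning tool; WORKSPACE is fixed to /tmp
# Env:  CYBRIC_API_KEY  API key (required; passed as a bare -e so docker takes
#                       it from the environment instead of it appearing in
#                       argv, process listings and shell history)
#       ZN_SUDO=1       prepend sudo (user not in the "docker" group)
#       ZN_DRY_RUN=1    print the command instead of running it
zn_ic() {
  mode=$1; policy=$2; ws=$3; dbg=$4
  [ -n "$policy" ] || { echo "zn_ic: policy id required" >&2; return 1; }
  [ -n "$CYBRIC_API_KEY" ] || { echo "zn_ic: CYBRIC_API_KEY not set" >&2; return 1; }
  case "$mode" in
    scan) zn_check_workspace "$ws" ||
            { echo "zn_ic: workspace must be an absolute existing dir" >&2; return 1; } ;;
    load) ws=/tmp ;;
    *)    echo "zn_ic: mode must be scan or load" >&2; return 1 ;;
  esac
  # The Docker socket mount lets the I-C spawn the runner container; whoever
  # controls that socket controls the host, so use a dedicated build host.
  set -- docker run -v /var/run/docker.sock:/var/run/docker.sock \
    -e "WORKSPACE=$ws" -v /tmp:/results -e CYBRIC_API_KEY -e "POLICY_ID=$policy"
  if [ "$dbg" = debug ]; then set -- "$@" -e DEBUG=1; fi   # wait for the runner
  set -- "$@" "$ZN_IMAGE" python cybric.py
  # sudo resets the environment by default; keep only the key docker needs.
  if [ "${ZN_SUDO:-0}" = 1 ]; then set -- sudo --preserve-env=CYBRIC_API_KEY "$@"; fi
  if [ "${ZN_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
```

Run `ZN_DRY_RUN=1 zn_ic scan <Policy ID> /path/to/the/app/build debug` first to see the exact command before letting it spawn a runner.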
Refer to the related article ZeroNorth™ Docker Image for CI/CD Pipeline for additional details and for the BASH script that makes the above two use cases more convenient.