Code vulnerability scanner

Cisco Panoptica works upstream in the CI/CD pipeline to identify serverless functions that are ready to be deployed in your AWS account. In this way, you can identify serverless functions upfront and authorize only these functions when they are deployed to your account. Function authorization verifies that only functions that came from the CI/CD pipeline are deployed, while unknown functions (those without a Panoptica identity) are either blocked or detected (deployed, but marked as "unknown").
In addition to the function identity, Panoptica also performs vulnerability scanning when the images or the code's zip file are built in the CI stage. You can define the vulnerability thresholds that a function must meet in order to pass the CI stage.

This page relates to code zip files. If your serverless function uses a container image, follow the Docker plugin instructions.

The plugin sends information to Panoptica about the zip file, which Panoptica uses to generate an identity.

Install the Plugin

  1. On the Panoptica console, create a user with the Service role. This user will be used by the plugin. Copy the value of the Access Token; it will be used by the plugin (see below).
  2. Navigate to the CI/CD page, and select the PLUGINS tab. Scroll to Code Vulnerability Scanner.
  3. Download the plugin using the link on the page.

Use the plugin

Basic usage

Example:

securecn_deployment_cli run-code-vulnerability-scan --access-key $ACCESS_KEY --secret-key $SECRET_KEY --code-identifier $CODE_NAME --zip-path-to-scan $PATH_TO_ZIP_FILE

Code identifier

The code identifier lets Panoptica update the code vulnerability results for the same piece of code after each change. The code name should represent this piece of code and should be unique across the organization, for example "authentication-server" or "myapp-front-end".

Panoptica credentials

The access_key and secret_key values are taken from the Access Token created on Panoptica in the preceding step. Alternatively, you can store those credentials as environment variables (PORTSHIFT_CLI_ACCESS_KEY, PORTSHIFT_CLI_SECRET_KEY) and remove them from the command, which also keeps the secret out of the CI job log and the process list.

Example:

export PORTSHIFT_CLI_ACCESS_KEY=XXXXXXX
export PORTSHIFT_CLI_SECRET_KEY=XXXXXXX
securecn_deployment_cli run-code-vulnerability-scan --code-identifier $CODE_NAME --zip-path-to-scan $PATH_TO_ZIP_FILE

Scan a zip file stored in an AWS S3 bucket

You can also scan a file that is stored in an AWS S3 bucket by providing the S3 URI and the AWS authentication details:

Using an AWS profile:

Example:

AWS_PROFILE=$AWS_PROFILE_NAME AWS_REGION=$AWS_REGION securecn_deployment_cli run-code-vulnerability-scan --access-key $ACCESS_KEY --secret-key $SECRET_KEY --code-identifier $CODE_NAME --zip-path-to-scan $PATH_TO_ZIP_FILE -s3-uri-to-scan $AWS_S3_URI

Using an AWS access key and secret access key:

Example:

AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY AWS_SECRET_ACCESS_KEY=$AWS_SECRET_KEY AWS_REGION=$AWS_REGION securecn_deployment_cli run-code-vulnerability-scan --access-key $ACCESS_KEY --secret-key $SECRET_KEY --code-identifier $CODE_NAME --zip-path-to-scan $PATH_TO_ZIP_FILE -s3-uri-to-scan $AWS_S3_URI

Fail on scan results

In some cases you will want the scanner to fail according to its findings. You can set this in the CI/CD Scan Policy in the Panoptica console, and with flags in the scan command. If a policy is configured and the flags exist in the command, the scanner will fail according to the policy.

  • Highest vulnerability severity flag: --highest-severity-allowed sets the highest vulnerability severity allowed. Valid values: CRITICAL, HIGH, MEDIUM, LOW, or UNKNOWN.

Example:

securecn_deployment_cli run-code-vulnerability-scan --access-key $ACCESS_KEY --secret-key $SECRET_KEY --code-identifier $CODE_NAME --zip-path-to-scan $PATH_TO_ZIP_FILE --highest-severity-allowed HIGH
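The following is an added example of a CI-step wrapper around the scan command above; it is not part of the Panoptica documentation or CLI. It reads the credentials from the PORTSHIFT_CLI_ACCESS_KEY / PORTSHIFT_CLI_SECRET_KEY environment variables instead of --access-key/--secret-key, validates the code identifier and the --highest-severity-allowed value before calling the scanner, and propagates the scanner's exit status so a failed scan fails the pipeline. SCANNER_CMD is an assumed variable naming the CLI binary (defaulting to securecn_deployment_cli) so the wrapper can be exercised with a stub.

```shell
#!/bin/sh
# Added example (not Panoptica's own code): CI wrapper for the code scan.
# Credentials are expected in the environment, as the page allows, so they
# never appear on the command line or in the CI job log.

# validate_severity LEVEL: 0 if LEVEL is a value --highest-severity-allowed accepts.
validate_severity() {
  case "$1" in
    CRITICAL|HIGH|MEDIUM|LOW|UNKNOWN) return 0 ;;
    *) return 1 ;;
  esac
}

# validate_code_id ID: 0 if ID is a stable identifier such as
# "authentication-server" (lowercase letters, digits, '.', '_' and '-' only).
validate_code_id() {
  case "$1" in
    ''|*[!a-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# run_scan CODE_ID ZIP_PATH MAX_SEVERITY
# Returns 2 on a local input problem (missing credentials, bad identifier,
# bad severity, missing zip); otherwise returns the scanner's own exit
# status, so a scan that fails its threshold fails the CI job.
run_scan() {
  code_id=$1; zip_path=$2; max_sev=$3
  if [ -z "${PORTSHIFT_CLI_ACCESS_KEY:-}" ] || [ -z "${PORTSHIFT_CLI_SECRET_KEY:-}" ]; then
    echo "run_scan: PORTSHIFT_CLI_ACCESS_KEY / PORTSHIFT_CLI_SECRET_KEY not set" >&2
    return 2
  fi
  validate_code_id "$code_id" || { echo "run_scan: bad code identifier '$code_id'" >&2; return 2; }
  validate_severity "$max_sev" || { echo "run_scan: bad severity '$max_sev'" >&2; return 2; }
  [ -f "$zip_path" ] || { echo "run_scan: zip not found: $zip_path" >&2; return 2; }
  # SCANNER_CMD is an assumption of this example; the real CLI is the default.
  "${SCANNER_CMD:-securecn_deployment_cli}" run-code-vulnerability-scan \
    --code-identifier "$code_id" \
    --zip-path-to-scan "$zip_path" \
    --highest-severity-allowed "$max_sev"
}
```

Call it from the CI job as run_scan "$CODE_NAME" "$PATH_TO_ZIP_FILE" HIGH after the zip is built; the job fails on exit status 2 (bad inputs) or on whatever non-zero status the scanner returns.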