How to add a Security Gateway to TeamCity


Security Gateway for TeamCity

With our latest release RIPS 3.1 we published our new integration plugin for TeamCity. It is implemented as a security gateway to automatically check your code builds for the existence of security vulnerabilities and related code quality issues. See how RIPS can automatically protect your production server from new security bugs.

TeamCity

TeamCity is a continuous integration (CI) and deployment server developed by JetBrains. It was released in 2006 as commercial software but can also be used free of charge within a certain scale. Next to Bamboo and Jenkins it is one of the most common solutions for building and deploying applications to servers today. Its modularity allows installing a wide range of plugins that extend the system and define new actions for each build step.

RIPS Security Analysis Plugin

Our new plugin integrates RIPS security analysis into the CI server as a new build step called RIPS Security Scan. It automates the security testing of your application’s source code before deployment, so that new security issues are detected and blocked before it is too late.

Installation

The easiest way to install the plugin is via the JetBrains Plugin Repository. To install it, browse to the Plugins List of your TeamCity installation and select Browse plugins repository, where you can search for “RIPS Security Analysis”. Alternatively, you can perform a manual installation with the plugin archive from our knowledge base. That’s it: you are now ready to add and configure your first security gateway in one of your projects.

Configuration

The configuration dialog shown in Figure 1 looks similar to those of all our other integration plugins. First you need to authenticate the plugin against the RIPS server instance that will perform the security analysis. After that you can select the application that should be analyzed.

Figure 1: Configuration of RIPS Security Analysis Plugin

The other fields are not mandatory and have default values. In order to fail the build when RIPS finds too many new issues, you can enable vulnerability thresholds. An empty value skips the severity type entirely. A value of zero does not allow any issues of this severity type.

To configure your RIPS scan in more detail, we recommend creating an analysis profile in your RIPS instance. There you can, for example, ignore files and folders, enable or disable the issue types you are interested in, or add custom rules for advanced security testing. RIPS uses your current default profile automatically, but you can also select a specific profile for each CI build step individually.

Gateway

If the scan triggers the security gateway, a message similar to the one depicted in Figure 2 is raised. Our plugin uses the native reporting system of TeamCity to integrate as seamlessly as possible.

Figure 2: Example of a Failed Build Result

In this example the vulnerability threshold of 10 high-severity vulnerabilities was reached and TeamCity warns about a build problem. Based on the configuration of your build steps, you can decide whether the TeamCity build should fail completely or whether certain further build steps should still be executed.
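To make the threshold semantics from the Configuration section and the gateway behaviour above concrete, here is an added stand-alone example (not the plugin's own code): it evaluates per-severity thresholds with the stated edge cases (empty field skips the severity, zero tolerates nothing) and formats the result as TeamCity build-problem service messages. The "more issues than the threshold" comparison and the exact service-message form the plugin emits are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Threshold semantics as described for the plugin dialog (assumed comparison: a
# severity fails the gate when more new issues are found than the threshold allows).
#   None -> field left empty: this severity is skipped entirely
#   0    -> no new issue of this severity is tolerated
#   N    -> up to N new issues are tolerated, N+1 fails the build
Thresholds = Dict[str, Optional[int]]
Violation = Tuple[str, int, int]  # (severity, issues found, threshold)

def evaluate_gateway(new_issues: Dict[str, int],
                     thresholds: Thresholds) -> Tuple[bool, List[Violation]]:
    """Return (gate passed, list of severities whose threshold was exceeded)."""
    violations: List[Violation] = []
    for severity, limit in thresholds.items():
        if limit is None:
            continue                      # empty field: never fails the build
        found = new_issues.get(severity, 0)
        if found > limit:                 # 0 > 0 is False, so limit 0 allows nothing
            violations.append((severity, found, limit))
    return (not violations, violations)

def teamcity_escape(text: str) -> str:
    """Escape a value for a TeamCity service message ('|' must be escaped first)."""
    for raw, escaped in (("|", "||"), ("'", "|'"), ("\n", "|n"),
                         ("\r", "|r"), ("[", "|["), ("]", "|]")):
        text = text.replace(raw, escaped)
    return text

def build_problem_messages(violations: List[Violation]) -> List[str]:
    """One TeamCity 'buildProblem' service message per exceeded severity.

    Printing such a line to the build log is TeamCity's native way for a build
    step to report a problem; that the RIPS plugin emits exactly this form is
    an assumption, not something shown on the page.
    """
    return [
        "##teamcity[buildProblem description='{}' identity='{}']".format(
            teamcity_escape("RIPS Security Scan: %d new %s issue(s) exceed threshold %d"
                            % (found, severity, limit)),
            teamcity_escape("rips-threshold-" + severity))
        for severity, found, limit in violations
    ]

if __name__ == "__main__":
    # Constructed sample scan result and dialog settings (not real data):
    # 'high' is over its limit of 10, 'medium' is left empty, 'critical' is 0.
    sample_issues = {"critical": 0, "high": 11, "medium": 3}
    sample_thresholds = {"critical": 0, "high": 10, "medium": None, "low": 2}
    passed, found = evaluate_gateway(sample_issues, sample_thresholds)
    for line in build_problem_messages(found):
        print(line)
    raise SystemExit(0 if passed else 1)   # non-zero exit fails the build step
```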

Figure 3: Build Step Configuration in TeamCity

Summary

The RIPS Security Analysis plugin for TeamCity allows you to integrate RIPS seamlessly into your build process for automated security scans, without changing any of your existing build tools. This enables you to uncover real security threats in your application’s source code before they are deployed to production systems. You can find more information and a detailed description of the plugin's configuration options in our knowledge base.


Tags: malena ebert, security gateway, teamcity, ci, integration, plugin, java, php,

Author: Malena Ebert

System Integration Engineer

Malena has a Master's degree in IT security from the Ruhr-University Bochum and is a professional software engineer. She likes to become acquainted with new modern programming language concepts and always keeps the security aspect in mind.
