How to add a Security Gateway to TeamCity
30 Apr 2019 by Malena Ebert
With our latest release RIPS 3.1 we published our new integration plugin for TeamCity. It is implemented as a security gateway to automatically check your code builds for the existence of security vulnerabilities and related code quality issues. See how RIPS can automatically protect your production server from new security bugs.
TeamCity is a continuous integration (CI) and deployment server developed by Jetbrains. It was released in 2006 as commercial software but can also be used free of charge within a certain scale. Next to Bamboo and Jenkins it is one of the most common solutions today for building and deploying applications to servers. Its modularity allows installing a wide range of plugins that extend the system and define new actions for each build step.
RIPS Security Analysis Plugin
Our new plugin integrates RIPS security analysis into the CI server as a new build step called RIPS Security Scan. It enables you to automate the security testing of your application’s source code before it is deployed, in order to detect and block new security issues before it is too late.
The most comfortable way to install the plugin is via the Jetbrains Plugin Repository. To install it, simply browse to the Plugins List of your TeamCity installation and select Browse plugins repository, where you can search for “RIPS Security Analysis”. Alternatively, you can also perform a manual installation with the plugin archive from our knowledge base. That’s it, now you are ready to go and can add and configure your first security gateway in one of your projects.
The configuration dialog shown in Figure 1 looks similar to those of all our other integration plugins. First you need to authenticate the plugin against the RIPS server instance that will perform the security analysis. After that you can select the application that should be analyzed.
The other fields are not mandatory and have default values. In order to fail the build when RIPS finds too many new issues, you can enable vulnerability thresholds. An empty value skips the severity type entirely. A value of zero does not allow any issues of this severity type.
To configure your RIPS scan in more depth, we recommend creating an analysis profile in your RIPS instance. There you can, for example, ignore files and folders, disable or enable the issue types you are interested in, or add custom rules for advanced security testing. RIPS uses your current default profile automatically, but you can also select a specific profile for each CI build step individually.
If the scan triggers the security gateway, a message similar to the one depicted in Figure 2 is raised. Our plugin uses the native reporting system of TeamCity to integrate as seamlessly as possible.
In this example the vulnerability threshold of 10 high-severity vulnerabilities was reached and TeamCity warns about a build problem. Based on the configuration of your build steps, you can decide whether your build in TeamCity should fail completely or whether certain further build steps should still be executed.
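The threshold rules above (an empty field skips a severity, zero allows no issues of that severity, and a triggered gateway either fails the build or only raises a warning depending on the build step configuration) can be illustrated with a small gateway evaluator. The following is an added example written for this post and is not the plugin's own code: the severity names, the `evaluate_gateway` and `build_outcome` helpers, and the sample issue counts are all constructed here, and the comparison "count exceeds threshold" is an assumption about the plugin's exact rule, which is documented in the knowledge base.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity names used by this example only (assumed, not the plugin's identifiers).
SEVERITIES = ("critical", "high", "medium", "low")


@dataclass
class GatewayVerdict:
    triggered: bool              # True when at least one threshold was exceeded
    violations: Dict[str, str]   # severity -> reason the threshold was exceeded
    skipped: List[str]           # severities with an empty threshold field


def evaluate_gateway(thresholds: Dict[str, Optional[int]],
                     new_issue_counts: Dict[str, int]) -> GatewayVerdict:
    """Apply per-severity thresholds to the number of new issues a scan found.

    thresholds maps severity -> int or None. None models an empty field
    (severity is skipped entirely); 0 models a field set to zero (no issues
    of that severity are tolerated). Assumption: the gateway triggers when
    the count is strictly greater than the configured threshold.
    """
    violations: Dict[str, str] = {}
    skipped: List[str] = []
    for sev in SEVERITIES:
        limit = thresholds.get(sev)
        count = new_issue_counts.get(sev, 0)
        if limit is None:
            skipped.append(sev)          # empty field: never blocks the build
            continue
        if limit < 0:
            raise ValueError(f"threshold for {sev} must be >= 0, got {limit}")
        if count > limit:
            violations[sev] = (f"{count} new {sev} issue(s) exceed "
                               f"the threshold of {limit}")
    return GatewayVerdict(bool(violations), violations, skipped)


def build_outcome(verdict: GatewayVerdict, fail_build_on_gateway: bool) -> str:
    """Map a verdict to the build result the CI server would show.

    fail_build_on_gateway models the build-step setting that decides whether
    a triggered gateway fails the whole build or only reports a build problem
    while later steps keep running.
    """
    if not verdict.triggered:
        return "passed"
    return "failed" if fail_build_on_gateway else "warning"


# Constructed sample configuration and scan result (not real RIPS output):
# critical = 0 (none allowed), high = 10, medium/low left empty.
SAMPLE_THRESHOLDS: Dict[str, Optional[int]] = {
    "critical": 0, "high": 10, "medium": None, "low": None,
}
SAMPLE_COUNTS: Dict[str, int] = {"critical": 0, "high": 12, "medium": 7, "low": 3}


if __name__ == "__main__":
    verdict = evaluate_gateway(SAMPLE_THRESHOLDS, SAMPLE_COUNTS)
    for sev, reason in verdict.violations.items():
        print(f"[gateway] {reason}")
    print("skipped severities:", ", ".join(verdict.skipped))
    print("build outcome (fail on gateway):", build_outcome(verdict, True))
    print("build outcome (continue on gateway):", build_outcome(verdict, False))
```

With the constructed sample, only the high severity exceeds its threshold (12 new issues against a limit of 10); the 7 medium and 3 low issues are ignored because their fields are empty, and the build is reported as failed or as a warning depending on the flag.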
The RIPS Security Analysis plugin for TeamCity lets you integrate RIPS seamlessly into your build process for automated security scans, without changing any of your existing build tools. This enables you to uncover real security threats in your application’s source code before they are deployed to production systems. You can find more information and a detailed description of this plugin's configuration options in our knowledge base.