Cohesion can be directly integrated into your docker build scripts and docker orchestration deployments.
Docker Compose is a nice orchestration layer that can be used locally and as part of the CI pipeline. Web security tests can be provided in a separate container where Cohesion is installed and run against the application in a safe manner.
Let's get started by defining a docker compose yaml for testing. In this example the file is called "docker-compose.cohesion.yml" and it looks like this:
cohesion:
  build: .
  dockerfile: Dockerfile.cohesion
  links:
    - web
web:
  build: .
  dockerfile: Dockerfile
  links:
    - redis
redis:
  image: redis
The main "Dockerfile" is our core application/service. The file "Dockerfile.cohesion" is where we are going to define our security testing phase which could look like the following code listing:
FROM secapps/cohesion:latest
CMD ["cohesion", "scanner", "--exit=>=7", "--exit-code=77", "--wait=web", "-vvv", "web"]
Notice that we use both the "--exit" and "--wait" command-line options: "--exit=>=7" makes Cohesion stop and exit as soon as it finds a vulnerability scored 7 or higher (a critical finding), and "--wait=web" makes it wait for the web service to come up before starting the tests. "--exit-code" sets the status Cohesion exits with when the threshold is hit; keep it between 1 and 255, because process exit statuses are 8-bit and a larger value is truncated modulo 256 (777, for example, would be reported as 9 and could be mistaken for an unrelated failure). Because the JSON exec form of CMD runs without a shell, the threshold is written as "--exit=>=7" with no inner quotes; a literal '>=7' would be passed to Cohesion with the quote characters included. The "-vvv" flag selects the most verbose output, which helps when debugging the pipeline.
Now, let's build the solution:
$ docker-compose -f ./docker-compose.cohesion.yml -p ci build
...and start a fresh testing environment with the following command:
$ docker-compose -f ./docker-compose.cohesion.yml -p ci up -d
To see how the testing phase is doing, follow the logs of the Cohesion container (with project name "ci", Compose names it ci_cohesion_1):
$ docker logs -f ci_cohesion_1
To check that all security tests have passed, wait for the container and inspect its exit code. "docker wait" blocks until the container stops and prints its exit status: 0 means no finding reached the "--exit" threshold, the value given with "--exit-code" means one did, and any other value means the scan did not complete.
$ docker wait ci_cohesion_1
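As an added example (not code from the original page or from the Cohesion project), the build, up, logs and wait steps above wrapped into a single CI script that fails the pipeline on the scanner's verdict. It assumes a Compose project named "ci", a scanner service named "cohesion", and that Dockerfile.cohesion passes "--exit-code=77"; the docker and docker-compose binaries are taken from the DOCKER and COMPOSE variables so the flow can be exercised with stand-ins.

```shell
#!/bin/sh
# ci-security.sh: run the docker-compose.cohesion.yml stack from CI and fail
# the pipeline on the Cohesion container's exit status.
# Assumed values (not from the original page): project "ci", scanner service
# "cohesion", --exit-code=77 in Dockerfile.cohesion.
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-./docker-compose.cohesion.yml}"
PROJECT="${PROJECT:-ci}"
SCANNER_SERVICE="${SCANNER_SERVICE:-cohesion}"
VULN_EXIT_CODE="${VULN_EXIT_CODE:-77}"   # must match --exit-code in Dockerfile.cohesion
DOCKER="${DOCKER:-docker}"               # overridable so the flow can be dry-run
COMPOSE="${COMPOSE:-docker-compose}"

# Compose (v1 file format) names containers <project>_<service>_<index>.
container_name() {
    printf '%s_%s_%s\n' "$1" "$2" "${3:-1}"
}

# Translate the scanner container's exit status into a verdict:
#   0                -> scan finished, nothing reached the --exit threshold
#   $VULN_EXIT_CODE  -> --exit fired: a finding at or above the threshold
#   anything else    -> the scanner itself failed (crash, target never came up)
verdict() {
    case "$1" in
        0)                 echo pass ;;
        "$VULN_EXIT_CODE") echo vulnerable ;;
        *)                 echo error ;;
    esac
}

# Build, start, wait for the scanner, surface its log, tear down, and return
# 0 only when the verdict is "pass".
run_security_tests() {
    name=$(container_name "$PROJECT" "$SCANNER_SERVICE")
    $COMPOSE -f "$COMPOSE_FILE" -p "$PROJECT" build
    $COMPOSE -f "$COMPOSE_FILE" -p "$PROJECT" up -d
    # docker wait blocks until the container stops and prints its exit status.
    status=$($DOCKER wait "$name")
    # Capture the scanner output before the stack (and its logs) is removed.
    $DOCKER logs "$name" || true
    $COMPOSE -f "$COMPOSE_FILE" -p "$PROJECT" down || true
    result=$(verdict "$status")
    echo "cohesion: exit status ${status:-<none>} -> $result"
    [ "$result" = pass ]
}

# Only act when invoked as "ci-security.sh run"; otherwise just define functions.
case "${1:-}" in
    run) run_security_tests ;;
    *)   : ;;
esac
```

Run it as "sh ci-security.sh run" from the CI job; a "vulnerable" or "error" verdict makes the script exit non-zero, which fails the job. Distinguishing the configured exit code from any other non-zero status matters in CI: a scanner that never reached the target should show up as a broken pipeline, not as a clean or a failed security test.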
Although less common, Cohesion can also be run as a build step inside a Dockerfile. Use the "--exit" option so that a serious finding makes the scanner exit non-zero, which in turn fails the build. For dynamic application assessments the service must also be up and listening while the scan runs; this is not needed when Cohesion is integrated directly as a library.
Consider the following Dockerfile as an example:
FROM baseimage

# Install Node (docker build already runs as root, so no sudo is needed;
# Node 9 is end-of-life, use a supported setup_NN.x script)
RUN apt-get update && apt-get install --yes curl
RUN curl --silent --location https://deb.nodesource.com/setup_9.x | bash -
RUN apt-get install --yes nodejs build-essential

# Install Cohesion (pin a specific version in real builds)
RUN npm install -g @secapps/cohesion

# Stand up the application, wait until it is listening, then run Cohesion
# against it. All three happen in a single RUN: a process started in one RUN
# step does not survive into the next, so the server and the scan cannot be
# split across separate lines.
RUN ./run.sh & \
    i=0; until curl --silent --output /dev/null http://localhost:8080; do \
        i=$((i+1)); [ "$i" -lt 30 ] || exit 1; sleep 1; \
    done; \
    cohesion scanner --exit=">=7" http://localhost:8080

# Cleanup
RUN rm -rf /var/lib/apt/lists/*

# Setup entrypoint
ENTRYPOINT ["./run.sh"]
In the example above, a non-zero exit from the cohesion RUN step aborts the docker build, so no image is produced when Cohesion finds a vulnerability at or above the "--exit" threshold. The same applies if the application never starts listening within the wait loop, which prevents a scan of nothing from passing silently.