Skip to content

buildkite-plugins/wiz-buildkite-plugin

BranchesTags
 
 

Repository files navigation

Wiz Buildkite Plugin

Wiz logo image

Scans your infrastructure-as-code Cloudformation stacks or docker images for security vulnerabilities using wiz

This plugin is forked from blstrco/wiz-buildkite-plugin.

Requirements

In order to use this plugin, you will need to have the following installed on your buildkite agent:

  • Docker

And the following environment variables exported in the job (e.g. via an Agent hook or Plugin):

  • WIZ_CLIENT_ID (Wiz service account's client ID)
  • WIZ_CLIENT_SECRET (Wiz service account's secret)

Check out Buildkite's documentation for more information on how to manage secrets in Buildkite.

Examples

Docker Scanning

Add the following to your pipeline.yml, the plugin will pull the image, scan it using wiz and create a buildkite annotation with the results.

steps:
  - command: ls
    plugins:
      - wiz#v1.4.0:
          scan-type: 'docker'
          image-address: "<image-address-to-pull-and-scan>"

If you are using the AWS Assume Role Plugin, you might have trouble getting your secret key from aws secretsmanager if the role you assumed doesn't have the necessary access rights. To restore your role, you can use the AWS Restore Role Buildkite Plugin before the wiz plugin.

  plugins:
      - franklin-ross/aws-restore-role#HEAD
      - wiz#v1.4.0:
        scan-type: 'docker'

AWS cdk diff Scanning

To avoid adding build time overhead, you can add IaC scanning to your cdk diff step. You will need to mount/export the cdk.out folder and pass its path to the plugin. The plugin will then scan each Cloudformation stack in the folder and create a buildkite annotation with the results.

steps:
  - command: ls
    plugins:
      - docker-compose#v4.16.0:
        # to get the output of CDK diff, mount the volume in cdk diff stage
        - volumes:
          - './infrastructure/cdk.out:/app/infrastructure/cdk.out'
      - wiz#v1.4.0:
          scan-type: 'iac'
          path: "infrastructure/cdk.out"

CloudFormation templates Scanning

Add the following to your pipeline.yml, the plugin will scan a specific CloudFormation template and related Parameter file.

steps:
  - label: "Scan CloudFormation template file"
    command: ls
    plugins:
      - wiz#v1.4.0:
          scan-type: 'iac'
          iac-type: 'Cloudformation'
          path: 'cf-template.yaml'
          parameter-files: 'params.json'

This can also be used to scan CloudFormation templates that have been synthesized via the AWS CDK e.g., cdk synth > example.yaml

Terraform Files Scanning

Add the following to your pipeline.yml, the plugin will scan a specific Terraform File and related Parameter file.

steps:
  - label: "Scan Terraform File"
    command: ls *.tf
    plugins:
      - wiz#v1.4.0:
          scan-type: 'iac'
          iac-type: 'Terraform'
          path: 'main.tf'
          parameter-files: 'variables.tf'

By default, path parameter will be the root of your repository, and scan all Terraform files in the directory. To change the directory, add the following to your pipeline.yml, the plugin will scan the chosen directory.

steps:
  - label: "Scan Terraform Files in Directory"
    command: ls my-terraform-dir/*.tf
    plugins:
      - wiz#v1.4.0:
          scan-type: 'iac'
          iac-type: 'Terraform'
          path: 'my-terraform-dir'

Terraform Plan Scanning

Add the following to your pipeline.yml, the plugin will scan a Terraform Plan.

steps:
  - label: "Scan Terraform Plan"
    command: terraform plan -out plan.tfplan && terraform show -json plan.tfplan | jq -er . > plan.tfplanjson
    plugins:
      - wiz#v1.4.0:
          scan-type: 'iac'
          iac-type: 'Terraform'
          path: 'plan.tfplanjson'

Directory Scanning

Add the following to your pipeline.yml, the plugin will scan a directory.

steps:
  - label: "Scan Directory"
    command: ls .
    plugins:
      - wiz#v1.4.0:
          scan-type: 'dir'
          path: 'main.tf'

By default, path parameter will be the root of your repository, and scan all files in the local directory. To change the directory, add the following to your pipeline.yml, the plugin will scan the chosen directory.

steps:
  - label: "Scan Files in different Directory"
    command: ls my-dir
    plugins:
      - wiz#v1.4.0:
          scan-type: 'dir'
          path: 'my-dir'

Configuration

scan-type (Required, string) : `dir | docker | iac'

The type of resource to be scanned.

iac-type (Optional, string): Ansible | AzureResourceManager | Cloudformation | Dockerfile | GoogleCloudDeploymentManager | Kubernetes | Terraform

Narrow down the scan to specific type. Used when scan-type is iac.

image-address (Optional, string)

The path to image file, if the scan-type is docker.

scan-format (Optional, string): human | json | sarif

Scans output format. Defaults to: human

file-output-format (Optional, string or array): human | json | sarif | csv-zip

Generates an additional output file with the specified format.

parameter-files (Optional, string)

Comma separated list of globs of external parameter files to include while scanning e.g., variables.tf Used when scan-type is iac.

path (Optional, string)

The file or directory to scan, defaults to the root directory of repository. Used when scan-type is dir or iac.

show-secret-snippets (Optional, bool)

Enable snippets in secrets. Defaults to: false

Developing

To run the tests:

docker compose run --rm tests

Contributing

  1. Fork the repo
  2. Make the changes
  3. Run the tests
  4. Commit and push your changes
  5. Send a pull request

About

Integrates Wiz security scanning for directories, infrastructure-as-code and docker images

Topics

buildkite-plugin

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

4 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases 6

v1.4.0 (🦄🤳 Unicorn Selfie) Latest
Jun 19, 2024
+ 5 releases

Packages

No packages published

Languages

  • Shell 100.0%