Continuous Integrate your Security

Continuous Integrate your Security

Continuous Integration can automate your whole development workflow. Beyond the standard tasks like running automated unit tests, checking quality of the code and at the end, building your code, it can do anything you can imagine.

In the article I’ll show you how to integrate security testing into your CI. Automatic checks will find out if libraries you are using in your project are affected to the known security vulnerabilities.

Security Advisories Checker

Thanks to the new SensioLabs Security Advisories Checker it is now possible to automate security checks.

The SensioLabs security advisories checker is a simple tool, available as a web service or as an online application that uses the information from your composer.lock file to check for known security vulnerabilities.

Using the security advisories database and comparing versions of libraries you are using, automated checker can find out if you are affected. Information about your libraries are received only from the Composer dependencies file (composer.lock) so in fact the tool isn’t checking any PHP files – just the metadata of libraries.

The main advantage of operating in that way is that no additional information is being sent to SensioLabs servers – you aren’t revealing your code.

The database of checks is available on GitHub. You can already check your code against advisories for:

  • Symfony ecosystem
    • Symfony Components
    • Doctrine ORM
    • Twig templating engine
    • …other third-party bundles (like well-known FOS)
  • Zend Framework

Why we made our own CLI tool?

To integrate the checker to your CI flow you must be able to run it as a CLI tool …so we’ve made one.

One could ask Why the hell you made your own bash script if Sensio has already made their own CLI tool?!

The answer is simple: Sensio CLI tool isn’t released as a single, simple file – instead you have to download the whole structure. On the other hand, Sensio Checker CLI isn’t a standalone tool for checking your project. It’s just using CURL to send your composer.lock to checker web service.

So instead of that overhead PHP we decided to make a simple bash script which would only run curl and return adequate exit code if check failed. Thanks to that it fits great as your next step in Continous Integration workflow.

The tool is available on our GitHub –

How to integrate security checker into Continuous Integration

Now it’s really easy to add Security Advisories Checker as your next CI step!

It could be done by:

  • running it as an Ant step
  • or defining as a next build step in Jenkins

Jenkins Build Step

Go to your Jenkins Job configuration page and add our script as a build step “Execute shell” – just copy & paste bash source code from security-checker.

Security Checker - Jenkins build step configuration

Security Checker – Jenkins build step configuration

Run build…

Security Checker - Jenkins Console output

Security Checker – Jenkins Console output

If the tool finds that you are affected, the build will be marked as Failed and detailed information about security advisories will be returned.

Looking to scale-out your
web application?

Hire Octivi!

Antoni is a Software Architect and Scrum Master at Octivi. He is responsible for software architecture of our key projects, he also holds Professional Scrum Master certificate.