Editor's note: This is a guest blog post from WhiteSource Software, with whom we recorded a live webinar on DevOps.com. Scroll to the bottom of this post to view the webinar recording.
Open source components have become a basic building block in today’s software development process. It’s no surprise that 60%-80% of the codebase in 92% of modern applications is open source — these components provide us with tried-and-true code that lets us save time and focus on creating the secret sauce that will make our products the next great tech innovation.
While open source components help speed up the development process, they also introduce a number of security and compliance challenges that can’t be handled with the processes and tools we traditionally use for proprietary code. Open source management requires its own set of security and compliance methods.
Many see security as an obstacle to the increasingly swift pace of the DevOps pipeline. However, managing open source usage can be easily integrated into the CI/CD workflow. This is where WhiteSource comes in, providing an automated tool that helps developers stay on top of their open source components within their Codefresh environment. The WhiteSource integration for Codefresh enables continuous security and management of your applications’ dependencies and Docker images without having to sacrifice speed or quality.
How the WhiteSource Step Works
The WhiteSource step is based on an open-jdk image and begins by running an install-commands file. This file contains the commands that install the package managers and any other dependencies required for the Unified Agent (WhiteSource’s scanning agent) to run smoothly and error-free. The WhiteSource step is very lightweight thanks to the combination of the open-jdk image base and the customizable install-commands file.
After the groundwork is set, the Unified Agent begins scanning to detect and report any vulnerabilities in your open source code. If you want to prevent vulnerabilities from entering your codebase, you can configure the WhiteSource step to fail your build whenever vulnerabilities are detected, alerting you and helping you maintain a secure environment.
The results of the scan can be viewed in the WhiteSource UI, including your project’s open source dependencies, vulnerabilities, licensing information, and much more.
Adding the WhiteSource Step in your Codefresh Pipelines
- From within your Codefresh pipeline, view the marketplace by clicking Steps on the right side of your screen.
- In the search box, enter WhiteSource and click on the WhiteSource step displayed in the marketplace.
- After clicking on the WhiteSource step, a pop-up containing the step’s YAML will be displayed. From the bottom of the pop-up, click INSERT STEP to insert the step’s YAML into your pipeline. Alternatively, you can click COPY STEP.
- Populate the variables with your organization’s relevant data:
  - INSTALL_COMMANDS: The path to the ‘install-commands.sh’ file – the file containing the package manager and other dependency installation commands.
  - CONFIG_FILE: The WhiteSource Unified Agent configuration file.
  - PROJECT_DIRECTORY: A comma-delimited list of directories and/or files to scan.
  - API_KEY: A unique identifier of your WhiteSource organization.
And voila! WhiteSource will now scan your open source components as part of your CI/CD pipeline.
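To show how the four variables fit into a Codefresh pipeline, here is an added example pipeline (not taken from the original post or from WhiteSource/Codefresh documentation) that clones a repository and then runs the scan step against the checkout. The step type name `whitesource`, the repository `my-org/my-app`, the file paths and the pipeline variable `WHITESOURCE_API_KEY` are assumptions: use the step name shown in your Steps marketplace, and keep the API key in an encrypted Codefresh pipeline variable rather than in the YAML itself.

```yaml
version: "1.0"
stages:
  - clone
  - scan
steps:
  main_clone:
    title: Cloning repository
    type: git-clone
    stage: clone
    repo: my-org/my-app              # assumed repository
    revision: "${{CF_BRANCH}}"       # Codefresh supplies the branch being built
  whitesource_scan:
    title: WhiteSource open source scan
    type: whitesource                # assumed marketplace step name
    stage: scan
    working_directory: "${{main_clone}}"   # run inside the fresh checkout
    arguments:
      # Script that installs the package managers the Unified Agent needs
      INSTALL_COMMANDS: ./ci/install-commands.sh
      # Unified Agent configuration file (where the fail-build behaviour is set)
      CONFIG_FILE: ./ci/wss-unified-agent.config
      # Comma-delimited directories and/or files to scan
      PROJECT_DIRECTORY: ./src,./package.json
      # Organization API key, injected from an encrypted pipeline variable
      API_KEY: "${{WHITESOURCE_API_KEY}}"
```

Because the scan step is its own stage after the clone, a build configured to fail on detected vulnerabilities stops here, before any later build or deploy stage runs.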
Want to see how it works live? Check out our joint Webinar, Tackling the Container Iceberg: How to Approach Open Source Security in Containers.