This document provides the configuration for setting up a CI/CD pipeline in Bamboo.

Bamboo Configuration

This example demonstrates how to set up a Bamboo plan that runs both SCA and SAST scans using Docker images hosted in Azure Container Registry (ACR). The configuration includes authentication to the ACR, pulling the scanner images, and executing the scans.
  1. Define a Bamboo Plan with a Scan Job
  • Create a Bamboo Plan and Stage with a Job that runs the security scan.
  2. Add a Source Code Checkout task
  • Add a Source Code Checkout task to check out the code from your repository. This is necessary for the scanner to access the source code.
  3. Add a Script task
  • In the Script body field, paste the following code into your script. The client secret is fed to docker login on stdin (--password-stdin) rather than with -p, so it does not appear in the process list, and the mount path is quoted so the script also works when the working directory contains spaces.
  set -e   # stop at the first failure (login, pull or scan) so the task does not report success after a failed step
  echo "Authenticating with registry..."
  printf '%s' "${bamboo.SLS_CLIENT_SECRET}" | docker login -u "${bamboo.SLS_CLIENT_ID}" --password-stdin tauruseer.azurecr.io
  echo "Pulling SCA Scanner Image..."
  docker pull tauruseer.azurecr.io/sca-scanner-pipeline:latest
  echo "Running SCA Scan..."
  docker run --rm -v "$(pwd):/source" tauruseer.azurecr.io/sca-scanner-pipeline:latest --scan-key="${bamboo.SLS_SCAN_KEY}"
  echo "Pulling SAST Scanner Image..."
  docker pull tauruseer.azurecr.io/sast-scanner-pipeline:latest
  echo "Running SAST Scan..."
  docker run --rm -v "$(pwd):/source" tauruseer.azurecr.io/sast-scanner-pipeline:latest --scan-key="${bamboo.SLS_SCAN_KEY}" --secrets=true
  4. Save the configuration.
  5. Run the pipeline
  • Trigger a build in Bamboo to run the pipeline.
  • Check the build log to confirm that both scans completed successfully.

Explanation of the Configuration

  1. Docker Login
    • Uses docker login to authenticate with the private registry (tauruseer.azurecr.io). Feed the client secret on stdin with --password-stdin instead of passing it with -p; Docker itself warns that the -p form is insecure because the value is visible in the process list.
  2. Pull the Images
    • Fetches the latest versions of sca-scanner-pipeline and sast-scanner-pipeline from the container registry. The :latest tag resolves to whatever the registry currently serves; pin a specific tag or digest if you need reproducible scans.
  3. Run the Scanners
    • Mounts the checked-out source code into the container at /source.
    • Executes the scan.
    • The scan key for the asset (repo) is passed to the scanner as the --scan-key argument.
    • --secrets=true enables secret scanning in the SAST scanner.
    • Upon completion the scanner uploads only the results to the SLS platform, and --rm removes the container when the scan exits.
  4. Variables - The following must be added to the plan configuration as plan variables (Bamboo substitutes them into the Script body and also exposes them to the script as environment variables):
    • SLS_CLIENT_ID, SLS_CLIENT_SECRET - used to authenticate to Azure Container Registry and provided by SLS. Keep the secret out of version control and out of the build log; Bamboo masks the value of variables whose name contains "password" or "secret" in the log.
    • SLS_SCAN_KEY - Can be found under Product Data Sources -> Start Left Scanner -> Scan Key (it is also available on the Asset details page). The job passes SLS_SCAN_KEY to the scanner as the --scan-key argument, and the scanner uses it to identify the asset being scanned.
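The Script body above can be wrapped in a small shell script that checks its inputs before touching the registry, logs in with the secret on stdin, runs both scanners and fails the task if either scan fails. The following is an added example, not Tauruseer's or the SLS scanner's own code. It assumes the three plan variables are exported into the script's environment under their plain names (for instance `export SLS_SCAN_KEY="${bamboo.SLS_SCAN_KEY}"` at the top of the Script body); REGISTRY, SCA_IMAGE, SAST_IMAGE and DOCKER are this example's own overridable settings, and DOCKER exists only so the logic can be exercised with a stub in place of the real docker binary.

```shell
#!/bin/sh
# Added example (not SLS/Tauruseer code): a hardened wrapper for the Bamboo Script task.
# Assumes SLS_CLIENT_ID, SLS_CLIENT_SECRET and SLS_SCAN_KEY are exported into the
# environment before the script runs, e.g. `export SLS_SCAN_KEY="${bamboo.SLS_SCAN_KEY}"`.
set -eu

REGISTRY="${REGISTRY:-tauruseer.azurecr.io}"
SCA_IMAGE="${SCA_IMAGE:-sca-scanner-pipeline:latest}"    # pin a tag or digest for reproducible scans
SAST_IMAGE="${SAST_IMAGE:-sast-scanner-pipeline:latest}"
DOCKER="${DOCKER:-docker}"   # overridable so the logic can be exercised without a Docker daemon

# Fail with a clear message when a required variable is unset or empty, instead of
# running the scanner with a blank --scan-key or docker login with no credentials.
require_var() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "ERROR: required variable $name is not set" >&2
    return 1
  fi
}

# Authenticate with the secret on stdin: it never appears in a process listing,
# unlike the -p form that docker itself warns about.
registry_login() {
  printf '%s' "$SLS_CLIENT_SECRET" | "$DOCKER" login -u "$SLS_CLIENT_ID" --password-stdin "$REGISTRY"
}

# Pull one scanner image and run it against the checked-out source.
# Extra arguments (e.g. --secrets=true) are forwarded to the scanner.
# pull and run are chained with && so the function's status is correct even when
# it is called in an || list, where set -e is suspended.
run_scanner() {
  image="$1"
  shift
  "$DOCKER" pull "$REGISTRY/$image" &&
    "$DOCKER" run --rm -v "$(pwd):/source" "$REGISTRY/$image" --scan-key="$SLS_SCAN_KEY" "$@"
}

# Run both scans and return non-zero if either failed, so a failing SCA scan cannot
# be hidden behind a later successful SAST scan (a plain script reports only the
# exit status of its last command to Bamboo).
main() {
  for v in SLS_CLIENT_ID SLS_CLIENT_SECRET SLS_SCAN_KEY; do
    require_var "$v"
  done
  registry_login
  status=0
  echo "Running SCA scan..."
  run_scanner "$SCA_IMAGE" || status=$?
  echo "Running SAST scan..."
  run_scanner "$SAST_IMAGE" --secrets=true || status=$?
  return "$status"
}

# Invoke as `sh sls-scan.sh run`; without the argument the file only defines the
# functions, so it can be sourced or tested without touching Docker.
case "${1:-}" in
  run) main ;;
esac
```

To use it from Bamboo, commit the file to the repository, export the three variables in the Script body and call `sh sls-scan.sh run`; a missing variable, a failed login or a failed scan all produce a non-zero exit status and therefore a failed task.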

Example Bamboo YAML Configuration

The following is an example Bamboo YAML Specs configuration for the same pipeline. It creates a plan with one stage and one job that runs both the SCA and SAST scans. Define SLS_CLIENT_ID, SLS_CLIENT_SECRET and SLS_SCAN_KEY as plan variables in Bamboo rather than in this file, since the YAML is committed to the repository.
---
version: 2
plan:
  project-key: SLS
  key: SSP
  name: SLS Scan Pipeline
stages:
- Default Stage:
    manual: false
    final: false
    jobs:
    - Default Job
Default Job:
  key: JOB1
  tasks:
  - checkout:
      force-clean-build: false
  - script:
      interpreter: SHELL
      scripts:
      - |-
        set -e   # stop at the first failure so the task does not report success after a failed step
        echo "Authenticating with registry..."
        printf '%s' "${bamboo.SLS_CLIENT_SECRET}" | docker login -u "${bamboo.SLS_CLIENT_ID}" --password-stdin tauruseer.azurecr.io
        echo "Pulling SCA Scanner Image..."
        docker pull tauruseer.azurecr.io/sca-scanner-pipeline:latest
        echo "Running SCA Scan..."
        docker run --rm -v "$(pwd):/source" tauruseer.azurecr.io/sca-scanner-pipeline:latest --scan-key="${bamboo.SLS_SCAN_KEY}"
        echo "Pulling SAST Scanner Image..."
        docker pull tauruseer.azurecr.io/sast-scanner-pipeline:latest
        echo "Running SAST Scan..."
        docker run --rm -v "$(pwd):/source" tauruseer.azurecr.io/sast-scanner-pipeline:latest --scan-key="${bamboo.SLS_SCAN_KEY}" --secrets=true
      description: SLS SCAN