McAfee MVISION Cloud

Integrate Shift Left Inline APIs with Bitbucket and AWS CI/CD Services

Shift Left Inline Integration

MVISION Cloud provides a security solution to evaluate the DevOps templates in both offline and inline mode. Using inline mode, you can integrate the repository and CI/CD tools with Shift Left inline APIs, and MVISION Cloud evaluates the security vulnerabilities present in the DevOps template file.

MVISION Cloud supports evaluating DevOps templates for AWS and Azure, including Terraform templates. You can also integrate Shift Left with Bitbucket's CI/CD tool, Bitbucket Pipelines.

Atlassian Native CI/CD Tools Integration

Prerequisite

Before integration, make sure you have met the following prerequisite:

Configure Bitbucket Pipelines

Perform the following steps to set up Bitbucket pipelines integration with Shift Left inline APIs.

  1. Create a file named bitbucket-pipelines.yml in the repo's root directory and add the following content.

To evaluate only the files changed in the commit that triggered the build, use the configuration below.

# This is a sample build configuration for Docker.
# Check our guides at https://confluence.atlassian.com/x/O1toN for more examples.
# Only use spaces to indent your .yml configuration.
# -----
# You can specify a custom docker image from Docker Hub as your build environment.
image: atlassian/default-image:2

pipelines:
  default:
    - step:
        name: "Shift Left Integration with Bitbucket"
        script:
            # List the files touched by the commit that triggered this build.
            - git log HEAD -1 --name-only --pretty="format:" > changes.txt
            # Keep only DevOps template files (JSON, Terraform, YAML). The pattern is
            # anchored on the extension so names such as "notes.json.bak" are not picked
            # up; "|| true" keeps the step green when nothing matches (egrep exits 1).
            - cat changes.txt | { egrep -i '\.(json|tf|yml|yaml)$' || true; } > changes_latest.txt
            # Call the Shift Left pipe only when at least one template file changed.
            - if test "$( wc -l < changes_latest.txt )" -gt 0; then
            # Build the comma-separated FILES list the pipe expects.
            - data=$(cat changes_latest.txt | while read line; do echo $line; done)
            - data=$(echo $data | tr ' ' ',')
            - pipe: mcafeemvision/shift-left-atlassian-pipe:1.1.0
              variables:
                  MVISION_USERNAME: $MVISION_USERNAME
                  MVISION_PASSWORD: $MVISION_PASSWORD
                  MVISION_ENVIRONMENT: $MVISION_ENVIRONMENT
                  CLOUD_SERVICE_PROVIDER: $CLOUD_SERVICE_PROVIDER
                  FILES: $data
                  WORKSPACE: $BITBUCKET_WORKSPACE
                  SLUG: $BITBUCKET_REPO_SLUG
                  COMMIT_ID: $BITBUCKET_COMMIT
            - fi

To evaluate all the template files in the repository every time a build is triggered, use the configuration below.

# This is a sample build configuration for Docker.
# Check our guides at https://confluence.atlassian.com/x/O1toN for more examples.
# Only use spaces to indent your .yml configuration.
# -----
# You can specify a custom docker image from Docker Hub as your build environment.
image: atlassian/default-image:2

pipelines:
  default:
    - step:
        name: "Shift Left Integration with Bitbucket"
        script:
            # Collect every JSON, Terraform and YAML file in the checkout. Note the space
            # before the closing \) of the find expression; without it find reports a
            # missing ")" and the step fails.
            - find ./ -type f \( -iname \*.yaml -o -iname \*.yml -o -iname \*.tf -o -iname \*.json \) > changes.txt
            # Call the Shift Left pipe only when at least one template file was found.
            - if test "$( wc -l < changes.txt )" -gt 0; then
            # Build the comma-separated FILES list the pipe expects.
            - data=$(cat changes.txt | while read line; do echo $line; done)
            - data=$(echo $data | tr ' ' ',')
            - pipe: mcafeemvision/shift-left-atlassian-pipe:1.1.0
              variables:
                  MVISION_USERNAME: $MVISION_USERNAME
                  MVISION_PASSWORD: $MVISION_PASSWORD
                  MVISION_ENVIRONMENT: $MVISION_ENVIRONMENT
                  CLOUD_SERVICE_PROVIDER: $CLOUD_SERVICE_PROVIDER
                  FILES: $data
                  WORKSPACE: $BITBUCKET_WORKSPACE
                  SLUG: $BITBUCKET_REPO_SLUG
                  COMMIT_ID: $BITBUCKET_COMMIT
            - fi
  2. Commit and push the bitbucket-pipelines.yml file.
  3. Go to Settings > Repository variables. The Repository variables page opens.
  4. Add the following variables and values on the Repository variables page:
    • Name CLOUD_SERVICE_PROVIDER with value aws (to evaluate AWS DevOps templates) or azure (to evaluate Azure Resource Manager templates).
    • Name MVISION_USERNAME with the MVISION Cloud username as the value; select the Secured checkbox.
    • Name MVISION_PASSWORD with the MVISION Cloud password as the value; select the Secured checkbox.
    • Name MVISION_ENVIRONMENT with the MVISION Cloud environment URL (https://www.myshn.net) as the value.
  5. Enable Pipelines.

The Bitbucket pipeline integration with MVISION Cloud Shift Left inline API is complete.

Any push to the Bitbucket repo will trigger a build in pipelines, which calls the Shift Left inline APIs to check for vulnerabilities present in the DevOps template committed in Bitbucket.

Shift Left Inline Integration with AWS CodeCommit and CodeBuild

Perform the following steps to integrate the AWS CI/CD tools with the Shift Left inline APIs:

  1. Go to the AWS CloudFormation page and select Create stack > With new resources (standard).

NOTE: You can skip steps 1 to 6 if you already have an AWS setup.

  2. Upload the shift-left-aws-mvision.yaml CloudFormation template and click Next.
  3. Enter the stack name and click Next.
    The Configure stack options page opens.
  4. Click Next.
  5. On the Review page, select the checkbox I acknowledge that AWS CloudFormation might create IAM resources with custom names and click Create stack.
  6. Make sure the stack creation completes with status CREATE_COMPLETE.
  7. Navigate to CodeBuild and select build-shift-left-integration. Click Edit and select Environment. On the Edit environment page, select Additional configuration and add the required environment variables.
  8. Download the buildspec.yml.
  9. Go to the AWS CodeCommit page and select the repo shift-left-repo. Under the repo, select Add file > Upload file and upload the buildspec.yml file downloaded in the previous step. Provide Author name and Email address, and click Commit changes.
  10. Once the file is committed, go to AWS Systems Manager and select Parameter Store from the left menu.
  11. Click Create parameter. The Parameter details page opens.
  12. Populate the following values, making sure the parameters are created in the same region as the repository and the CodeBuild project:
    • Name /codebuild/mvision_username with the MVISION Cloud username as the value; click Create parameter.
    • Name /codebuild/mvision_password with the MVISION Cloud password as the value; click Create parameter.
  13. Navigate to the AWS Lambda page and select the Lambda function invoke-code-build-<<account_id>>.
    The Lambda function page opens.
  14. Go to the Configuration tab and click Add trigger.
  15. Add the following trigger configuration:
    • Select CodeCommit as the trigger.
    • Select shift-left-repo as the Repository name.
    • Provide a name for the trigger in the Trigger name textbox.
    • Select Push to existing branch as the Event.
    • Select master as the Branch name and click Add.
  16. The CodeCommit trigger is added to the Lambda function.

The CodeCommit and CodeBuild integration with MVISION Cloud Shift Left inline API is complete.

Any push to the CodeCommit repo will trigger a build in CodeBuild, which calls the Shift Left inline APIs to check for vulnerabilities present in the DevOps template committed in CodeCommit.
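The push-to-build hand-off described above is performed by the Lambda function the CloudFormation stack creates. The following Python handler is an added illustration, not the function shipped in shift-left-aws-mvision.yaml: it parses a CodeCommit trigger event, ignores branch deletions and branches other than master, and starts the build-shift-left-integration project pinned to the pushed commit so the build evaluates exactly what was committed. The project and branch names are taken from the steps above; the event contents, account id and commit ids are constructed for the example, and the `client` parameter and REPO_NAME variable are assumptions.

```python
# Added illustration, not the Lambda shipped in the shift-left-aws-mvision.yaml
# stack: a minimal handler that turns a CodeCommit "push to existing branch"
# trigger event into a CodeBuild start_build call, forwarding the commit id.
import os

# Project and branch names are assumptions taken from the integration steps.
PROJECT_NAME = os.environ.get("CODEBUILD_PROJECT", "build-shift-left-integration")
WATCHED_BRANCH = os.environ.get("WATCHED_BRANCH", "master")

# Constructed sample event in the shape CodeCommit delivers to a Lambda trigger:
# one push updating master, one updating a feature branch, one branch deletion.
# The account id and commit ids are made up.
SAMPLE_EVENT = {
    "Records": [
        {
            "eventSourceARN": "arn:aws:codecommit:us-east-1:111122223333:shift-left-repo",
            "codecommit": {"references": [
                {"commit": "0123456789abcdef0123456789abcdef01234567", "ref": "refs/heads/master"},
                {"commit": "fedcba9876543210fedcba9876543210fedcba98", "ref": "refs/heads/feature-x"},
                {"commit": "0000000000000000000000000000000000000000", "ref": "refs/heads/old", "deleted": True},
            ]},
        }
    ]
}


def parse_codecommit_event(event):
    """Yield (repo_name, branch, commit_id) for each branch update in the event.

    The repository name is the resource part of eventSourceARN; each entry in
    codecommit.references carries the new head commit and the full ref name.
    Deleted refs have nothing to evaluate and are skipped.
    """
    for record in event.get("Records", []):
        repo = record.get("eventSourceARN", "").rsplit(":", 1)[-1]
        for ref in record.get("codecommit", {}).get("references", []):
            if ref.get("deleted"):
                continue
            name = ref.get("ref", "")
            branch = name[len("refs/heads/"):] if name.startswith("refs/heads/") else name
            yield repo, branch, ref.get("commit", "")


def build_requests(event, project=PROJECT_NAME, branch_filter=WATCHED_BRANCH):
    """Translate a push event into start_build keyword arguments.

    Only the watched branch starts a build. sourceVersion pins CodeBuild to the
    pushed commit, so the build evaluates what was committed rather than whatever
    the branch head is by the time the build runs; COMMIT_ID is also exported to
    the build environment so the buildspec can forward it to Shift Left.
    """
    requests = []
    for repo, branch, commit in parse_codecommit_event(event):
        if branch != branch_filter or not commit:
            continue
        requests.append({
            "projectName": project,
            "sourceVersion": commit,
            "environmentVariablesOverride": [
                {"name": "COMMIT_ID", "value": commit, "type": "PLAINTEXT"},
                {"name": "REPO_NAME", "value": repo, "type": "PLAINTEXT"},
            ],
        })
    return requests


def lambda_handler(event, context, client=None):
    """Lambda entry point. `client` is injectable so the logic can run without
    AWS credentials; in Lambda it defaults to boto3's CodeBuild client."""
    if client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        client = boto3.client("codebuild")
    started = []
    for kwargs in build_requests(event):
        response = client.start_build(**kwargs)
        started.append(response.get("build", {}).get("id"))
    return started


if __name__ == "__main__":
    # Dry run against the constructed event: print the start_build arguments.
    for req in build_requests(SAMPLE_EVENT):
        print(req)
```

The Lambda's execution role needs only codebuild:StartBuild on the one project; with the trigger restricted to master and the handler dropping other refs, a push to any other branch produces no build and no call to the Shift Left APIs.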
