It’s easy to combine VAddy with Codeship to set up an environment for continuous security tests. Just run git push to start a Codeship job, deploy your code to your test server, and then test for web security vulnerabilities with VAddy.
In this article, we will explain the following procedure:
- git push
- Run unit tests
- Deploy code to staging
- Run VAddy tests
- Deploy code to production
If the unit tests fail, the following steps in the process are skipped. Likewise, if VAddy’s tests fail, code will not be deployed to production. By regularly running unit tests and scanning your web application for vulnerabilities, you can prevent buggy code from being deployed to production.
Because VAddy sends HTTP requests over the Internet when it scans for vulnerabilities, your test server must allow external connections. (If you have already set up a staging server, you should be able to use that.)
Unfortunately, Codeship instances do not allow external access and thus do not constitute a complete testing setup—yet. This would be very convenient and will consequently be supported in the future.
Register the server that you would like VAddy to test. You will be issued a Web API key once VAddy is ready to scan your server.
Register VAddy’s API keys and other environment variables from the Environment section of Codeship’s Project Settings screen.
Specifically, register the following three environment variables.
- VADDY_TOKEN: Your web API key.
- VADDY_HOST: The fully qualified domain name (FQDN) of the server that you have registered with VAddy for testing.
- VADDY_USER: Your VAddy login ID.
Add a new test pipeline with the following commands from the Test section of Codeship’s Project Settings screen.
./unit-test.sh ./deploy-staging.sh git clone https://github.com/vaddy/go-vaddy.git
cd ./go-vaddy/bin/ && ./vaddy-linux-64bit ./deploy-production.sh
The test pipeline above runs unit tests with unit-test.sh, deploys code to staging with deploy-staging.sh, sets up VAddy’s Ruby client tool with git clone, runs a VAddy scan with vaddy.rb, and finally—if all of the tests pass—deploys code to production with deploy-production.sh.
Define unit-test.sh, deploy-staging.sh, and deploy-production.sh as appropriate for your project. Though the test pipeline above deploys code to production with its own shell script (deploy-production.sh), you may find Codeship’s deployment pipelines more convenient to use.
Run git push. If none of VAddy’s tests fail, processing will continue and deploy-production.sh will be run.
If VAddy finds even a single vulnerability, processing will stop and deploy-production.sh will not be run.
Simple Chat Integrations
The Notification section of Codeship’s Project Settings screen shows a list of integrations with other services. Both Hipchat and Slack have very helpful integrations; we’re going to briefly explain how to use Hipchat’s here.
Enable the Hipchat integration with your Hipchat notification token and room name, then push code to your repository. If VAddy discovers a vulnerability while scanning your application, the Codeship tests will fail and your HipChat room will receive a notification with the error. Once you’ve resolved the problem and re-run the tests, your Hipchat room will receive a notification indicating that the tests passed successfully.
We have also published our Web API specifications, allowing you to build your own client tools for your projects.