It’s easy to combine VAddy with CircleCI to set up an environment for continuous security tests. Just run git push to start a CircleCI job, deploy your code to your test server, and then test for web security vulnerabilities with VAddy.
In this article, we will explain the following procedure:
- git push
- Run unit tests
- Deploy code to staging
- Run VAddy tests
- Deploy code to production
If the unit tests fail, the following steps in the process are skipped. Likewise, if VAddy’s tests fail, code will not be deployed to production. By regularly running unit tests and scanning your web application for vulnerabilities, you can prevent buggy code from being deployed to production.
Because VAddy sends HTTP requests over the Internet when it scans for vulnerabilities, your test server must allow external connections. (If you have already set up a staging server, you should be able to use that.)
Unfortunately, CircleCI instances do not allow external access and thus do not constitute a complete testing setup—yet. This would be very convenient and will consequently be supported in the future.
Register the server that you would like VAddy to test. You will be issued a Web API key once VAddy is ready to scan your server. For more details on issuing web API keys, see the VAddy Quickstart Guide.
From CircleCI’s Project Settings screen, register VAddy’s API keys and other environment variables.
Specifically, register the following three environment variables.
- VADDY_TOKEN: Your web API key.
- VADDY_HOST: The fully qualified domain name (FQDN) of the server that you have registered with VAddy for testing.
- VADDY_USER: Your VAddy login ID.
Prepare a circle.yml file for your project. We have provided a Gist with a sample YAML file.
test: override: - ./test.sh deployment: staging: branch: master commands: - ./deploy.sh - git clone email@example.com:vaddy/vaddy-api-ruby.git && rvm use 2.1.0 && cd ./vaddy-api-ruby/ && ruby vaddy.rb - ./deploy2.sh
In the sample file above, the test section runs the unit tests. The deployment section—through the staging subsection—first deploys code to staging with deploy.sh, then sets up VAddy’s (Ruby) client tool with git clone, and finally starts testing. If none of the tests fail, deploy2.sh will be run.
Define test.sh, deploy.sh, and deploy2.sh as appropriate for your project.
Because VAddy’s client tool targets Ruby 2.0 and above,
rvm is used to switch the Ruby environment.
Run git push. If none of VAddy’s tests fail, processing will continue and deploy2.sh will be run.
If VAddy finds even a single vulnerability, processing will stop and
deploy2.sh will not be run.
As we have shown in this article, it’s easy to integrate with VAddy using its (Ruby) client. Though we already released a VAddy Jenkins plugin, we also implemented a Ruby tool that uses the VAddy API to support CircleCI and other recent continuous integration service providers.
We have released VAddy’s client tool under an open-source license, so you should be able to use it with services other than CircleCI.
We have also published our Web API specifications, allowing you to build your own client tools for your projects.
VAddy is a service that works together with your CI tools to implement continuous security tests. We invite you to take it for a spin; our free plan doesn’t even limit the number of tests you can run!