diff --git a/content/docs/2.manage-targets/6.ci-cd-integration/1.github-actions.md b/content/docs/2.manage-targets/6.ci-cd-integration/1.github-actions.md index e406f12..df73a8f 100644 --- a/content/docs/2.manage-targets/6.ci-cd-integration/1.github-actions.md +++ b/content/docs/2.manage-targets/6.ci-cd-integration/1.github-actions.md @@ -95,15 +95,38 @@ jobs: - uses: actions/checkout@v4 - name: Run Custom Action for Vulnerability Scan - uses: zerothreatai/github-action@0.0.3 + uses: zerothreatai/github-action@0.0.6 with: ZT_TOKEN: ${{ secrets.ZT_TOKEN }} WAIT_FOR_ANALYSIS: true ``` :: +::hint{ style="background-color:#fff4e6; color:#f97316; border:1px solid #f6d2b0;" icon="triangle-exclamation" iconClass="text-[#f97316]"} +###### Always use the latest version of the **zerothreatai/github-action**. In the example above, replace @0.0.6 with the latest available version. +:: + ::hint{style="background-color:#f7fcff; border:1px solid #07405a33; color:#1e6995;" icon="circle-info" iconClass="text-sky-600"} -###### Always use the latest version of the zerothreatai/github-action. In the example above, replace @0.0.3 with the latest available version. +###### **For ZeroThreat On-Prem CI/CD Integrations** + +`ON_PREM_PROXY_API_URL` is an optional input required only for **ZeroThreat On-Prem** CI/CD integrations. It is empty by default and is not required for ZeroThreat Cloud users. + +If you are using ZeroThreat On-Prem, enter the base URL of your deployed On-Prem instance so the GitHub Action can connect to it and scan internal targets. + +::u-code +``` +ON_PREM_PROXY_API_URL: +``` +:: + +Do **not** add `/api` or any other path at the end. The URL should point to your ZeroThreat On-Prem instance, such as the proxy that routes to `localhost:3203`. + +::u-code +``` +Correct: https://test-proxy.com +Incorrect: https://test-proxy.com/api +``` +:: :: #### Understanding `WAIT_FOR_ANALYSIS` Input: @@ -166,11 +189,12 @@ This will trigger ZeroThreat scans automatically for pushes or pull requests to ## Troubleshooting -| Issue | Solution | -| --------------------------| ---------------------------------------------------------------------------------------| -| ZT\_TOKEN not recognized | Make sure in the workflow yml file the input is named as `ZT_TOKEN`. | -| Scan doesn’t trigger | Check your `on:` conditions and CI permissions. | -| Authenticated scan fails | Make sure a valid login template is selected in ZeroThreat and credentials are valid. | +| Issue | Solution | +| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| ZT\_TOKEN not recognized | Make sure in the workflow yml file the input is named as `ZT_TOKEN`. | +| Scan doesn’t trigger | Check your `on:` conditions and CI permissions. | +| Authenticated scan fails | Make sure a valid login template is selected in ZeroThreat and credentials are valid. | +| On-Prem proxy URL is not reachable | If you are using ON\_PREM\_PROXY\_API\_URL, make sure the deployed On-Prem URL is accessible from GitHub Actions. It should not be restricted to only your internal network, otherwise the workflow will not be able to connect to it. | diff --git a/content/docs/2.manage-targets/6.ci-cd-integration/5.aws-ci-cd.md b/content/docs/2.manage-targets/6.ci-cd-integration/5.aws-ci-cd.md index 55525df..ea172c1 100644 --- a/content/docs/2.manage-targets/6.ci-cd-integration/5.aws-ci-cd.md +++ b/content/docs/2.manage-targets/6.ci-cd-integration/5.aws-ci-cd.md @@ -69,19 +69,57 @@ phases: pre_build: commands: - | + set -e + if [ -z "$ZT_TOKEN" ]; then echo "ZT_TOKEN input is required but not provided." exit 1 fi + ON_PREM_PROXY_API_URL="${ON_PREM_PROXY_API_URL:-}" + + if [ -z "$ON_PREM_PROXY_API_URL" ]; then + API_BASE_URL="https://api.zerothreat.ai" + echo "Using ZeroThreat Cloud API." + else + API_BASE_URL="${ON_PREM_PROXY_API_URL%/}" + + case "$API_BASE_URL" in + http://*|https://*) ;; + *) + echo "ON_PREM_PROXY_API_URL must start with http:// or https://" + exit 1 + ;; + esac + + URL_WITHOUT_PROTOCOL="${API_BASE_URL#http://}" + URL_WITHOUT_PROTOCOL="${URL_WITHOUT_PROTOCOL#https://}" + + case "$URL_WITHOUT_PROTOCOL" in + */*|*\?*|*#*) + echo "ON_PREM_PROXY_API_URL must be the base URL only. Do not include /api or any other path." + echo "Example: https://test-proxy.com" + exit 1 + ;; + esac + + echo "Using ZeroThreat On-Prem API: $API_BASE_URL" + fi + + export API_BASE_URL + build: commands: - echo "Starting security scan..." - | - response=$(curl -s -X POST https://api.zerothreat.ai/api/scan/devops \ + set -e + + payload=$(jq -n --arg token "$ZT_TOKEN" '{token: $token}') + + response=$(curl -sS -X POST "$API_BASE_URL/api/scan/devops" \ -H "Content-Type: application/json" \ - -d '{"token":"'"${ZT_TOKEN}"'"}') + -d "$payload") status=$(echo "$response" | jq -r '.status') code=$(echo "$response" | jq -r '.code') @@ -101,7 +139,7 @@ phases: scanStatus=1 while [ "$scanStatus" -lt 4 ]; do sleep 300 - response=$(curl -s -X GET "https://api.zerothreat.ai/api/scan/devops/$code") + response=$(curl -sS -X GET "$API_BASE_URL/api/scan/devops/$code") scanStatus=$(echo "$response" | jq -r '.scanStatus') if [ -z "$scanStatus" ] || [ "$scanStatus" = "null" ]; then @@ -124,8 +162,35 @@ artifacts: ``` :: +::hint{ style="bg-#f5fdf9; border: 1px solid #10b98133; color:#0a8363;" icon="circle-check" iconClass="text-[#0a8363]"} +###### **ZT_TOKEN** is used to start scan on your target. **WAIT_FOR_ANALYSIS** determines whether the build waits for the scan to complete. Both should be passed as environment variables (explained below). +:: + ::hint{style="background-color:#f7fcff; border:1px solid #07405a33; color:#1e6995;" icon="circle-info" iconClass="text-sky-600"} -###### **ZT_TOKEN** is used to start the scan on your target. **WAIT_FOR_ANALYSIS** determines whether the build waits for the scan to complete. Both should be passed as environment variables (explained below). +###### **For ZeroThreat On-Prem CI/CD Integrations** + +`ON_PREM_PROXY_API_URL` is an optional environment variable required only for **ZeroThreat On-Prem** CI/CD integrations. It is empty by default and is not required for ZeroThreat Cloud users. + +If you are using ZeroThreat On-Prem, enter the base URL of your deployed On-Prem instance so AWS CodeBuild can connect to it and trigger scans for internal targets. + +::u-code +``` +ON_PREM_PROXY_API_URL: +``` +:: + +Do **not** add `/api` or any other path at the end. The URL should point to your ZeroThreat On-Prem instance, such as the proxy that routes to `localhost:3203`. + +::u-code +``` +Correct: https://test-proxy.com +Incorrect: https://test-proxy.com/api +``` +:: + +If `ON_PREM_PROXY_API_URL` is left empty, the pipeline will use the default ZeroThreat Cloud API. + +If you are using `ON_PREM_PROXY_API_URL`, make sure the deployed On-Prem URL is accessible from AWS CodeBuild and is not restricted to only your internal network. :: ### Step 4: Set Up the AWS Pipeline @@ -168,6 +233,7 @@ artifacts: * `ZT_TOKEN` – _(Paste your token generated in Step 1 in ZeroThreat)_ * `WAIT_FOR_ANALYSIS` – `true` or `false` +* `ON_PREM_PROXY_API_URL` – Optional. Required only for ZeroThreat On-Prem CI/CD integrations. For ZeroThreat Cloud, leave it empty. ::fiqure-img{source="/Images/image (285).png"} ::