Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -95,15 +95,38 @@ jobs:
- uses: actions/checkout@v4

- name: Run Custom Action for Vulnerability Scan
uses: zerothreatai/github-action@0.0.3
uses: zerothreatai/github-action@0.0.6
with:
ZT_TOKEN: ${{ secrets.ZT_TOKEN }}
WAIT_FOR_ANALYSIS: true
```
::

::hint{ style="background-color:#fff4e6; color:#f97316; border:1px solid #f6d2b0;" icon="triangle-exclamation" iconClass="text-[#f97316]"}
###### Always use the latest version of the **zerothreatai/github-action**. In the example above, replace @0.0.6 with the latest available version.
::

::hint{style="background-color:#f7fcff; border:1px solid #07405a33; color:#1e6995;" icon="circle-info" iconClass="text-sky-600"}
###### Always use the latest version of the zerothreatai/github-action. In the example above, replace @0.0.3 with the latest available version.
###### **For ZeroThreat On-Prem CI/CD Integrations**

`ON_PREM_PROXY_API_URL` is an optional input required only for **ZeroThreat On-Prem** CI/CD integrations. It is empty by default and is not required for ZeroThreat Cloud users.

If you are using ZeroThreat On-Prem, enter the base URL of your deployed On-Prem instance so the GitHub Action can connect to it and scan internal targets.

::u-code
```
ON_PREM_PROXY_API_URL: <your-zerothreat-on-prem-deployed-url>
```
::

Do **not** add `/api` or any other path at the end. The URL should point to your ZeroThreat On-Prem instance, such as the proxy that routes to `localhost:3203`.

::u-code
```
Correct: https://test-proxy.com
Incorrect: https://test-proxy.com/api
```
::
::

#### Understanding `WAIT_FOR_ANALYSIS` Input:
Expand Down Expand Up @@ -166,11 +189,12 @@ This will trigger ZeroThreat scans automatically for pushes or pull requests to

## Troubleshooting

| Issue | Solution |
| --------------------------| ---------------------------------------------------------------------------------------|
| ZT\_TOKEN not recognized | Make sure in the workflow yml file the input is named as `ZT_TOKEN`. |
| Scan doesn’t trigger | Check your `on:` conditions and CI permissions. |
| Authenticated scan fails | Make sure a valid login template is selected in ZeroThreat and credentials are valid. |
| Issue | Solution |
| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ZT\_TOKEN not recognized | Make sure in the workflow yml file the input is named as `ZT_TOKEN`. |
| Scan doesn’t trigger | Check your `on:` conditions and CI permissions. |
| Authenticated scan fails | Make sure a valid login template is selected in ZeroThreat and credentials are valid. |
| On-Prem proxy URL is not reachable | If you are using ON\_PREM\_PROXY\_API\_URL, make sure the deployed On-Prem URL is accessible from GitHub Actions. It should not be restricted to only your internal network, otherwise the workflow will not be able to connect to it. |



Expand Down
74 changes: 70 additions & 4 deletions content/docs/2.manage-targets/6.ci-cd-integration/5.aws-ci-cd.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,19 +69,57 @@ phases:
pre_build:
commands:
- |
set -e

if [ -z "$ZT_TOKEN" ]; then
echo "ZT_TOKEN input is required but not provided."
exit 1
fi

ON_PREM_PROXY_API_URL="${ON_PREM_PROXY_API_URL:-}"

if [ -z "$ON_PREM_PROXY_API_URL" ]; then
API_BASE_URL="https://api.zerothreat.ai"
echo "Using ZeroThreat Cloud API."
else
API_BASE_URL="${ON_PREM_PROXY_API_URL%/}"

case "$API_BASE_URL" in
http://*|https://*) ;;
*)
echo "ON_PREM_PROXY_API_URL must start with http:// or https://"
exit 1
;;
esac

URL_WITHOUT_PROTOCOL="${API_BASE_URL#http://}"
URL_WITHOUT_PROTOCOL="${URL_WITHOUT_PROTOCOL#https://}"

case "$URL_WITHOUT_PROTOCOL" in
*/*|*\?*|*#*)
echo "ON_PREM_PROXY_API_URL must be the base URL only. Do not include /api or any other path."
echo "Example: https://test-proxy.com"
exit 1
;;
esac

echo "Using ZeroThreat On-Prem API: $API_BASE_URL"
fi

export API_BASE_URL

build:
commands:
- echo "Starting security scan..."

- |
response=$(curl -s -X POST https://api.zerothreat.ai/api/scan/devops \
set -e

payload=$(jq -n --arg token "$ZT_TOKEN" '{token: $token}')

response=$(curl -sS -X POST "$API_BASE_URL/api/scan/devops" \
-H "Content-Type: application/json" \
-d '{"token":"'"${ZT_TOKEN}"'"}')
-d "$payload")

status=$(echo "$response" | jq -r '.status')
code=$(echo "$response" | jq -r '.code')
Expand All @@ -101,7 +139,7 @@ phases:
scanStatus=1
while [ "$scanStatus" -lt 4 ]; do
sleep 300
response=$(curl -s -X GET "https://api.zerothreat.ai/api/scan/devops/$code")
response=$(curl -sS -X GET "$API_BASE_URL/api/scan/devops/$code")
scanStatus=$(echo "$response" | jq -r '.scanStatus')

if [ -z "$scanStatus" ] || [ "$scanStatus" = "null" ]; then
Expand All @@ -124,8 +162,35 @@ artifacts:
```
::

::hint{ style="bg-#f5fdf9; border: 1px solid #10b98133; color:#0a8363;" icon="circle-check" iconClass="text-[#0a8363]"}
###### **ZT_TOKEN** is used to start scan on your target. **WAIT_FOR_ANALYSIS** determines whether the build waits for the scan to complete. Both should be passed as environment variables (explained below).
::

::hint{style="background-color:#f7fcff; border:1px solid #07405a33; color:#1e6995;" icon="circle-info" iconClass="text-sky-600"}
###### **ZT_TOKEN** is used to start the scan on your target. **WAIT_FOR_ANALYSIS** determines whether the build waits for the scan to complete. Both should be passed as environment variables (explained below).
###### **For ZeroThreat On-Prem CI/CD Integrations**

`ON_PREM_PROXY_API_URL` is an optional environment variable required only for **ZeroThreat On-Prem** CI/CD integrations. It is empty by default and is not required for ZeroThreat Cloud users.

If you are using ZeroThreat On-Prem, enter the base URL of your deployed On-Prem instance so AWS CodeBuild can connect to it and trigger scans for internal targets.

::u-code
```
ON_PREM_PROXY_API_URL: <your-zerothreat-on-prem-deployed-url>
```
::

Do **not** add `/api` or any other path at the end. The URL should point to your ZeroThreat On-Prem instance, such as the proxy that routes to `localhost:3203`.

::u-code
```
Correct: https://test-proxy.com
Incorrect: https://test-proxy.com/api
```
::

If `ON_PREM_PROXY_API_URL` is left empty, the pipeline will use the default ZeroThreat Cloud API.

If you are using `ON_PREM_PROXY_API_URL`, make sure the deployed On-Prem URL is accessible from AWS CodeBuild and is not restricted to only your internal network.
::

### Step 4: Set Up the AWS Pipeline
Expand Down Expand Up @@ -168,6 +233,7 @@ artifacts:

* `ZT_TOKEN` – _(Paste your token generated in Step 1 in ZeroThreat)_
* `WAIT_FOR_ANALYSIS` – `true` or `false`&#x20;
* `ON_PREM_PROXY_API_URL` – Optional. Required only for ZeroThreat On-Prem CI/CD integrations. For ZeroThreat Cloud, leave it empty.

::fiqure-img{source="/Images/image (285).png"}
::
Expand Down
Loading