Docker

Cohesion can be integrated directly into your Docker build scripts and Docker orchestration deployments.

Docker Compose

Docker Compose is a convenient orchestration layer that works both locally and as part of a CI pipeline. The web security tests run from a separate container where Cohesion is installed, and they are executed against a throwaway instance of the application over the Compose network rather than against a production host.

Let's get started by defining a Docker Compose YAML file for testing. In this example the file is called "docker-compose.cohesion.yml" and it looks like this:

cohesion:
  build: .
  dockerfile: Dockerfile.cohesion
  links:
    - web
web:
  build: .
  dockerfile: Dockerfile
  links:
    - redis
redis:
  image: redis

The main "Dockerfile" builds our core application/service. The file "Dockerfile.cohesion" defines the security testing container, which could look like the following code listing:

FROM secapps/cohesion:latest

# Exec-form CMD: no shell is involved, so the arguments must not carry extra quoting
CMD ["cohesion", "scanner", "--exit=>=7", "--exit-code=101", "--wait=web", "-vvv", "web"]

Notice that we are using both the "--exit" and "--wait" command line options: "--exit" configures Cohesion to stop and exit as soon as a vulnerability with a severity of 7 or higher is detected, and "--wait" makes it wait for the "web" service to start before the tests begin. "--exit-code" sets the status code returned in that case; keep it between 1 and 255, because process exit statuses are 8-bit and a larger value is truncated (666, for example, would be reported as 154). The "-vvv" flag provides the most verbose output for debugging purposes. Because the CMD is written in exec form, the arguments reach Cohesion exactly as listed without a shell, so shell-style quoting such as '>=7' would be passed through literally as part of the argument.

Now, let's build the solution:

$ docker-compose -f ./docker-compose.cohesion.yml -p ci build

...and start a fresh testing environment with the following command:

$ docker-compose -f ./docker-compose.cohesion.yml -p ci up -d

To see how our testing phase is doing we need to inspect the logs of the Cohesion container (Compose names containers "<project>_<service>_<index>", hence "ci_cohesion_1"):

$ docker logs -f ci_cohesion_1

To check that all security tests have passed, wait for the container to finish and inspect its exit code. A status of 0 means no finding reached the "--exit" threshold; the value configured with "--exit-code" means one did and the pipeline should fail:

$ docker wait ci_cohesion_1
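The build, start, wait and tear-down steps above combined into a single CI gate script. This is an added example and not part of the Cohesion project; it assumes the compose file, the project name "ci" and the "cohesion" service shown on this page, and the "--exit-code" value is whatever you configured in "Dockerfile.cohesion". The Docker calls are guarded behind the RUN_COHESION_GATE variable so the helper functions can be sourced and checked without a Docker daemon.

```shell
#!/bin/sh
# Added example (not the Cohesion project's own code): a CI gate around the
# Compose workflow. Assumes ./docker-compose.cohesion.yml, project "ci" and a
# service named "cohesion", as shown on this page.
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-./docker-compose.cohesion.yml}"
PROJECT="${PROJECT:-ci}"
SERVICE="${SERVICE:-cohesion}"

# Compose (v1 file format) names containers <project>_<service>_<index>.
container_name() {
    printf '%s_%s_%s\n' "$1" "$2" "${3:-1}"
}

# Exit statuses are 8-bit: this is what "docker wait" will actually report
# for a requested --exit-code value.
truncated_exit_code() {
    echo $(( $1 % 256 ))
}

# Map the scanner's exit status to a verdict the pipeline can act on.
verdict() {
    case "$1" in
        0) echo "pass" ;;
        *) echo "fail" ;;
    esac
}

run_security_gate() {
    name=$(container_name "$PROJECT" "$SERVICE")
    docker-compose -f "$COMPOSE_FILE" -p "$PROJECT" build
    docker-compose -f "$COMPOSE_FILE" -p "$PROJECT" up -d
    # Stream the scanner output into the CI log while it runs; "docker wait"
    # blocks until the container stops and prints its exit status.
    docker logs -f "$name" &
    status=$(docker wait "$name")
    wait
    # Always tear the throwaway environment down, even when the scan failed.
    docker-compose -f "$COMPOSE_FILE" -p "$PROJECT" down -v
    echo "cohesion exit status: $status ($(verdict "$status"))"
    return "$status"
}

# Guarded so the helpers can be sourced without touching Docker.
if [ "${RUN_COHESION_GATE:-0}" = "1" ]; then
    run_security_gate
fi
```

Run it with RUN_COHESION_GATE=1 from the pipeline; because of "set -e" the non-zero return from run_security_gate becomes the script's exit status, which is what fails the CI job.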

Docker Build

While this approach is unusual, it is possible to run Cohesion as a build step in your Dockerfile builds. You must use the "--exit" option for this to be effective: it makes the scanner return a non-zero status when serious vulnerabilities are encountered, which fails the build. The application must also be running while the dynamic assessment runs, and because every RUN instruction gets a fresh shell (processes started in one RUN do not survive into the next), the service has to be started in the same RUN instruction as the scan. Keep in mind that Docker caches RUN layers, so a scan step whose inputs have not changed is skipped on the next build; build with "--no-cache" in CI if every build should be rescanned. This step is optional if Cohesion is integrated directly as a library.

Consider the following Dockerfile as an example:

FROM baseimage

# Install Node (builds run as root, so no sudo is needed)

RUN apt-get update && apt-get install --yes curl
RUN curl --silent --location https://deb.nodesource.com/setup_9.x | bash -
RUN apt-get install --yes nodejs build-essential

# Install Cohesion

RUN npm install @secapps/cohesion@latest -g

# Standup application and run Cohesion in the same RUN instruction:
# a process started in one RUN does not survive into the next, so the
# scan must run in the shell that started the service. The loop waits
# (up to 30 seconds) for the service to answer before scanning, and a
# non-zero exit from "--exit" fails the build.

RUN ./run.sh & \
    for i in $(seq 1 30); do curl --silent --fail http://localhost:8080 > /dev/null && break; sleep 1; done && \
    cohesion scanner --exit=">=7" http://localhost:8080

# Cleanup (remove the scanner and build tools here if they should not ship in the final image)

# Setup entrypoint

ENTRYPOINT ["./run.sh"]