AWS CI/CD

ZeroThreat integrates with AWS CodePipeline to help you run automated security scans during your CI/CD process. This allows you to detect vulnerabilities early and ensure that security checks are part of your build pipeline before deployment.

This guide walks you through the steps to connect your AWS pipeline with ZeroThreat using a buildspec.yml file.

Prerequisites

Before you begin:

Make sure your target is verified in ZeroThreat.
You have access to an active AWS account.
You’re familiar with the basics of AWS CodePipeline and CodeBuild.
You’re on the Professional Plan in ZeroThreat or any plan that includes CI/CD features (Your target must be associated with the plan to enable CI/CD integrations).

Step 1: Enable AWS Integration in ZeroThreat

Go to the Targets section in your ZeroThreat dashboard.
Click on the “Continuous Integration” button next to your desired target.

In the CI/CD settings drawer, enable AWS CI/CD Integration and confirm your selection.

Once confirmed, a unique ZT_TOKEN will be generated for this target. This token is used to trigger and authorize scans from your AWS pipeline.

Step 2: Choose Scan Settings

Select or create a Scan Profile suitable for your environment.

If you're scanning authenticated sections of your app, select the appropriate Login Template for authenticated scans.

Step 3: Add `buildspec.yml` to Your Project

In your project repository (connected to CodePipeline), add a file named buildspec.yml at the root. This file contains the scan logic that will be executed by AWS CodeBuild.

Use the below buildspec.yml:

Copy

version: 0.2

phases:
  install:
    runtime-versions:
      python: 3.11
    commands:
      - apt-get update && apt-get install -y curl jq

  pre_build:
    commands:
      - |
        if [ -z "$ZT_TOKEN" ]; then
          echo "ZT_TOKEN input is required but not provided."
          exit 1
        fi

  build:
    commands:
      - echo "Starting security scan..."

      - |
        response=$(curl -s -X POST https://api.zerothreat.ai/api/scan/devops \
          -H "Content-Type: application/json" \
          -d '{"token":"'"${ZT_TOKEN}"'"}')

        status=$(echo "$response" | jq -r '.status')
        code=$(echo "$response" | jq -r '.code')
        message=$(echo "$response" | jq -r '.message')
        url=$(echo "$response" | jq -r '.url')

        if [ "$status" = "200" ]; then
          echo "Scan started successfully."
          echo "Scan Report URL: $url"
        else
          echo "Failed to initiate scan"
          echo "Reason: $message"
          exit 1
        fi

        if [ "$WAIT_FOR_ANALYSIS" = "true" ]; then
          scanStatus=1
          while [ "$scanStatus" -lt 4 ]; do
            sleep 300
            response=$(curl -s -X GET "https://api.zerothreat.ai/api/scan/devops/$code")
            scanStatus=$(echo "$response" | jq -r '.scanStatus')

            if [ -z "$scanStatus" ] || [ "$scanStatus" = "null" ]; then
              echo "Scan polling failed: invalid status response."
              exit 1
            fi

            if [ "$scanStatus" -ge 4 ]; then
              echo "Scan completed successfully."
              break
            else
              echo "Scan still in progress..."
            fi
          done
        fi

artifacts:
  files:
    - "**/*"

ZT_TOKEN is used to start scan on your target. WAIT_FOR_ANALYSIS determines whether the build waits for the scan to complete. Both should be passed as environment variables (explained below).

Step 4: Set Up the AWS Pipeline

Go to AWS CodePipeline and click “Create Pipeline.”

Use Custom Pipeline, give it a name, and configure general settings as needed.

Choose and configure general pipelines settings according to your requirement.

Under Source Provider, select your code source (In our example we will use GitHub).

In the Build Stage and Create a new project.

Now inside Create build project configure project settings as you like.

Under Buildspec, choose “Use a buildspec file” and set the file name to buildspec.yml.

Go to the Environment Variables section and add:.

ZT_TOKEN – (Paste your token generated in Step 1 in ZeroThreat)
WAIT_FOR_ANALYSIS – true or false

Optionally continue configuring Test and Deploy stages as needed for your project.
Click “Create Pipeline” to finish setup.
Once your pipeline is set up, every time it is triggered, a new scan will automatically start in ZeroThreat.

Your AWS pipeline is now integrated with ZeroThreat. Every time your pipeline runs, it will trigger a security scan using the API Collection and target settings you've configured.

You can monitor scan status and view results in the Scans section of ZeroThreat.