It’s finally here: the integration between Travis CI and Kiuwan. In this post I’ll give you all the details you need to try it yourself.
Be sure to make a Kiuwan account. Then store your Kiuwan credentials as encrypted environment variables for the repository, using either the Travis web UI or the Travis CLI. If you go the CLI route, run these two commands (the `--add env.global` flag writes the resulting `secure:` entries straight into your .travis.yml; without it the command just prints them for you to paste):

```shell
travis encrypt kiuwan_user="<your Kiuwan user>" --add env.global
travis encrypt kiuwan_password="<your Kiuwan password>" --add env.global
```
If you go via the Travis web UI instead, add the variables under the repository settings with exactly these names, because the script below reads them as `$kiuwan_user` and `$kiuwan_password`:

- `kiuwan_user`
- `kiuwan_password`

Leave “Display value in build log” off for both so the values stay masked in the log.
In the .travis.yml I told Travis to fetch the Kiuwan Local Analyzer, then went through the Local Analyzer’s documentation to put together a command that checks the project. This particular project is written in TypeScript. Below is the .travis.yml I created (the `java` language is there because the Local Analyzer is a Java application and needs a JRE on the build image):

```yaml
language: java
install: skip
script:
  - echo $TRAVIS_BUILD_DIR
  - export APPNAME=$(basename $TRAVIS_BUILD_DIR)
  - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
  - echo "Fetching Kiuwan Local Analyzer"
  - wget -v https://www.kiuwan.com/pub/analyzer/KiuwanLocalAnalyzer.zip
  - unzip KiuwanLocalAnalyzer.zip -d $HOME/.
  - $HOME/KiuwanLocalAnalyzer/bin/agent.sh --user $kiuwan_user --pass $kiuwan_password -s $TRAVIS_BUILD_DIR -n $APPNAME -l $TRAVIS_BUILD_ID -c
```
The agent then uploads the analysis to Kiuwan, where I can dig into the results for the project. For this project in particular I deliberately introduced a few vulnerabilities so Kiuwan would have something to catch. The `kiuwan_user` and `kiuwan_password` values are the credentials of the account I registered through the Jelly service. Note that `BRANCH` is computed but never passed to `agent.sh`; the analysis is labelled with the Travis build id instead. Two things to keep in mind with this script: the analyzer zip is downloaded over HTTPS but not otherwise verified before it is unzipped and executed, and Travis does not expose encrypted variables to pull requests coming from forks, so on those builds the credentials are empty and the scan step fails.
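As an added example (not code from the original post or from Kiuwan), here is a wrapper for the same scan step that fails closed on the two points above: it skips the scan when the credentials are absent, verifies the analyzer zip against a pinned SHA-256 before unzipping it, and only then invokes `agent.sh` with the same flags as the .travis.yml. It assumes the post’s `kiuwan_user` / `kiuwan_password` variables plus an assumed `KIUWAN_LA_SHA256` variable holding the digest you recorded once after checking the download by hand (the all-zero value is a placeholder, not a real digest).

```shell
#!/bin/sh
# Added example, not part of the original post or of Kiuwan's tooling.
# Run it from a Travis script step as: sh kiuwan-scan.sh run
set -eu

KIUWAN_LA_URL="https://www.kiuwan.com/pub/analyzer/KiuwanLocalAnalyzer.zip"
# Assumption: KIUWAN_LA_SHA256 is set in the Travis environment to the digest
# you verified by hand; the all-zero default below is only a placeholder.
KIUWAN_LA_SHA256="${KIUWAN_LA_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"

# Same branch selection as the post's .travis.yml: Travis sets
# TRAVIS_PULL_REQUEST_BRANCH only for pull-request builds.
kiuwan_branch() {
  if [ "${TRAVIS_PULL_REQUEST:-false}" = "false" ]; then
    printf '%s\n' "${TRAVIS_BRANCH:-}"
  else
    printf '%s\n' "${TRAVIS_PULL_REQUEST_BRANCH:-}"
  fi
}

# The post names the Kiuwan application after the checkout directory.
kiuwan_app_name() {
  basename "$1"
}

# Travis withholds encrypted variables from pull requests opened from forks,
# so both credentials arrive empty there; detect that instead of invoking
# agent.sh with an empty password.
kiuwan_secrets_available() {
  [ -n "${kiuwan_user:-}" ] && [ -n "${kiuwan_password:-}" ]
}

# Compare a file's SHA-256 with a pinned value. Non-zero on mismatch, so a
# tampered or silently replaced analyzer is never unzipped and executed.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# The full step as it would run in Travis, guarded behind an explicit "run"
# argument so that sourcing or testing this file never touches the network.
run_kiuwan_scan() {
  if ! kiuwan_secrets_available; then
    echo "Kiuwan credentials not available (fork pull request?); skipping scan" >&2
    return 0
  fi
  wget -q -O KiuwanLocalAnalyzer.zip "$KIUWAN_LA_URL"
  if ! verify_sha256 KiuwanLocalAnalyzer.zip "$KIUWAN_LA_SHA256"; then
    echo "KiuwanLocalAnalyzer.zip does not match the pinned SHA-256; refusing to run it" >&2
    return 1
  fi
  unzip -q -o KiuwanLocalAnalyzer.zip -d "$HOME"
  echo "Scanning branch $(kiuwan_branch) of $(kiuwan_app_name "$TRAVIS_BUILD_DIR")"
  "$HOME/KiuwanLocalAnalyzer/bin/agent.sh" \
    --user "$kiuwan_user" --pass "$kiuwan_password" \
    -s "$TRAVIS_BUILD_DIR" -n "$(kiuwan_app_name "$TRAVIS_BUILD_DIR")" \
    -l "$TRAVIS_BUILD_ID" -c
}

if [ "${1:-}" = "run" ]; then
  run_kiuwan_scan
fi
```

Skipping rather than failing on fork pull requests is a deliberate choice: those builds cannot authenticate to Kiuwan anyway, and a hard failure would only teach contributors to ignore a red build. The checksum pin means you have to bump `KIUWAN_LA_SHA256` when Kiuwan ships a new analyzer, which is exactly the point: an updated binary should be a conscious change in your pipeline, not something that silently starts running with your credentials.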
Invocation of Kiuwan
You can add whichever options fit your scanning needs; I recommend reading Kiuwan Local Analyzer CLI - Command Line Interface for a frame of reference. The options most relevant to a .travis.yml like mine are:

- `-s, --sourcePath` Directory with the code to analyze
- `-n, --softwareName` Name of the target application
- `-c, --create` Create the application in the Kiuwan service if it does not exist yet
- `-l, --label` Label for the analysis
- `-m, --model-name` Model name (the one option here that my script does not use)
Kiuwan Local Analyzer
You’ll then see the Local Analyzer’s output in the build log. Remember that you can also select the VM size; in my case that affects how deep the scan goes, though for this use case I just used the baseline. Kiuwan calculates the heap size and collects the bill of materials (TypeScript and the other dependencies):
You should then get an email from the Jelly service, after which you can inspect your project at a more granular level. Here’s the test project I created. Below is a screenshot of the Jelly service email I received after a successful scan:

Click the link in the email and you land in the Kiuwan GUI, where you can explore the results:

From there you can review your project at a more granular security level. With Kiuwan in the pipeline you get one more check before deploying code with Travis.
As always, if you have any questions please email me at firstname.lastname@example.org.