Build System or Bust and Wrapping Security Tools Using Docker

As we continue to work with early adopters to deploy Chalk, and onboard users onto the free tier of our commercial platform, it has been reinforced to us time and time again, that if you're deploying appsec tools today, it's ‘build system or bust’.

“We add all tools as Github actions”’ and “we need to be able to validate any security checks before a PR is accepted” are normal non-negotiable requirements. There is no doubt to us that CI/CD, has become the appsec assessment equivalent of the security checkpoint pattern, and validating the security quality of software at the checkpoint, is now the only game in town.

But we have also come to learn that the most important requirement that drives adoption across an enterprise is also about the build system. We typically hear something like “we have to be able to deploy across all of the pipelines without the developers having to do anything”. That’s a high bar, but today, repo by repo code scanning, or parallel security checks on a branch, are no longer considered viable options. It’s a case of having to be inline through the checkpoint, and doing it without the developer having to change anything.

We have been utilizing a neat little trick in Chalk, and have done the work to enable you to spin up any tool you want for every Docker build that happens on a build server, and all without the developer having to make any changes whatsoever. It really is neat. 

When you install Chalk on your Docker based build systems, we recommend putting it in the same directory where your Docker executable is, though anywhere in the default PATH is fine. You could of course deploy Chalk and ask everyone to run it by invoking Chalk before their Docker commands, but that's easy to forget. It's really better to automatically call Chalk when invoking Docker and that is the neat trick. 

You do it with a global alias. Your build systems will have a global file for bash configuration, which, these days, is almost always /etc/bash.bashrc (but if it's not there, then it should be at/etc/bashrc).

This file runs when any bash shell starts. All you need to add to this file is:

alias docker=chalk

With that, Chalk will now run each time you call Docker. The way we've configured Chalk when it doesn't see any of its own commands, is to use the Chalk Docker command.

We always run the Docker command intended by the user, but we also collect and report on environmental info using Chalk. 

In your Chalk config you can use run_sbom_tools and run_sast-tools to automatically run Syft and Semgrep with every build to generate an SBOM and run a SAST scan. We chose Syft for SBOMs and Semgrep for SAST, because we think they are best of breed open-source tools, but you can apply the same technique to run any tools, and here is where we need some help.  

What should we wrap next, so that you can use Chalk to run all of your appsec tools, on every Docker build, across all of your build pipelines, without having to ask the developer to do anything? 

Suggestions in the comments on LinkedIn will be very welcome.

https://www.linkedin.com/feed/update/urn:li:activity:7129776766633562112/