Scanning for vulnerabilities with VAddy and AWS CodeBuild
At last week’s AWS re:Invent 2016 conference, Amazon announced its new “fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy”: AWS CodeBuild. In this blog post, I’d like to explain how you can start scanning for security vulnerabilities with VAddy and AWS CodeBuild today.
Step 1: Create a (GitHub) repository to build
Let’s get started by setting up a GitHub repository that we can use to run a test build. Create a new repository and then add a new file named buildspec.yml in the root (top level) directory. Once committed, the file should contain the following YAML data:
```yaml
version: 0.1
phases:
  install:
    commands:
      - echo Nothing to do in the install phase...
  pre_build:
    commands:
      - echo Nothing to do in the pre_build phase...
  build:
    commands:
      - echo Nothing to do in the build phase...
  post_build:
    commands:
      - git clone https://github.com/vaddy/go-vaddy.git govaddy ; govaddy/bin/vaddy-linux-64bit
      - echo Build completed on `date`
```
AWS CodeBuild will follow this build specification to download VAddy’s command-line tool and run a vulnerability scan during the post-build phase.
Step 2: Create a CodeBuild project for testing
Next, let’s sign in to the AWS Management Console and choose one of the three regions that support AWS CodeBuild (as of December 8, 2016):
US East (N. Virginia)
US West (Oregon)
EU (Ireland)
Click Create project. Under Source: What to build, choose GitHub as the Source provider. Once you have connected CodeBuild to your GitHub account, choose the repository that you just created above from the Repository drop-down list.
For Build specification, leave Use the buildspec.yml in the source code root directory selected.
If you attempt to run the build now, you should encounter an error because you haven’t provided a username and API token to VAddy’s command-line tool. Let’s fix that now.
Step 3: Use VAddy to scan for vulnerabilities when your build has completed
Here you are going to use environment variables to configure the authentication credentials that you need to run vulnerability scans via VAddy’s web API.
Near the bottom of your CodeBuild project’s configuration screen, there should be a Show Advanced Settings menu item. Select it, and then add values for the following three environment variables (as shown in the screenshot below):
VADDY_TOKEN
VADDY_USER
VADDY_HOST
If you run the build and no vulnerabilities are found, every phase should indicate that it has completed successfully:
Step 4: Check your build logs for vulnerabilities
If VAddy’s command-line tool detects any vulnerabilities, it will exit with an error code and cause the build to fail:
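The two behaviours the post relies on in Step 3 and Step 4 (the scan refusing to run without credentials, and a non-zero exit status from the scanner failing the build) can be made explicit in a small post_build helper. The following is an added example, not VAddy's or AWS CodeBuild's own code; it assumes the scanner lives at the path the buildspec above clones it to, overridable through a hypothetical VADDY_BIN variable so the script can be exercised with a stand-in binary.

```shell
#!/bin/sh
# Added example (not the VAddy project's code): a post_build helper for the
# buildspec on this page. It checks the three credential variables before
# scanning and passes the scanner's exit status through unchanged, so that
# findings (non-zero exit) fail the CodeBuild build.

# Assumption: VADDY_BIN defaults to the path the buildspec clones the CLI to.
: "${VADDY_BIN:=govaddy/bin/vaddy-linux-64bit}"

# Return 0 when VADDY_USER, VADDY_TOKEN and VADDY_HOST are all set and
# non-empty; otherwise name each missing variable on stderr and return 1.
check_vaddy_env() {
    missing=0
    for name in VADDY_USER VADDY_TOKEN VADDY_HOST; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required environment variable: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# Clone the go-vaddy repository only if it is not already present.
# Using && (rather than ;) in the caller means a failed clone stops the
# phase instead of falling through to a scanner binary that does not exist.
fetch_vaddy_cli() {
    [ -d govaddy ] || git clone https://github.com/vaddy/go-vaddy.git govaddy
}

# Run the scan. Returns 2 without scanning when credentials are incomplete;
# otherwise returns exactly what the scanner returned (0 = no findings,
# non-zero = vulnerabilities found or scan error), which CodeBuild turns
# into a failed build.
run_vaddy_scan() {
    check_vaddy_env || return 2
    "$VADDY_BIN"
}

# What the post_build command list would call.
post_build() {
    fetch_vaddy_cli && run_vaddy_scan
}
```

In the buildspec, the post_build phase would then run this script instead of the single `git clone ... ; govaddy/bin/vaddy-linux-64bit` line; the semicolon in the original line lets the scanner invocation proceed even when the clone fails, whereas `&&` stops the phase at the first error and keeps the build log pointing at the actual cause.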
Conclusion
Because AWS CodeBuild was just announced last week, it doesn’t yet provide more fine-grained controls—such as the ability to specify a particular branch in your Git repository—but I would expect these and other use cases to be addressed soon in upcoming updates.
We currently maintain a Jenkins installation on an EC2 instance that is always running as part of our development environment for VAddy, but going forward I’d like to consider running builds on demand with AWS CodeBuild instead, and possibly save some money on our monthly EC2 bills.
— Yasushi Ichikawa (@ichikaway)