You can do this in four simple steps.
Note: Typically these steps are performed by a DevOps engineer or a developer.
- Step 1: Add a new app in the Sken portal
- Step 2: Write sken.yaml
- Step 3: Set up and run Sken CLI in your terminal
- Step 4: Check scan findings and report in the Sken portal
Step 1: Add a new app in Sken.ai portal
Log in to the Sken portal and add a new app in your default organization.
Click on New Application. The New Application page opens.
In Application Name, enter the name of the new app and click on Next. (Please see Add new app for detailed steps.)
The App Setup page opens, showing the Org ID and App ID of this new app. Copy the Org ID and the App ID; you will use them in step 2 below.
Note: You can skip the App settings steps if you just want to quickly see how Sken works with minimal results. If you define these settings, such as the risk factor criteria for the app, the findings and scan reports are more accurate and comprehensive. (For more details and advanced settings, see Add new app.)
Step 2: Write sken.yaml
Check in or add this sken.yaml file to the root folder of your source code.
To quickly see how Sken works, we keep this configuration very simple. You can always add advanced settings to sken.yaml to handle more complex configurations.
Use the Org ID and App ID from step 1 here.
Sken automatically detects your languages and runs the appropriate scans. In this test run it automatically runs SAST, SCA, and secrets scans.
Step 3: Set up and run Sken CLI
Note: If you are running in a virtual Python environment, you may first need to run
> pip install wheel
Install and Upgrade Sken CLI
To install Sken CLI, run the following from the command line:
> pip install skencli
To upgrade Sken CLI, run the following from the command line:
> pip install --upgrade skencli
Run Sken CLI
In the terminal, go to the root folder of the source code (or point skencli at the folder with the -path param) and run
> skencli
If you follow the output from Sken CLI, you can see that it selects different types of scanners, pulls Docker images for those scanners, runs the scans in those Docker containers, writes the results to a file, and then uploads the results file to your Sken cloud.
Related article: This is a getting started article to help you with the quick steps for your first app scan. Please see Advanced Settings: Set up Sken CLI and Sken.yaml for more details on backend configuration and advanced settings.
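The following script is an added example, not Sken's own code, that wraps steps 2 and 3 above into one file for a terminal or CI job: it writes a minimal sken.yaml from the Org ID and App ID copied in step 1, checks that both IDs are present before anything is installed or uploaded, and only then installs skencli and runs the scan. The key names orgid and appid, and the -path parameter, are assumptions taken from this page's description and should be checked against your version of Sken CLI.

```shell
#!/bin/sh
# Added example (not Sken's own code). Assumed: sken.yaml uses the keys
# "orgid" and "appid", and skencli accepts "-path" as described on this page.
set -eu

# Return 0 if DIR holds a sken.yaml with both IDs set, 1 otherwise.
# Catching a missing ID here avoids a wasted Docker pull and upload.
check_sken_config() {
  dir="${1:-.}"
  cfg="$dir/sken.yaml"
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  for key in orgid appid; do
    grep -Eq "^[[:space:]]*${key}[[:space:]]*:[[:space:]]*[^[:space:]]" "$cfg" \
      || { echo "$cfg: '$key' is not set" >&2; return 1; }
  done
  return 0
}

# Write the minimal sken.yaml from step 2 into DIR (ORG and APP come from step 1).
write_sken_config() {
  dir="$1"; org="$2"; app="$3"
  printf 'orgid: %s\nappid: %s\n' "$org" "$app" > "$dir/sken.yaml"
}

# Install or upgrade skencli in the active Python environment, then scan DIR.
run_sken_scan() {
  dir="${1:-.}"
  check_sken_config "$dir"
  pip install --quiet wheel              # needed in some virtual environments
  pip install --quiet --upgrade skencli  # install or upgrade Sken CLI
  skencli -path "$dir"                   # "-path" as given on this page (assumed spelling)
}

# Only scan when explicitly asked, so the file can be sourced for its functions.
if [ "${SKEN_RUN:-0}" = "1" ]; then
  run_sken_scan "${1:-.}"
fi
```

Run it as `SKEN_RUN=1 sh sken-scan.sh /path/to/source` after writing the config once with `write_sken_config`. Because the results file, including any secrets findings, is uploaded to the Sken cloud, the pre-check keeps a half-written config from triggering a scan against the wrong organization or app.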
Step 4: Check scan findings and report in the Sken portal
Open the Sken portal and select the organization and the app that you just scanned in the test run. If you have added more than one app, a list of apps appears.
Click on the app that you just set up and scanned from the command line. A page with details about the application opens. Click on the Findings link, and a list of scan findings appears. Here is an example of what you can see.
Related article: Please see See findings and reports of a specific app, for more details.
Each scan finding shows more details as below.
Success, and Next Step
If everything looks good, proceed to set up Sken CLI in your CI/CD pipeline. See Quickly get started with Sken: Setup Sken in Your CI/CD for detailed steps.
How it works
- When you run Sken CLI, Sken automatically works out, based on your app's language, architecture, and settings, which open source scanners and which types of scans (SAST, DAST, SCA, secrets, etc.) are appropriate.
- Sken automatically downloads the latest Docker image of each of those scanners and executes the scans in a Docker container on your CI/CD machine.
- The scan results are uploaded to the Sken cloud, where you can review them in your Sken portal.
Related article: See Advanced Settings: Set up Sken CLI and Sken.yaml for detailed instructions on advanced settings.