Sken is designed to be executed from your CI/CD. This is the ideal way to use Sken: when it runs on every build, the scan findings you see for an app are more detailed, accurate, and comprehensive.

Note: Typically these steps are performed by a DevOps engineer or a developer.

To quickly test run Sken CLI, we recommend you see Quickly get started with Sken: Test Run in Terminal or command prompt. Once you can see the app scan results in a test run, or if for some reason you cannot test Sken CLI in a terminal, continue with the Sken setup in your CI/CD as explained below.

Note: If you have already tested out Sken CLI in your terminal, you might have done some of these steps already.

  • Step 1: Add a new app in the Sken portal
  • Step 2: Write sken.yaml
  • Step 3: Set up Sken CLI in your CI/CD
  • Step 4: Check security scan findings in the Sken portal

Step 1: Add a new app in the Sken.ai portal

If you have already tested out Sken CLI in your terminal, you have already done this step, so you can skip it. (Please see Quickly get started with Sken: Test Run in Terminal or command prompt for details on doing a test run via command prompt.)

Log in to the Sken portal. Add a new app in your default organization.

Click on New Application. The New Application page opens.

In Application Name, write the name of the new app. Click on Next. (Please see Add new app for detailed steps.)

The App Setup page opens, where you can see the Org ID and App ID of this new app. Copy the Org ID and the App ID to use them in step 2 below.

Note: You can skip the App settings steps if you just want to quickly see how Sken works, at the cost of less complete results. If you define these settings, such as the risk factor criteria for the app, the findings and scan reports are more accurate and comprehensive. (For more details and advanced settings, see Add new app.)

Step 2: Write sken.yaml

If you have already tested out Sken CLI in your terminal, you have already done this step, so you can skip it.

Check in or add this sken.yaml file into the root folder of your source code.

To quickly see how Sken works, we keep this configuration very simple. You can always add advanced settings for sken.yaml to handle more complex configurations. (See Advanced Settings: Set up Sken CLI and Sken.yaml for detailed instructions if you want to set up Sken into your CI/CD for the advanced settings.)

Use the Org ID and App ID from step 1 here.

orgid: your-org-id-here
appid: your-app-id-here

Sken automatically detects your languages and runs the appropriate scans. It automatically runs SAST, SCA, and Secrets scans and shows you the app scan findings for this run.

Step 3: Set up Sken CLI in your CI/CD

For Jenkins: If you are using Jenkins as your CI/CD, paste this code segment in Jenkins | <Your app> | Configure | Add build step | Execute Shell.

#!/bin/bash
pip install --upgrade skencli
~/.local/bin/skencli

For Travis: If you are using Travis as your CI/CD: Paste this code segment in your travis.yaml file.

Note that if this .yaml file already includes Python and docker, you should include only the Sken-specific code.

language: python
python:
  - "3.8"
services:
  - docker
before_install:
  - pip install --upgrade --no-cache-dir --default-timeout=210 skencli
script:
  - skencli

For Circle CI: We have a CircleCI Orb. To use the orb, paste this code segment in your circleCI.yaml file. Check the Orb Registry page to use the latest, correct version.

version: 2.1
orbs:
  skencli: skenai/skencli@<version>
workflows:
  main:
    jobs:
      - skencli/scan

For GitHub Actions: If you are using GitHub Actions: Paste this code segment in your workflow main.yml file.

Note that if this .yaml file already includes Python, you should include only the Sken-specific code.

name: CI
on:
  push:
    branches: [ github-action ]
  pull_request:
    branches: [ github-action ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2

      - name: Set up Python 3.x
        uses: actions/setup-python@v2
        with:
          # Semantic version range syntax or exact version of a Python version
          python-version: '3.x'
          # Optional - x64 or x86 architecture, defaults to x64
          architecture: 'x64'

      - name: Install skencli
        run: pip3 install --upgrade skencli

      - name: Run skencli
        run: skencli

For Bamboo: If you are using Bamboo: Paste this code segment in your bamboo.yml file.

---
version: 2
plan:
  project-key: MYAPP
  key: MYAPP
  name: Build the myapp

stages:
  - Scan the myapp stage:
      - Scan

Scan:
  tasks:
    - script:
        - pip3 install --user --upgrade skencli
        - export PATH="$HOME/.local/bin:$PATH"
        - skencli

For Azure DevOps: If you are using Azure DevOps: Paste this code segment in your azure-pipeline.yml file.

trigger:
- feature/add_azure_pipelines

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: Bash@3
  displayName: Install_skencli
  inputs:
    targetType: 'inline'
    script: pip install wheel && pip install --upgrade skencli
- task: Bash@3
  displayName: Run_skencli
  inputs:
    targetType: 'inline'
    script: ~/.local/bin/skencli

For Harness CI: If you are using Harness CI: Paste this code segment in your .drone.yml file.

---
kind: pipeline
type: exec
name: default

platform:
  os: linux
  arch: amd64

steps:
- name: Install skencli
  commands:
  - pip install --upgrade skencli
- name: Run skencli
  commands:
  - skencli

trigger:
  branch:
  - master

Related article: This is a getting started article to help you with the quick steps for your first app scan. Please see Advanced Settings: Set up Sken CLI and Sken.yaml for more details on backend configuration and advanced settings.

Step 4: Check scan findings in the Sken portal

Check the Sken portal. Select the organization and the app that you just scanned. A list of apps appears if you have added multiple apps.

Click on the target app that you just set up in your CI/CD. You will see a page with details about the application. Click on the findings link. A list of scan findings appears. Here is an example of what you can see.

Related article: Please see See findings and reports of a specific app, for more details.

Each scan finding shows more details as below.

How it works

  1. Every time your CI/CD runs a build, it calls Sken CLI.
  2. Based on your app’s language, architecture, and settings, Sken automatically figures out which open source scanners and which types of scans (SAST, DAST, SCA, secrets, etc.) are appropriate.
  3. Sken automatically downloads the latest docker image of those scanners and executes the scans in a docker container on your CI/CD machine.
  4. The scan results are uploaded to the Sken cloud, and you can review them in your Sken portal.
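As an added example (not Sken's or this page's own code), here is one CI-agnostic shell wrapper that ties Steps 2 and 3 to the flow in the list above: it refuses to run while sken.yaml still carries the placeholder orgid/appid values, checks that Docker is reachable because the scanners run in containers, then installs and runs skencli the way the Jenkins and Bamboo snippets do. The file name sken_ci.sh, the `run` argument, and pip3 with --user installing into ~/.local/bin are assumptions.

```shell
#!/bin/sh
# Added example (not Sken's own code): a CI-agnostic wrapper for the steps on this page.
# It checks sken.yaml from Step 2 before spending build time, then installs and runs
# skencli exactly as the Jenkins/Bamboo snippets in Step 3 do.
# Assumed: pip3 is on the runner and skencli lands in ~/.local/bin with --user.
set -eu

# Return 0 when sken.yaml at $1 has orgid and appid filled in; return 1 when the
# file is missing, a key is absent, or a value is still the "your-..." placeholder.
check_sken_yaml() {
  file="$1"
  [ -f "$file" ] || { echo "check: $file not found in the repo root" >&2; return 1; }
  for key in orgid appid; do
    value=$(sed -n "s/^${key}:[[:space:]]*//p" "$file" | head -n 1)
    case "$value" in
      "" | your-*)
        echo "check: '$key' in $file is missing or still a placeholder" >&2
        return 1 ;;
    esac
  done
  return 0
}

# skencli pulls scanner images and runs them in containers, so the runner needs Docker.
check_docker() {
  command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1
}

install_skencli() {
  pip3 install --user --upgrade skencli
  PATH="$HOME/.local/bin:$PATH"
  export PATH
}

# Full CI step: validate, install, scan. Any failure fails the build.
run_scan() {
  repo_root="${1:-.}"
  check_sken_yaml "$repo_root/sken.yaml"
  check_docker || { echo "run: Docker is not available on this runner" >&2; return 1; }
  install_skencli
  ( cd "$repo_root" && skencli )
}

# Invoke as:  sh sken_ci.sh run <repo-root>   (no-op without "run", so it can be sourced)
if [ "${1:-}" = "run" ]; then
  run_scan "${2:-.}"
fi
```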

Related article: See Advanced Settings: Set up Sken CLI and Sken.yaml for detailed instructions on advanced settings.
