Sken is an application security scanning tool that packages and manages open source scanners across all scan types (SAST, DAST, SCA, and more) and automates them for you in CI/CD.
Sken integrates continuous application security testing into your DevOps CI/CD environment. It helps you discover, prioritize, and fix application security issues for an immediate and improved ROI.
As DevOps, you get started quickly by following these three steps:
1. Run Sken on the command line
2. Write your sken.yaml file
3. See scan findings and security gaps in your Sken.ai account
For more details on the ROI of Sken for your DevOps workflow, see About Sken.
The Sken dashboard
When you log in to Sken, the dashboard guides you to create a new app. After you run one or more scans, as explained later in this article using CircleCI as an example, you can see the detailed scan findings on the dashboard, with an option to dig deeper into the findings for insights. (Please see Findings and reports on your dashboard for more details.)
Note: Integrating with CircleCI involves a few steps that are common to all scanners; the remaining steps differ depending on the scanner (or scan type).
Note: To quickly test run the Sken CLI, we recommend that you see Quickly get started with Sken: Test Run in Terminal or command prompt.
How to integrate Sken with CircleCI
Step 1: Add app into Sken
Log in to the Sken portal. Add a new app in your default organization. While following the basic steps to add the app name, you can see the App Setup page, which shows the Org ID and App ID of this new app. Copy these two IDs; you will use them in step 2 below. (Please see Add new app for detailed instructions and for advanced options.)
Step 2: Write sken.yaml
Check in or add this sken.yaml file to the root folder of your source code. Use the Org ID and App ID from step 1 here.
Step 3: Set up Sken CLI in your CI/CD
We have a CircleCI Orb. To use the orb, paste this code segment into your circleCI.yaml file. Check the Orb Registry page for the latest version.
Sken for different scanners
Example: How to run find-sec-bugs
Note: Find-sec-bugs is a static analysis (SAST) scanner for Java code (https://find-sec-bugs.github.io/).
In Sken, you do not need to specify the scanner that you want to use. You specify the language of the source code to be scanned, and Sken automatically selects a scanner for you.
For example, if you want to run find-sec-bugs, you simply specify java as the language in sken.yaml. See the sample .yaml file in Advanced Settings: Set up Sken CLI and Sken.yaml.
With this sken.yaml file, Sken automatically runs find-sec-bugs for you.
Note: Sken will also run OWASP Dependency-Check (an SCA, or Software Composition Analysis, scanner) and Gitleaks (a secrets scanner). SCA and secrets scanners are language-neutral.
How to ONLY run find-sec-bugs
Modify sken.yaml as follows:
With this sken.yaml file, Sken will only run find-sec-bugs.
Note: If you do not specify the language, Sken auto-detects it and runs the appropriate scans; it supports almost all major open source scanners, languages, and CI/CD tools.
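The selection logic described in this section (a language-specific SAST scanner chosen from the source language, language-neutral SCA and secrets scanners added on top, and an option to run only the SAST scanner) is illustrated below as an added example. It is not Sken's own code or configuration format: the extension-to-language table, the mapping of python and go to bandit and gosec, and the function and parameter names are assumptions made for illustration; only java mapping to find-sec-bugs, with OWASP Dependency-Check and Gitleaks as the always-on scanners, comes from the text above.

```python
"""Illustration of language-driven scanner selection (added example,
not Sken's code). The tables below are assumptions for illustration."""
from collections import Counter
from pathlib import PurePosixPath

# Assumed mapping from source file extensions to a language label.
EXTENSION_LANGUAGE = {
    ".java": "java",
    ".py": "python",
    ".go": "go",
}

# Assumed mapping from language to the SAST scanner that handles it.
# Only java -> find-sec-bugs is stated on the page; the rest is assumed.
SAST_SCANNERS = {
    "java": "find-sec-bugs",
    "python": "bandit",
    "go": "gosec",
}

# Language-neutral scanners that run regardless of language
# (SCA and secrets scanning), as the note above describes.
LANGUAGE_NEUTRAL_SCANNERS = ("owasp-dependency-check", "gitleaks")

# Constructed sample file tree standing in for a checked-out repository.
SAMPLE_TREE = [
    "src/main/java/com/example/App.java",
    "src/main/java/com/example/Util.java",
    "scripts/build.py",
    "README.md",
]


def detect_languages(paths):
    """Return the languages present in the tree, most common first.

    Files whose extension is not in EXTENSION_LANGUAGE are ignored, so
    documentation and build artefacts do not trigger a scanner.
    """
    counts = Counter()
    for path in paths:
        lang = EXTENSION_LANGUAGE.get(PurePosixPath(path).suffix.lower())
        if lang:
            counts[lang] += 1
    return [lang for lang, _ in counts.most_common()]


def select_scanners(paths, language=None, only_sast=False):
    """Choose the scanners for one scan run.

    language:  explicit language from the config file; None means auto-detect
               from the file tree, mirroring the 'do not specify the language'
               note above.
    only_sast: when True, skip the language-neutral SCA and secrets scanners,
               i.e. the 'ONLY run find-sec-bugs' case.
    Raises ValueError if a language has no known SAST scanner, so a typo in
    the config fails loudly instead of silently scanning nothing.
    """
    languages = [language] if language else detect_languages(paths)
    unknown = [lang for lang in languages if lang not in SAST_SCANNERS]
    if unknown:
        raise ValueError(f"no SAST scanner known for language(s): {unknown}")
    scanners = [SAST_SCANNERS[lang] for lang in languages]
    # With no recognised source language the SCA and secrets scanners still
    # run, because they do not depend on the language at all.
    if not only_sast:
        scanners.extend(LANGUAGE_NEUTRAL_SCANNERS)
    return scanners


if __name__ == "__main__":
    print("detected:", detect_languages(SAMPLE_TREE))
    print("java, all scanners:", select_scanners(SAMPLE_TREE, language="java"))
    print("java, SAST only:", select_scanners(SAMPLE_TREE, language="java", only_sast=True))
    print("auto-detect:", select_scanners(SAMPLE_TREE))
```

Running the module prints the scanner list for each of the three configurations discussed above (explicit java, java with only the SAST scanner, and auto-detection). A tree with no recognised source files still yields the two language-neutral scanners, which is the behaviour a defender wants: dependency and secrets checks should never be skipped just because language detection found nothing.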
See scan findings on your dashboard
In the Sken portal, select the organization and the app that you just scanned. You will see a page with details about the application.
Click on the findings link. A list of scan findings appears. Here is an example of what you can see.
Related article: For more details, see the article See findings and reports of a specific app.