AWS CodeBuild

This article shows you how you can integrate ShiftLeft CORE's NG SAST into your AWS CodeBuild workflow to provide automated code analysis.

Prerequisites

  • You must have an Amazon Web Services account to proceed. Amazon, during the registration process, will ask you to provide your billing information in case you exceed the Free Tier Usage Limits. ShiftLeft is not responsible for any usage costs you may incur by setting up and using this integration.

  • You can store your source code with any of the four source providers CodeBuild supports, but for this tutorial, we will proceed with our HelloShiftLeft sample app source code in GitHub.

Step 1: Create the buildspec file

Regardless of where you store your source code, you must include a buildspec file, which is "a collection of build commands and related settings, in YAML format, that CodeBuild uses to run a build."

This file must be named buildspec.yml and placed in the root of your source code directory. For this tutorial, we will be working with this buildspec file:

version: 0.2
phases:
  install:
    runtime-versions:
      java: openjdk8
    commands:
      - echo Entering the install phase...
    finally:
      - echo Exiting the dependency install phase...
  pre_build:
    commands:
      - echo Downloading the ShiftLeft CLI...
      - curl https://cdn.shiftleft.io/download/sl > $HOME/sl && chmod a+rx $HOME/sl
    finally:
      - echo Downloaded ShiftLeft...
  build:
    commands:
      - echo Entering the maven build process...
      - mvn clean package
    finally:
      - echo Exiting the maven build process...
  post_build:
    commands:
      - echo Starting code analysis with NG SAST...
      - $HOME/sl analyze --app HelloShiftLeft --wait --java target/hello-shiftleft-0.0.1.jar
    finally:
      - echo Ran NG SAST on your code
artifacts:
  files:
    - target/hello-shiftleft-0.0.1.jar

Once you've added this file to your repository, make sure that it is available to AWS as needed (i.e., the change has been merged into master).

Step 2: Create the build project

At this point, you'll create the build project used by CodeBuild to run your build.

  1. Sign in to the AWS Console and open CodeBuild. If this is your first time using CodeBuild, you may be asked to choose an AWS Region where CodeBuild is supported; any option is acceptable.

  2. If you're redirected to the CodeBuild info page, click Create build project, otherwise use the navigation pane to choose Build > Build projects > Create build project.

  3. Under Project configuration, provide a project name. The name must be unique; use the same name consistently throughout the rest of this tutorial.

  4. In Source > Source provider, choose GitHub. Indicate its Repository type (in this case, we chose Public repository), and provide the Repository URL.

  5. AWS CodeBuild needs access to your GitHub account to display the available repositories. You can choose either method (Connect using OAuth or GitHub personal access token); CodeBuild will walk you through the authorization process.

  6. Under Environment, choose the Managed image option.

  7. For Operating system, select Ubuntu.

  8. For Runtime, select Standard.

  9. For Image, select aws/codebuild/standard:3.0.

  10. For Image version, select Always use the latest image for this runtime version.

  11. For Environment type, select Linux.

  12. For Service role, choose New service role and provide a Role name of your choice. This will be the "user" role CodeBuild uses to run your build.

  13. Expand the Additional configuration section. Scroll down to Environment variables and create a SHIFTLEFT_ACCESS_TOKEN variable (for the time being, we will leave it as plaintext for clarity, though you should use Parameter Store or Secrets Manager before using this in production). When running in a production environment, we recommend that you use a CI token as the access token. You can create your CI token in the ShiftLeft Dashboard.

    Please note that any environment variable that is set overrides the corresponding value in a configuration file.

  14. Under Buildspec > Build specifications, choose Use a buildspec file.

  15. Scroll to the bottom, and click Create build project.
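
For the production setup recommended in step 13, the buildspec below pulls SHIFTLEFT_ACCESS_TOKEN from AWS Secrets Manager at build time instead of storing it as a plaintext project variable. This is an added example, not ShiftLeft's own buildspec: the secret name shiftleft/ci-token is a hypothetical placeholder, and the CodeBuild service role created in step 12 must be granted secretsmanager:GetSecretValue on that secret (or ssm:GetParameters if you use the Parameter Store variant shown in the comments).

```yaml
version: 0.2
env:
  # Resolved by CodeBuild before any phase runs; the token value is injected
  # into the environment and never appears in the repository or project settings.
  # "shiftleft/ci-token" is a hypothetical secret name; replace it with your own.
  secrets-manager:
    SHIFTLEFT_ACCESS_TOKEN: shiftleft/ci-token
  # Alternative using a SecureString parameter in Systems Manager Parameter Store
  # (use one of the two blocks, not both):
  # parameter-store:
  #   SHIFTLEFT_ACCESS_TOKEN: /shiftleft/ci-token
phases:
  install:
    runtime-versions:
      java: openjdk8
  pre_build:
    commands:
      - echo Downloading the ShiftLeft CLI...
      # -f fails the build on an HTTP error instead of saving an error page as the CLI binary;
      # -L follows redirects; -sS keeps the log quiet but still reports failures.
      - curl -fsSL https://cdn.shiftleft.io/download/sl > $HOME/sl && chmod a+rx $HOME/sl
  build:
    commands:
      - mvn clean package
  post_build:
    commands:
      - echo Starting code analysis with NG SAST...
      # The CLI reads SHIFTLEFT_ACCESS_TOKEN from the environment populated above.
      - $HOME/sl analyze --app HelloShiftLeft --wait --java target/hello-shiftleft-0.0.1.jar
artifacts:
  files:
    - target/hello-shiftleft-0.0.1.jar
```

With this buildspec in place, no SHIFTLEFT_ACCESS_TOKEN entry is needed under the project's Environment variables; if one is present it takes precedence, so remove it once the secret is configured.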

Step 3: Run the build

At this point, you're ready to run your build. You should have been redirected to an overview page for your CodeBuild project; if so, click Start Build. Otherwise, click Build projects in the left-hand navigation bar, and choose your project. Click Start build.

You'll be shown the settings for your build. Verify the default settings for a single build, and click Start build.