
Deploying preZero to your organization

This guide walks you through the steps to ensure that you're ready to set up and integrate Qwiet preZero for code analysis. This guide will also briefly cover user access, firewall modifications, and preZero customization.

Before you start

Before integrating preZero into your software deployment pipelines, there are several things you should consider:

  • Applications: Decide which applications you will scan with preZero. For each application you're scanning, make sure you have and can access its code repository.

    We recommend prioritizing your applications based on their risk profiles or business criticality: integrate preZero first with the applications that would have the highest impact should a security issue occur.

  • Users: Decide who you want to be involved with the code analysis process and what roles they should have. You'll also need to decide how these users access Qwiet (e.g., you could implement SSO and let anyone with the appropriate email address self-enroll).

    Instead of onboarding all users simultaneously, we recommend inviting users based on your integrated apps. For example, if you're scanning public-repo-1 and public-repo-2, only invite those who interact with these two repos; as you add more apps, invite more users (if necessary).

  • CI/CD platform: If you already have a CI/CD platform with which you want to integrate preZero (e.g., you can run preZero as a Jenkins post-build action), be sure you can access it and are familiar with how to modify its configuration. If not, decide on the CI/CD platform that best meets your build and deployment needs. Remember that you can use different options for different stages; for example, a company might choose to use Jenkins for development and GitHub Actions for integration with preZero.

  • Software development life cycle: This step has two parts. First, determine where in your software development life cycle (SDLC)/security process you want preZero to run. For example, will preZero run as part of the build process itself, or will it be a part of the post-build process?

    Second, when do you want preZero to run? Will you scan all pull requests/merge requests, or will you only scan your main/master branch? You could also choose to scan based on whether you consider a change a fix or a new feature.

    Please note that how you integrate preZero may depend on your application language. For example, Java applications require preZero to be added as a post-build action, while other languages are more flexible.

Step 1: Configure access to Qwiet

You can view the results generated by preZero in the Qwiet Dashboard. To that end, you'll need to add administrators manually. You can also manually add users, but we recommend implementing SSO so that individual users can auto-enroll.

Currently, Qwiet supports SSO integrations with providers supporting the SAML v2.0 protocol.

Step 2: Integrate preZero

Once you've set up your users and their access to Qwiet, you'll need to integrate preZero into your application build/deployment workflow. This process requires you to download the Qwiet CLI and install preZero.

Once installed, you can check whether your environment is ready to run preZero using sl check-environment.

We also offer Terraform modules and scripts that aid with the integration and deployment of preZero to all of your Git repositories hosted by:

  • Azure DevOps
  • Bitbucket
  • GitHub
  • GitLab

If you're not a Terraform user, but you would like assistance with automated deployment, please contact Qwiet for further information.

Configure your firewall

If necessary, configure your firewall to allow access to the following domains (all use TCP ports 80 and 443):

  • api.shiftleft.io
  • cdn.shiftleft.io
  • shiftleft-prod-pipeline.s3-accelerate.amazonaws.com
  • www.shiftleft.io
  • app.shiftleft.io

These domain names are required for preZero to function correctly.
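A pre-flight egress check is a useful companion to the allowlist above: run it on the CI runner that will execute preZero and it reports which of the listed domains still cannot be reached on ports 80 and 443 before the first scan fails with a less obvious error. This is an added example, not Qwiet's own tooling; the domains and ports are the ones listed in this guide, and the script uses only the Python standard library.

```python
"""Pre-flight egress check for the preZero firewall allowlist.

Added example (not Qwiet tooling). For each domain the guide lists it
resolves the name and attempts a TCP connect on ports 80 and 443, then
returns the endpoints a firewall change still needs to cover.
"""
import socket
import sys
from dataclasses import dataclass

# Domains and ports as listed in the guide's firewall section.
REQUIRED_DOMAINS = (
    "api.shiftleft.io",
    "cdn.shiftleft.io",
    "shiftleft-prod-pipeline.s3-accelerate.amazonaws.com",
    "www.shiftleft.io",
    "app.shiftleft.io",
)
REQUIRED_PORTS = (80, 443)


@dataclass(frozen=True)
class EndpointResult:
    host: str
    port: int
    resolved: bool    # DNS lookup succeeded
    reachable: bool   # TCP handshake completed
    detail: str       # human-readable reason, for the CI log


def required_endpoints():
    """Expand the domain and port lists into every (host, port) pair to probe."""
    return [(host, port) for host in REQUIRED_DOMAINS for port in REQUIRED_PORTS]


def probe(host, port, timeout=3.0):
    """Resolve `host` and try a TCP connect to `port`; never raises."""
    try:
        sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
        addr = sockaddr[0]
    except socket.gaierror as exc:
        # A DNS failure usually means the resolver itself is filtered or the
        # name is blocked by policy; report it separately from a TCP block.
        return EndpointResult(host, port, False, False, f"DNS failure: {exc}")
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return EndpointResult(host, port, True, True, f"connected to {addr}")
    except OSError as exc:
        # Refused, reset or timed out: treat all of these as blocked egress.
        return EndpointResult(host, port, True, False, f"{addr}: {exc}")


def blocked(results):
    """Return the (host, port) pairs that are not reachable."""
    return [(r.host, r.port) for r in results if not r.reachable]


def run_preflight(timeout=3.0):
    """Probe every required endpoint, log one line each, return what is blocked."""
    results = [probe(host, port, timeout) for host, port in required_endpoints()]
    for r in results:
        status = "OK     " if r.reachable else "BLOCKED"
        print(f"{status} {r.host}:{r.port} ({r.detail})")
    return blocked(results)


if __name__ == "__main__":
    # Non-zero exit lets the CI job fail fast instead of running `sl` blind.
    sys.exit(1 if run_preflight() else 0)
```

Run it as a separate job step before the preZero step; a non-zero exit with the BLOCKED lines in the log tells the network team exactly which allowlist entries are missing.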

Step 3: Configure preZero and implement build rules

If you want to customize the behavior of preZero, you can create, define, and add the Qwiet config file to your code repositories.

Furthermore, preZero relies on build rules that you define to determine if the build should fail; preZero makes this determination by comparing the results of its analyses against your build rules.

We have brief demos of how the config file and build rules work.

Once you define your build rules (we have a template you can use to get started), you can include a copy of the build rules config file (which is named shiftleft.yml) into the root of your repos.
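To make the pass/fail mechanics concrete, the following added example evaluates constructed scan findings against constructed rules and decides whether a build should fail. It is illustrative only: the rule and finding field names (`type`, `severities`, `max_allowed`, and so on) are hypothetical and are not the schema of Qwiet's shiftleft.yml; use the template mentioned above for the real file.

```python
"""Illustrative build gate of the kind preZero applies with build rules.

Added example. The finding and rule fields are made up for illustration
and are NOT the shiftleft.yml schema; the point is the mechanism the guide
describes: count findings that match each rule and fail the build when a
rule's limit is exceeded.
"""

# Constructed findings with hypothetical fields, standing in for scan output.
SAMPLE_FINDINGS = [
    {"id": "f1", "type": "vuln", "severity": "critical", "title": "SQL injection"},
    {"id": "f2", "type": "vuln", "severity": "high", "title": "Path traversal"},
    {"id": "f3", "type": "vuln", "severity": "medium", "title": "Weak hash algorithm"},
    {"id": "f4", "type": "secret", "severity": "high", "title": "Hard-coded API token"},
]

# Constructed rules with hypothetical keys: a rule fails when the number of
# findings matching its type and severities exceeds `max_allowed`.
SAMPLE_RULES = [
    {"id": "no-critical-vulns", "type": "vuln",
     "severities": ["critical"], "max_allowed": 0},
    {"id": "limit-high-vulns", "type": "vuln",
     "severities": ["high"], "max_allowed": 2},
    {"id": "no-secrets", "type": "secret",
     "severities": ["critical", "high", "medium", "low"], "max_allowed": 0},
]


def matches(rule, finding):
    """A finding counts toward a rule when both type and severity match."""
    return finding["type"] == rule["type"] and finding["severity"] in rule["severities"]


def evaluate(rules, findings):
    """Return {rule_id: (matching_count, passed)} for every rule."""
    verdicts = {}
    for rule in rules:
        count = sum(1 for f in findings if matches(rule, f))
        verdicts[rule["id"]] = (count, count <= rule["max_allowed"])
    return verdicts


def build_should_fail(rules, findings):
    """The build fails if any single rule fails."""
    return any(not passed for _, passed in evaluate(rules, findings).values())


def report(rules, findings):
    """Produce the log lines a CI job would print, one per rule."""
    lines = []
    for rule_id, (count, passed) in evaluate(rules, findings).items():
        lines.append(f"{'PASS' if passed else 'FAIL'} {rule_id}: {count} matching finding(s)")
    lines.append("BUILD FAILED" if build_should_fail(rules, findings) else "BUILD PASSED")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES, SAMPLE_FINDINGS)))
```

Keeping rules declarative and evaluated by a single function is what makes the review process in the next paragraph work: the security group reviews changes to thresholds, not to gate logic scattered across pipeline scripts.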

We recommend creating a security group within your overarching GitHub organization that includes only your application security personnel. You can assign this group the privileges needed to modify and review changes to shiftleft.yml.