Deploying Qwiet AI by Harness to your organization
This guide walks you through the steps to ensure that you're ready to set up and integrate Qwiet AI by Harness for code analysis. This guide will also briefly cover user access, firewall modifications, and Qwiet AI by Harness customization.
Before you start
Before integrating Qwiet AI by Harness into your software deployment pipelines, there are several things you should consider:
- Applications: Decide which applications you will scan with Qwiet AI by Harness. For each application you're scanning, make sure you have and can access its code repository.
  We recommend prioritizing your applications based on their risk profiles or business criticality: integrate Qwiet AI by Harness first for the applications where a security issue would have the highest impact.
- Users: Decide who you want to be involved with the code analysis process and what roles they should have. You'll also need to decide how these users access Qwiet (e.g., you could implement SSO and let anyone with an appropriate email address self-enroll).
  Instead of onboarding all users simultaneously, we recommend inviting users based on your integrated apps. For example, if you're scanning public-repo-1 and public-repo-2, only invite those who interact with these two repos; as you add more apps, invite more users (if necessary).
- CI/CD platform: If you already have a CI/CD platform with which you want to integrate Qwiet AI by Harness (e.g., running Qwiet AI by Harness as a Jenkins post-build action), be sure you can access it and are familiar with how to modify its configuration. If not, decide on the CI/CD platform that best meets your build and deployment needs. Remember that you can use different options for different stages; for example, a company might choose to use Jenkins for development and GitHub Actions for integration with Qwiet AI by Harness.
- Software development life cycle: This step has two parts. First, determine where in your software development life cycle (SDLC)/security process you want Qwiet AI by Harness to run. For example, will Qwiet AI by Harness run as part of the build process itself, or will it be part of the post-build process?
  Second, when do you want Qwiet AI by Harness to run? Will you scan all pull requests/merge requests, or will you only scan your main/master branch? You could also choose to scan based on whether you consider a change a fix or a new feature.
  Please note that how you integrate Qwiet AI by Harness may depend on your application language. For example, Java applications require Qwiet AI by Harness to be added as a post-build action, while other languages are more flexible.
Step 1: Configure access to Qwiet
You can view the results generated by Qwiet AI by Harness in the Qwiet Dashboard. To that end, you'll need to add administrators manually. You can also manually add users, but we recommend implementing SSO so that individual users can auto-enroll.
Currently, Qwiet supports SSO integrations with providers supporting the SAML v2.0 protocol.
Step 2: Integrate Qwiet AI by Harness
Once you've set up your users and their access to Qwiet, you'll need to integrate Qwiet AI by Harness into your application build/deployment workflow. This process requires you to download the Qwiet CLI and install Qwiet AI by Harness.
Once installed, you can check whether your environment is ready to run Qwiet AI by Harness with:
sl check-environment
We also offer Terraform modules and scripts that aid with the integration and deployment of Qwiet AI by Harness to all of your Git repositories hosted by:
- Azure DevOps
- Bitbucket
- GitHub
- GitLab
If you're not a Terraform user, but you would like assistance with automated deployment, please contact Qwiet for further information.
Configure your firewall
If necessary, configure your firewall to allow access to the following domains (all use TCP ports 80 and 443):
- api.shiftleft.io
- cdn.shiftleft.io
- shiftleft-prod-pipeline.s3-accelerate.amazonaws.com
- www.shiftleft.io
- app.shiftleft.io
These domain names are required for Qwiet AI by Harness to function correctly.
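As an added example (not from the Qwiet documentation or the sl CLI), the following shell pre-flight check verifies from the build agent that every listed domain is reachable on both ports before the first scan; it assumes curl is installed and treats any HTTP response, even a 403 or 404, as proof that the firewall path is open.

```shell
#!/bin/sh
# Pre-flight egress check for the Qwiet AI by Harness endpoints listed above.
# Added example, not part of the Qwiet documentation or the sl CLI; it assumes
# `curl` is installed on the build agent. Domain and port list copied from the page.

QWIET_DOMAINS="api.shiftleft.io cdn.shiftleft.io shiftleft-prod-pipeline.s3-accelerate.amazonaws.com www.shiftleft.io app.shiftleft.io"
QWIET_PORTS="80 443"

# The URL scheme a firewall rule for a given port is expected to carry.
scheme_for_port() {
  case "$1" in
    443) echo https ;;
    *)   echo http ;;
  esac
}

# probe HOST PORT: returns curl's exit code. Any HTTP response (even 403/404)
# exits 0 and proves the path is open; 6 (DNS), 7 (refused), 28 (timeout) or
# 35/60 (TLS broken by an intercepting proxy) mean the endpoint is not usable.
probe() {
  curl --silent --output /dev/null --connect-timeout 5 --max-time 10 \
       "$(scheme_for_port "$2")://$1:$2/"
}

# Probe every domain on every port, print one line per endpoint and return the
# number of blocked endpoints, so the CI step fails if anything is still closed.
check_qwiet_egress() {
  blocked=0
  for host in $QWIET_DOMAINS; do
    for port in $QWIET_PORTS; do
      probe "$host" "$port"
      rc=$?
      if [ "$rc" -eq 0 ]; then
        printf 'ok       %s:%s\n' "$host" "$port"
      else
        printf 'BLOCKED  %s:%s (curl exit %s)\n' "$host" "$port" "$rc"
        blocked=$((blocked + 1))
      fi
    done
  done
  return "$blocked"
}

# Run only when invoked as `sh qwiet-egress-check.sh run`, so the functions can
# also be sourced into a larger pipeline script.
case "${1:-}" in
  run) check_qwiet_egress ;;
esac
```

A non-zero exit from `check_qwiet_egress` equals the number of blocked endpoints, and the curl exit code on each BLOCKED line tells you whether DNS, the TCP path or TLS interception is the culprit.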
Step 3: Configure Qwiet AI by Harness and implement build rules
If you want to customize the behavior of Qwiet AI by Harness, you can create, define, and add the Qwiet config file to your code repositories.
Furthermore, Qwiet AI by Harness relies on build rules that you define to determine if the build should fail; Qwiet AI by Harness makes this determination by comparing the results of its analyses against your build rules.
We have brief demos of how the config file and build rules work.
Once you define your build rules (we have a template you can use to get started), place a copy of the build rules config file (which is named shiftleft.yml) in the root of your repos.
We recommend creating a security group within your overarching GitHub organization that includes only your application security personnel. You can assign this group the privileges needed to modify and review changes to shiftleft.yml.