Software Integrity Blog

 

How to remove friction in DevOps with Intelligent Orchestration partner integrations

Explore the Intelligent Orchestration partner integrations for CloudBees Jenkins, GitHub Actions, SonarQube, and Atlassian.

Intelligent Orchestration partner integrations | Synopsys

Synopsys’s world-class application security products, services, and the recently released Intelligent Orchestration can help you build secure, high-quality, resilient software faster. But no single vendor can provide solutions for all the challenges a company faces today. Firms need partners to solve the myriad business challenges they face. Synopsys Technology Alliance Partner program partners with the technology industry’s leading organizations to create joint customer value. Through our partnerships, customers receive the application security solutions they need without impacting their application development and deployment efforts.

Learn about Technology Alliance Partners

Intelligent Orchestration

Intelligent Orchestration enables teams to integrate application security analysis into DevOps pipelines while maintaining development velocity. It uses a purpose-built, cloud-based continuous integration and continuous delivery / continuous deployment (CI/CD) pipeline that automatically performs the right security tests at the right time based on software development life cycle (SDLC) events and defined policies. And it provides risk-based vulnerability reporting to help teams focus on the highest-priority issues. Learn more about Intelligent Orchestration here.

We at Synopsys Software Integrity group have developed robust partnerships to help address the challenges our customers face. Intelligent Orchestration is tool-agnostic, and this blog post outlines how it works with several of our partner integrations.

Intelligent Orchestration partner integrations

CloudBees Jenkins

Anyone who has worked with a continuous integration server is familiar with Jenkins. Intelligent Orchestration works seamlessly with Jenkins and provides pipeline-as-code and security-as-code capabilities. 

For Jenkins and its shared libraries concept, we have abstracted how you can build pipelines. Some of the key benefits of using CloudBees Jenkins are:

path for jenkinsfile | Synopsys
Figure 1: Pipeline as code

  • Extensibility. The Jenkins orchestration components are easily extensible to include new scanning tools, either commercial to open source. With a solid orchestration platform in place, customers can integrate new tools with ease.

Figure 2 below shows how easy it is to add new tools to the shared libraries in Jenkins.

adding tools to libraries in Jenkins | Synopsys
Figure 2: Adding new tools to the shared libraries in Jenkins

Figure 3 below shows Intelligent Orchestration running with Jenkins orchestration and Synopsys AST tools.

Intelligent Orchestration partner integration with Jenkins using Synopsys tools  | Synopsys
Figure 3: Jenkins orchestration and Synopsys AST tools

Figure 4 below shows Intelligent Orchestration running with Jenkins orchestration using third-party tools.

Intelligent Orchestration partner integration with Jenkins using third party tools | Synopsys
Figure 4: Jenkins orchestration and third-party AST tools

GitHub Actions

Orchestration by itself isn’t sufficient. If AST tools aren’t configured correctly, they can flag an overwhelming number of potential vulnerabilities, many of them insignificant or irrelevant to a particular project. And that can frustrate development teams to the point that they start ignoring the warnings or even disabling the tools, undermining the security those tools are meant to enhance. Intelligent Orchestration and GitHub Actions can help solve this problem.
 
Developers are directed toward vulnerabilities that are prioritized by their organization’s security policies (e.g., only critical vulnerabilities or only critical SQL injection vulnerabilities), so they aren’t overwhelmed by analysis results. Intelligent Orchestration with GitHub Actions can specify when to run a specific tool scan and when not to, based on the actual code changes.

Here are some examples of Intelligent Orchestration and GitHub Actions working together.

Example 1: An Actions file was changed in a way that posed no risk to the application. Intelligent Orchestration skipped both SAST and SCA scan.

Intelligent Orchestration skips SAST and SCA | Synopsys
Figure 5: Example 1

Example 2: A sensitive package was changed in a way that required a SAST scan. Intelligent Orchestration skipped the SCA scan and ran a SAST scan.

Intelligent Orchestration skips SCA and ran SAST | Synopsys
Figure 6: Example 2

Example 3: The tool found 91 total issues, but the team had configured Intelligent Orchestration to send notifications about only high-severity issues. There were 75 high-severity issues, as displayed in the security pane.

Intelligent Orchestration sends high-severity issues | Synopsys
Figure 7: Example 3

information needed to fix identified issues and merge the fixed code into the main branch | Synopsys
Figure 8: Developers are given all the information they need to fix identified issues and merge the fixed code into the main branch

SonarQube

Tools running by themselves provide different reports and different metrics, which is good but not useful when you want a consolidated view of the risks found in all the AST scans you ran. 

SonarQube provides a dashboard for all scan results, enables you to define quality and security gates, and allows authorities to determine whether the code can move to the next stage in the pipeline.

Intelligent Orchestration uses SonarQube two different ways. First, within SonarQube, the integration displays the risk calculation, the score, and which security activities ran and which were skipped for that particular build.

Intelligent Orchestration partner integration with and SonarQube | Synopsys
Figure 9: Intelligent Orchestration and SonarQube integration

Second, the Intelligent Orchestration and SonarQube integration includes security gates and a way to pause the pipeline when an authority is required to accept the risk.

Intelligent Orchestration and SonarQube security gate | Synopsys
Figure 10: Intelligent Orchestration and SonarQube security gate

Atlassian

With all the automation and tools configured in the pipeline, you need a way to manage the defects the tools identified. Intelligent Orchestration can notify you when AST tools identify critical issues. These issues are then pushed automatically to issue-tracking systems like Atlassian Jira. This enables continuous feedback and visibility of security findings for development teams. It also provides a way for the sign-off authority to stop the affected code from moving to the next stages in the pipelines when critical issues are open in Jira.

Open vulnerabilities in Atlassian Jira | Synopsys
Figure 11: Open vulnerabilities in Atlassian Jira

Atlassian Jira tickets for manual activities | Synopsys
Figure 12: Atlassian Jira is also used to add tickets for all manual activities that need to occur within a secure SDLC

Making your AppSec program a success

Intelligent Orchestration is cloud-agnostic, and it can be deployed in Amazon AWS, Microsoft Azure, or any other cloud provider.

Synopsys Intelligent Orchestration works with several other partners and includes integrations for them. Integrating with partner tools and technologies is key to the success of Intelligent Orchestration and any AppSec program. Stay tuned for more detailed blogs on other integrations with our partner tools and technologies.

Learn more about our partner integrations

 

More by this author