Explore the Intelligent Orchestration partner integrations for CloudBees Jenkins, GitHub Actions, SonarQube, and Atlassian.
Synopsys’s world-class application security products, services, and the recently released Intelligent Orchestration can help you build secure, high-quality, resilient software faster. But no single vendor can solve every challenge a company faces today; firms need partners. The Synopsys Technology Alliance Partner program works with the technology industry’s leading organizations to create joint customer value, so that customers get the application security solutions they need without slowing their application development and deployment efforts.
Intelligent Orchestration enables teams to integrate application security analysis into DevOps pipelines while maintaining development velocity. It uses a purpose-built, cloud-based continuous integration and continuous delivery / continuous deployment (CI/CD) pipeline that automatically performs the right security tests at the right time, based on software development life cycle (SDLC) events and defined policies, and it provides risk-based vulnerability reporting to help teams focus on the highest-priority issues.
We in the Synopsys Software Integrity Group have developed robust partnerships to help address the challenges our customers face. Intelligent Orchestration is tool-agnostic, and this blog post outlines how it works with several of our partner integrations.
Anyone who has worked with a continuous integration server is familiar with Jenkins. Intelligent Orchestration works seamlessly with Jenkins and provides pipeline-as-code and security-as-code capabilities.
Using the Jenkins shared libraries concept, we have abstracted how pipelines are built, so that the pipeline and its security activities are expressed as code. Figure 1 shows this pipeline-as-code approach along with some of the key benefits of using CloudBees Jenkins.
Figure 1: Pipeline as code
Figure 2 below shows how easy it is to add new tools to the shared libraries in Jenkins.
Figure 2: Adding new tools to the shared libraries in Jenkins
Figure 3 below shows Intelligent Orchestration running with Jenkins orchestration and Synopsys AST tools.
Figure 3: Jenkins orchestration and Synopsys AST tools
Figure 4 below shows Intelligent Orchestration running with Jenkins orchestration using third-party tools.
Figure 4: Jenkins orchestration and third-party AST tools
Orchestration by itself isn’t sufficient. If AST tools aren’t configured correctly, they can flag an overwhelming number of potential vulnerabilities, many of them insignificant or irrelevant to a particular project. And that can frustrate development teams to the point that they start ignoring the warnings or even disabling the tools, undermining the security those tools are meant to enhance. Intelligent Orchestration and GitHub Actions can help solve this problem.
Developers are directed toward vulnerabilities that are prioritized by their organization’s security policies (e.g., only critical vulnerabilities or only critical SQL injection vulnerabilities), so they aren’t overwhelmed by analysis results. Intelligent Orchestration with GitHub Actions can specify when to run a specific tool scan and when not to, based on the actual code changes.
Here are some examples of Intelligent Orchestration and GitHub Actions working together.
Example 1: An Actions workflow file was changed in a way that posed no risk to the application. Intelligent Orchestration skipped both the SAST and the SCA scan.
Figure 5: Example 1
Example 2: A sensitive package was changed in a way that required a SAST scan. Intelligent Orchestration skipped the SCA scan and ran a SAST scan.
Figure 6: Example 2
Example 3: The tool found 91 total issues, but the team had configured Intelligent Orchestration to send notifications about only high-severity issues. There were 75 high-severity issues, as displayed in the security pane.
Figure 7: Example 3
Figure 8: Developers are given all the information they need to fix identified issues and merge the fixed code into the main branch
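The two decisions described above (which scans a given change warrants, and which findings a developer is actually told about) can be written down as a small policy engine. The following Python is an added example, not Intelligent Orchestration's code: the policy, the path patterns, the severity names and the findings are all constructed for illustration, and a real policy would be whatever rules the team defines.

```python
"""Policy-driven scan selection and finding filtering.

Added example, not Intelligent Orchestration's code. The policy, the path
patterns and the findings below are all constructed for illustration.
"""
from fnmatch import fnmatchcase

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Hypothetical policy. fnmatch's "*" also matches "/", so "src/*.java"
# covers Java files at any depth under src/.
POLICY = {
    # Changes to these paths never warrant a scan on their own.
    "ignore": [".github/workflows/*", "docs/*", "*.md"],
    # (changed-path pattern, scans that change triggers); first match wins.
    "triggers": [
        ("pom.xml", {"SCA"}),
        ("*/pom.xml", {"SCA"}),
        ("*package.json", {"SCA"}),
        ("*package-lock.json", {"SCA"}),
        ("*requirements*.txt", {"SCA"}),
        ("src/main/java/com/example/auth/*", {"SAST"}),  # sensitive package
        ("src/*.java", {"SAST"}),
        ("src/*.py", {"SAST"}),
    ],
    # Fail closed: a path the policy does not understand gets every scan,
    # so the policy only ever skips work it has explicitly reasoned about.
    "unknown_path_scans": {"SAST", "SCA"},
    # Which findings developers are notified about.
    "notify_min_severity": "HIGH",
    "notify_categories": set(),  # empty = every category
}


def select_scans(changed_files, policy=POLICY):
    """Return the set of scans this change warrants, e.g. {"SAST"}."""
    scans = set()
    for path in changed_files:
        if any(fnmatchcase(path, pat) for pat in policy["ignore"]):
            continue
        for pattern, triggered in policy["triggers"]:
            if fnmatchcase(path, pattern):
                scans |= triggered
                break
        else:
            scans |= policy["unknown_path_scans"]
    return scans


def filter_findings(findings, policy=POLICY):
    """Keep findings at or above the notify severity and, if the policy
    lists categories, only those categories (e.g. only critical SQL injection)."""
    floor = SEVERITY_RANK[policy["notify_min_severity"]]
    cats = policy["notify_categories"]
    return [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= floor
        and (not cats or f["category"] in cats)
    ]


# Constructed scan output (not real tool results).
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "category": "SQL Injection", "file": "src/main/java/com/example/UserDao.java"},
    {"severity": "HIGH", "category": "Cross-Site Scripting", "file": "src/main/java/com/example/web/Search.java"},
    {"severity": "HIGH", "category": "SQL Injection", "file": "src/main/java/com/example/ReportDao.java"},
    {"severity": "MEDIUM", "category": "Information Exposure", "file": "src/main/java/com/example/web/Error.java"},
    {"severity": "LOW", "category": "Code Quality", "file": "src/main/java/com/example/Util.java"},
]

# A stricter policy: only critical SQL injection, as in the text's example.
SQLI_ONLY_POLICY = {**POLICY, "notify_min_severity": "CRITICAL",
                    "notify_categories": {"SQL Injection"}}

if __name__ == "__main__":
    for change in ([".github/workflows/ci.yml"],
                   ["src/main/java/com/example/auth/Login.java"],
                   ["pom.xml", "src/main/java/com/example/App.java"],
                   ["Makefile"]):
        print(change, "->", sorted(select_scans(change)) or "no scan")
    print(len(filter_findings(SAMPLE_FINDINGS)), "findings at HIGH or above")
    print(len(filter_findings(SAMPLE_FINDINGS, SQLI_ONLY_POLICY)), "critical SQL injection findings")
```

The one design choice worth calling out is the fail-closed default: a path the policy has no rule for triggers every scan, so skipping is only ever the result of an explicit decision. Without it, a newly added build file or language would silently go unscanned until someone noticed the gap in the policy.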
Each tool produces its own reports and its own metrics. That is useful on its own, but it does not give you a consolidated view of the risk found across all the AST scans you ran.
SonarQube provides a dashboard for all scan results, enables you to define quality and security gates, and allows authorities to determine whether the code can move to the next stage in the pipeline.
Intelligent Orchestration uses SonarQube in two different ways. First, within SonarQube, the integration displays the risk calculation, the score, and which security activities ran and which were skipped for that particular build.
Figure 9: Intelligent Orchestration and SonarQube integration
Second, the Intelligent Orchestration and SonarQube integration includes security gates and a way to pause the pipeline when an authority is required to accept the risk.
Figure 10: Intelligent Orchestration and SonarQube security gate
With all the automation and tools configured in the pipeline, you need a way to manage the defects the tools identified. Intelligent Orchestration can notify you when AST tools identify critical issues. These issues are then pushed automatically to issue-tracking systems like Atlassian Jira. This enables continuous feedback and visibility of security findings for development teams. It also gives the sign-off authority a way to stop the affected code from moving to the next stage in the pipeline while critical issues remain open in Jira.
Figure 11: Open vulnerabilities in Atlassian Jira
Figure 12: Atlassian Jira is also used to add tickets for all manual activities that need to occur within a secure SDLC
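Two details decide whether pushing findings into a tracker helps or hurts: a stable fingerprint, so that a rescan updates the existing ticket instead of filing a duplicate every build, and a gate that blocks while a gate-relevant ticket is still open (and notices when a closed finding comes back). The Python below is an added example, not Intelligent Orchestration's Jira integration: the tracker is an in-memory stand-in for Jira (a real integration would call the Jira REST API), the "only critical blocks" rule is an assumed policy, and the scan results are constructed.

```python
"""Sync gate-relevant findings into an issue tracker and gate on open tickets.

Added example, not Intelligent Orchestration's integration. InMemoryTracker
stands in for Jira, GATE_SEVERITIES is an assumed policy, and the scan
results are constructed.
"""
import hashlib

GATE_SEVERITIES = {"CRITICAL"}   # assumed policy: only these block the pipeline


def fingerprint(finding):
    """Stable identity for a finding, so a rescan updates the existing ticket
    instead of opening a duplicate. Line numbers are deliberately excluded:
    they shift whenever unrelated code above the sink is edited."""
    key = "|".join([finding["tool"], finding["rule"], finding["file"], finding["symbol"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


class InMemoryTracker:
    """Stand-in for Jira: tickets keyed by fingerprint, each with a status."""

    def __init__(self):
        self.tickets = {}   # fingerprint -> {"status", "summary", "seen"}

    def upsert(self, fp, summary):
        ticket = self.tickets.get(fp)
        if ticket is None:
            self.tickets[fp] = {"status": "Open", "summary": summary, "seen": 1}
            return "created"
        ticket["seen"] += 1
        if ticket["status"] == "Done":
            # The finding is back after being marked fixed: reopen it rather
            # than silently trusting the old resolution.
            ticket["status"] = "Reopened"
            return "reopened"
        return "updated"

    def resolve(self, fp):
        self.tickets[fp]["status"] = "Done"

    def open_fingerprints(self):
        return {fp for fp, t in self.tickets.items() if t["status"] != "Done"}


def sync_findings(findings, tracker, severities=GATE_SEVERITIES):
    """Push each gate-relevant finding to the tracker; return action counts."""
    actions = {"created": 0, "updated": 0, "reopened": 0}
    for f in findings:
        if f["severity"] not in severities:
            continue
        summary = f"[{f['severity']}] {f['rule']} in {f['file']}"
        actions[tracker.upsert(fingerprint(f), summary)] += 1
    return actions


def gate(tracker):
    """Pipeline gate: BLOCKED while any gate-relevant ticket is still open."""
    open_fps = tracker.open_fingerprints()
    return ("BLOCKED" if open_fps else "PASS", len(open_fps))


# Constructed scan output (not real tool results).
SCAN_1 = [
    {"tool": "SAST", "rule": "SQL Injection", "file": "src/main/java/com/example/UserDao.java",
     "symbol": "findByName", "line": 42, "severity": "CRITICAL"},
    {"tool": "SCA", "rule": "Vulnerable component", "file": "pom.xml",
     "symbol": "com.example:legacy-parser:1.2.3", "line": 88, "severity": "CRITICAL"},
    {"tool": "SAST", "rule": "Cross-Site Scripting", "file": "src/main/java/com/example/web/Search.java",
     "symbol": "render", "line": 17, "severity": "HIGH"},
]
# The same findings after an unrelated edit shifted every line (constructed).
SCAN_2 = [dict(f, line=f["line"] + 16) for f in SCAN_1]


def run_scenario():
    """Walk one ticket lifecycle; returns the intermediate results in order."""
    tracker = InMemoryTracker()
    first = sync_findings(SCAN_1, tracker)          # two critical tickets created
    after_first = gate(tracker)                      # BLOCKED, 2 open
    second = sync_findings(SCAN_2, tracker)          # same issues, shifted lines: updated, no duplicates
    for fp in list(tracker.open_fingerprints()):     # developers fix both and close the tickets
        tracker.resolve(fp)
    after_fix = gate(tracker)                        # PASS, 0 open
    regression = sync_findings(SCAN_2, tracker)      # the findings come back: tickets reopened
    return first, after_first, second, after_fix, regression, gate(tracker)


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Note that the high-severity XSS finding never reaches the tracker under this policy; it would be surfaced to developers through the notification path instead. Whether that is the right split is a policy decision, which is exactly why the severity set is a parameter rather than a constant buried in the code.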
Intelligent Orchestration is cloud-agnostic, and it can be deployed in Amazon Web Services (AWS), Microsoft Azure, or any other cloud provider.
Synopsys Intelligent Orchestration works with several other partners and includes integrations for them. Integrating with partner tools and technologies is key to the success of Intelligent Orchestration and any AppSec program. Stay tuned for more detailed blogs on other integrations with our partner tools and technologies.
Meera Rao (Subbarao) is a senior director for product management (DevOps solutions) at Synopsys. She has over 20 years of experience in software development organizations in a variety of roles including Architect, Lead Developer, Project Manager, and Security Architect. Meera has overseen and performed secure code reviews, static analysis implementations, architectural risk analyses, secure design reviews, and threat modeling of systems built from a few thousand lines of code to systems containing tens of millions of lines of code. She has developed multiple Synopsys training courses and is a certified instructor in architectural risk analysis, threat modeling, and more.