The CI Agent, aligned with your organization's or group's general policies, can automatically break builds that contain vulnerabilities that have not been remediated nor accepted. Breaking the build means preventing any software author from deploying a build with said vulnerabilities into production. This mechanism prompts your team to address security issues, effectively prioritizing security at that moment of the software development lifecycle.

A DevSecOps token is required for installation of the Agent. Continue reading to learn how to manage this token. Further below are references to configuring policies to break the build and viewing the Agent's executions.

Note: Token generation, update, and reset are completely up to your team.

Generate the DevSecOps token

Role required: User, Vulnerability Manager or User Manager

1. Go to the Scope section of the group where you want to use the Agent.




2. Scroll all the way down to locate the DevSecOps agent title.

3. Click the Manage token button.




4. In the pop-up window, click on Generate.

   
   

Once generated, you can click on Copy to capture the token for immediate use. The token is valid for 180 days and is unique to the group where it is created.

Update the DevSecOps token

Role required: User, Vulnerability Manager or User Manager

Fluid Attacks' platform sends you a notification seven days before the DevSecOps token expires.

Reset the DevSecOps token

Role required: User, Vulnerability Manager or User Manager

You can reset the DevSecOps token while your current one is still valid. Follow these steps:

1. Go to your group's Scope and locate the Manage Token button.
   

2. In the pop-up window, click on Reveal token.
   

3. Once your current token is displayed, click the Reset button to generate a new token.
   

The new token is generated in the pop-up window, and you can copy it for immediate use.

Troubleshooting: If you encounter errors during token management, refresh the Scope section and retry. If the issue persists, contact Fluid Attacks support at help@fluidattacks.com with detailed information about the problem.

Configure policies to break the build

Role required: User, Vulnerability Manager or User Manager

1. Grace period where newly reported vulnerabilities will not break the build
   
2. Minimum CVSS score of an open vulnerability to break the build
   
3. Number of days until vulnerabilities are considered technical debt and do not break the build

To learn about these policies in detail, read Manage general policies.

View the Agent's execution details

Role required: User, Vulnerability Manager or User Manager

On Fluid Attacks' platform, you can inspect the outcomes of each execution of the CI Agent for a specific group, such as whether it broke the build and what unremedied vulnerabilities it found. To do it, go to the group's DevSecOps section. Read about the latte in View details of the security of your builds.

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.