Prevent the deployment of vulnerable builds | Fluid Attacks Help

Prevent the deployment of builds with vulnerabilities

You can install Fluid Attacks' CI Agent to automatically enforce the vulnerability acceptance policies.

The CI Agent, aligned with your organization's or group's general policies, can automatically break builds that contain vulnerabilities that have not been remediated nor accepted. Breaking the build means preventing any software author from deploying a build with said vulnerabilities into production. This mechanism prompts your team to address security issues, effectively prioritizing security at that moment of the software development lifecycle.

A CI Agent token is required for installation of the Agent. To use the Agent, ensure Internet connectivity, so it can connect to Fluid Attacks' API. as the Continue reading to learn how to manage this token. Further below are references to configuring policies to break the build and viewing the Agent's executions.

Note: Token generation, update, and reset are completely up to your team.

Generate the CI Agent token

Role requirement infoRole required: User, Vulnerability Manager or Group Manager
Follow these steps to generate the CI Agent token on Fluid Attacks' platform:

  1. Go to the Scope section of the group where you want to use the Agent.

    2. Find the Scope section on the Fluid Attacks platform

  2. Scroll all the way down to locate the CI Agent card.

  3. Click the Manage token button.

    4. Manage CI Agent token on the Fluid Attacks platform

  4. In the pop-up window, click on Generate.

    Generate CI Agent token on the Fluid Attacks platform

Once generated, you can click on Copy to capture the token for immediate use. The token is valid for 180 days and is unique to the group where it is created.

Copy CI Agent token on the Fluid Attacks platform

You can always come back and click on Reveal token to view it.

View CI Agent token on the Fluid Attacks platform

Update the CI Agent token

Role requirement infoRole required: User, Vulnerability Manager or Group Manager

Fluid Attacks' platform sends you a notification seven days before the CI Agent token expires.

After your token expires, you must follow the same instructions provided in Generate the CI Agent token. In this case, the pop-up window referred to in step 4 states that the token has expired.

Update DevSecOps token on the Fluid Attacks platform

Reset the CI Agent token

Role requirement infoRole required: User, Vulnerability Manager or Group Manager

You can reset the CI Agent token while your current one is still valid. Follow these steps:

  1. Go to your group's Scope and locate the Manage Token button.

  2. In the pop-up window, click on Reveal token.

  3. Once your current token is displayed, click the Reset button to generate a new token.

    4. Reset CI Agent token on the Fluid Attacks platform

The new token is generated in the pop-up window, and you can copy it for immediate use.

Troubleshooting: If you encounter errors during token management, refresh the Scope section and retry. If the issue persists, contact Fluid Attacks support at help@fluidattacks.com with detailed information about the problem.

Configure policies to break the build

Role requirement infoRole required: User, Vulnerability Manager or Group Manager
Fluid Attacks' platform allows you to configure the following policies related to breaking the build:
  1. Grace period where newly reported vulnerabilities will not break the build
  2. Minimum CVSS score of an open vulnerability to break the build
  3. Number of days until vulnerabilities are considered technical debt and do not break the build
To configure them for your entire organization or for specific groups, go to the Policies section.
Idea
To learn about these policies in detail, read Manage security gates.

View the Agent's execution details

Role requirement infoRole required: User, Vulnerability Manager or Group Manager

On Fluid Attacks' platform, you can inspect the outcomes of each execution of the CI Agent for a specific group, such as whether it broke the build and what unremedied vulnerabilities it found. To do it, go to the group's DevSecOps section. Read about the latter in View details of the security of your builds.

Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.