- Open up the "Services" tab and select "Systems Manager" under "Management Tools."
- Select "Parameter Store" at the bottom of the page.
- Select "Create Parameter" and input "FOSSA_API_KEY" as the name, set the type to "SecureString," and set the value to your API Key. Press "Create Parameter" when you're done.
CodeBuild parameter access
Now that we have a safe space to store our API Key, we need to grant the CodeBuild Service access to it.
- Open up the "Services" tab and select "IAM" under "Security, Identity, & Compliance"
- Select "Roles" from the side navigation.
- Locate and select the appropriate role for "CodeBuild." It should be named "code-build--service-role." My project was made through CodeStar, so it was named "CodeStarWorker--CodeBuild." Expand the available policy.
- Select "Edit policy." Select "Add additional permissions," and select a service.
- Start typing "SSM" to refine your search, and choose "SSM" when it pops up.
- When the "Actions" section opens up, expand the "Read" section. Select "GetParameters." (Important: the item we're selecting is "GetParameters," not to be confused with "GetParameter.")
- Select the "Resources" section. From that section, select "Add ARN." Input your region into the "Region" field, account ID in the "Account" field, and "FOSSA_API_KEY" into the "Fully qualified parameter name" field. Select "Add." Feel free to add a "Request condition" if you have the information ready.
- Select "Review policy" and "Save changes."
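The same least-privilege grant the console steps above produce, written out as an added example that is not part of the FOSSA documentation: a small POSIX shell script that builds the policy document for one parameter ARN and runs a textual check that the document has not drifted to a wildcard resource or `ssm:*` before it is attached. The region, account ID and `Sid` are placeholders.

```sh
#!/bin/sh
# Added example (not from the FOSSA docs): generate the least-privilege policy for
# reading the FOSSA_API_KEY parameter and sanity-check it before attaching it.
# Region, account ID and the Sid below are placeholders/assumptions.

# Fully qualified ARN of a single SSM parameter: arn:aws:ssm:REGION:ACCOUNT:parameter/NAME
ssm_parameter_arn() {
  printf 'arn:aws:ssm:%s:%s:parameter/%s' "$1" "$2" "$3"
}

# Emit a policy document that allows only ssm:GetParameters on that one parameter.
fossa_key_policy() {
  arn=$(ssm_parameter_arn "$1" "$2" "$3")
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n    {\n      "Sid": "ReadFossaApiKey",\n      "Effect": "Allow",\n      "Action": "ssm:GetParameters",\n      "Resource": "%s"\n    }\n  ]\n}\n' "$arn"
}

# Return 0 when the document is still scoped: no "*" resource, no "parameter/*" resource,
# no "ssm:*" action. A textual guard rail against copy-paste mistakes, not a policy parser.
policy_is_scoped() {
  doc="$1"
  if printf '%s' "$doc" | grep -q '"Resource": *"\*"'; then return 1; fi
  if printf '%s' "$doc" | grep -q '"Resource": *"arn:aws:ssm:[^"]*:parameter/\*"'; then return 1; fi
  if printf '%s' "$doc" | grep -q '"Action": *"ssm:\*"'; then return 1; fi
  return 0
}

# Usage in a shell with AWS credentials (role name and region are placeholders):
#   fossa_key_policy us-east-1 123456789012 FOSSA_API_KEY > fossa-ssm-policy.json
#   policy_is_scoped "$(cat fossa-ssm-policy.json)" || exit 1
#   aws iam put-role-policy --role-name <your-codebuild-role> \
#       --policy-name ReadFossaApiKey --policy-document file://fossa-ssm-policy.json
```

If the SecureString parameter is encrypted with a customer managed KMS key rather than the default `aws/ssm` key, the CodeBuild role also needs `kms:Decrypt` on that key; the policy above covers only the parameter read.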
CodeBuild utilizes the buildspec.yml file in the root of your repository to build the project. The stages are defined here and artifacts are extracted.
Open your buildspec.yml file. If you do not have this file, create one by following this guide.
Add the "env" section before "phases" if you don't already have it. Add the section "parameter-store" within that, and finally, add `FOSSA_API_KEY: "FOSSA_API_KEY"` below that (the key on the left is the environment variable the build will see; the quoted value is the name of the Parameter Store parameter). It should look like the snippet below.

```yaml
version: 0.2
env:
  parameter-store:
    FOSSA_API_KEY: "FOSSA_API_KEY"
phases:
  install:
    commands:
      # ...
```
In the "commands" section under the "post_build" section, add the new command `bash sca.sh`. It should look like the snippet below.

```yaml
post_build:
  commands:
    - echo Entering post_build phase...
    - echo Build completed on `date`
    - bash sca.sh
    - mv target/ROOT .
    # ...
```
Note: This file was created by CodeStar and contains steps specific to the provided application.

```yaml
version: 0.2
env:
  parameter-store:
    FOSSA_API_KEY: "FOSSA_API_KEY"
phases:
  install:
    commands:
      - pip install --upgrade awscli
  pre_build:
    commands:
      - echo Entering pre_build phase...
      - echo Test started on `date`
      - mvn clean compile test
  build:
    commands:
      - echo Entering build phase...
      - echo Build started on `date`
      - mvn war:exploded
  post_build:
    commands:
      - echo Entering post_build phase...
      - echo Build completed on `date`
      - bash sca.sh
      - mv target/ROOT .
artifacts:
  type: zip
  files:
    - 'ROOT/WEB-INF/classes/application.properties'
    - 'ROOT/WEB-INF/classes/com/aws/codestar/projecttemplates/HelloWorldAppInitializer.class'
    - 'ROOT/WEB-INF/classes/com/aws/codestar/projecttemplates/configuration/ApplicationConfig.class'
    - 'ROOT/WEB-INF/classes/com/aws/codestar/projecttemplates/configuration/MvcConfig.class'
    - 'ROOT/WEB-INF/classes/com/aws/codestar/projecttemplates/controller/HelloWorldController.class'
    - 'ROOT/WEB-INF/lib/aopalliance-1.0.jar'
    - 'ROOT/WEB-INF/lib/commons-fileupload-1.3.3.jar'
    - 'ROOT/WEB-INF/lib/commons-io-2.5.jar'
    - 'ROOT/WEB-INF/lib/commons-logging-1.2.jar'
    - 'ROOT/WEB-INF/lib/javax.servlet-api-3.1.0.jar'
    - 'ROOT/WEB-INF/lib/spring-aop-4.3.14.RELEASE.jar'
    - 'ROOT/WEB-INF/lib/spring-beans-4.3.14.RELEASE.jar'
    - 'ROOT/WEB-INF/lib/spring-context-4.3.14.RELEASE.jar'
    - 'ROOT/WEB-INF/lib/spring-core-4.3.14.RELEASE.jar'
    - 'ROOT/WEB-INF/lib/spring-expression-4.3.14.RELEASE.jar'
    - 'ROOT/WEB-INF/lib/spring-web-4.3.14.RELEASE.jar'
    - 'ROOT/WEB-INF/lib/spring-webmvc-4.3.14.RELEASE.jar'
    - 'ROOT/WEB-INF/views/index.jsp'
    - 'ROOT/resources/gradients.css'
    - 'ROOT/resources/set-background.js'
    - 'ROOT/resources/styles.css'
    - 'ROOT/resources/tweet.svg'
```
Create SCA script
In buildspec.yml, we reference a file called sca.sh, which does not exist yet. So, let's make it.
Create the file in the root directory of the repository, and chmod it to enable execution.

```sh
touch sca.sh && chmod +x sca.sh
```
Edit the script so that it downloads the FOSSA CLI (and a config file, if you don't have one already) and then runs the analysis. It should look something like the file below.

```bash
#!/bin/bash
# Fail the build if the download or the analysis fails.
set -e
# Fetch and run the FOSSA CLI installer (Cache-Control avoids a stale cached copy).
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bash
# Analyze the project; the CLI reads FOSSA_API_KEY from the environment.
fossa analyze
```
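A hardened variant of the script above, added here as an example and not FOSSA's own sca.sh: it performs the same two steps, but saves the installer to a file and compares it against a pinned SHA-256 before executing it, and it fails early with a clear message if FOSSA_API_KEY was not injected by the parameter-store mapping, without ever printing the key. `EXPECTED_SHA256` is a placeholder to be filled from a reviewed copy of install-latest.sh, and the `run` argument is an assumption that lets the functions be sourced and tested; with it, the buildspec command becomes `bash sca.sh run`.

```bash
#!/bin/bash
# Added example (not FOSSA's sca.sh): pinned-installer, fail-closed version of the SCA step.
# EXPECTED_SHA256 is a placeholder; compute it from a copy of install-latest.sh you have reviewed.
set -eu

INSTALLER_URL="https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh"
EXPECTED_SHA256="${EXPECTED_SHA256:-<pinned-sha256-of-reviewed-install-latest.sh>}"

# Print the SHA-256 of a file with whichever tool the build image provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only when the file's digest equals the expected digest.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Return 0 when FOSSA_API_KEY is set and non-empty; never echoes the value.
api_key_present() {
  [ -n "${FOSSA_API_KEY:-}" ]
}

run_sca() {
  api_key_present || {
    echo "FOSSA_API_KEY is not set: check the env.parameter-store section of buildspec.yml and the role's ssm:GetParameters grant" >&2
    return 1
  }
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  # -f fails on HTTP errors instead of piping an error page into bash.
  curl -fsSL -H 'Cache-Control: no-cache' "$INSTALLER_URL" -o "$tmp"
  verify_sha256 "$tmp" "$EXPECTED_SHA256" || {
    echo "install-latest.sh digest mismatch: refusing to execute it" >&2
    return 1
  }
  bash "$tmp"
  fossa analyze
}

# Entry point used by the build step (assumed invocation: bash sca.sh run).
if [ "${1:-}" = "run" ]; then
  run_sca
fi
```

The digest check covers only the installer script; the installer in turn fetches a CLI release, so if you want the whole chain pinned, also pin the CLI version the installer pulls, and refresh `EXPECTED_SHA256` deliberately whenever you review a new installer revision.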