### Example Curl Command for TFVC Repository Download Source: https://docs.strikeone.io/scan-one/vuln-management This example demonstrates how to use curl to download a TFVC repository as a .zip file using the Azure API. This method is an alternative to using git clone for specific scenarios. ```text https://ORGANIZATION:TOKEN@dev.azure.com/ORGANIZATION/_apis/tfvc/items?path=$/EXAMPLE-PROJECT&api-version=5.0&download=true&organization=ORGANIZATION ``` -------------------------------- ### Example Git Repository URLs with Credentials Source: https://docs.strikeone.io/scan-one/vuln-management These examples show the format for providing repository URLs that include user credentials (username and token) for cloning Git repositories. This is necessary for tools that need to clone a repository to analyze it. ```text https://USER:TOKEN@github.com/USER_OR_ORGANIZATION/REPO.git https://USER:TOKEN@gitlab.com/GROUP/REPO.git https://USER:TOKEN@dev.azure.com/ORGANIZATION/PROJECT/_git/REPO https://USER:TOKEN@ORGANIZATION.visualstudio.com/COLLECTION/PROJECT/_git/REPO https://USER:TOKEN@bitbucket.org/USER_REPO/PROJECT_REPO.git ``` -------------------------------- ### Install StrikeOne VM Test Docker Image Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Pull the latest StrikeOne VM test Docker image from Docker Hub. This image contains the necessary tools to execute tests. ```bash docker pull strike1/execute-vm-test:latest ``` -------------------------------- ### Run StrikeOne VM Test Container Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Execute the StrikeOne VM test container to run tests. This command starts an interactive session with the container. ```bash docker run --rm -it strike1/execute_vm_test python execute_test.py ``` -------------------------------- ### Example SAST Scan with GitHub Actions Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Automate SAST scans using GitHub Actions. This workflow pulls the StrikeOne Docker image and executes a SonarQube scan. ```yaml name: CI on: push: branches: [ "main" ] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Pull docker StrikeOne run: docker pull strike1/execute-vm-test:latest - name: Execute Sonar Test run: | export REPO_NAME=${GITHUB_REPOSITORY#*/} echo "$REPO_NAME" export SONAR_TEST=$(docker run --rm strike1/execute-vm-test:latest python execute_test.py -ut ${{secrets.SO_TOKEN}} -tn test_name -an "$REPO_NAME" -tt sast -t sonarqube -d https://google.com -url https://${{secrets.GH_TOKEN}}@github.com/user/repo.git -pn "$REPO_NAME" -pb main) echo "$SONAR_TEST" if echo "$SONAR_TEST" | grep -iq "Error"; then echo "[SH] Error al ejecutar test..." exit 1 fi ``` -------------------------------- ### Example DAST Scan with GitHub Actions Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Automate DAST scans using GitHub Actions. This workflow pulls the StrikeOne Docker image and executes an OWASP ZAP scan against a specified domain. ```yaml name: CI on: push: branches: [ "main" ] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Pull docker StrikeOne run: docker pull strike1/execute-vm-test:latest - name: Execute OWASP ZAP Test run: | export REPO_NAME=${GITHUB_REPOSITORY#*/} echo "$REPO_NAME" export OWASP_TEST=$(docker run --rm strike1/execute-vm-test:latest python execute_test.py -ut ${{secrets.SO_TOKEN}} -tn test_name -an "$REPO_NAME" -tt dast -t owasp_zap -d https://google.com) echo "$OWASP_TEST" if echo "$OWASP_TEST" | grep -iq "Error"; then echo "[SH] Error al ejecutar test..." exit 1 fi ``` -------------------------------- ### Azure Pipelines Configuration for DAST Scan Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 An example Azure Pipeline configuration for performing a Dynamic Application Security Testing (DAST) scan using OWASP ZAP. It includes triggers, agent specification, and variables. ```yaml # Pipeline Name name: CI-$(Build.BuildId) # Triggers trigger: branches: include: - main # Specify agent pool: vmImage: 'ubuntu-latest' # Variables variables: REPO_NAME: $(Build.Repository.Name) # Repository name # Steps steps: # Pull docker image - script: | echo "Pulling Docker image..." docker pull strike1/execute-vm-test:latest displayName: 'Pull Docker StrikeOne' # Executes OWASP ZAP test - script: | echo "Executing OWASP ZAP Test..." export OWASP_TEST=$(docker run --rm strike1/execute-vm-test:latest python execute_test.py -ut $(SO_TOKEN) -tn test_name -an "$(REPO_NAME)" -tt dast -t owasp_zap -d https://google.com) echo "$OWASP_TEST" if echo "$OWASP_TEST" | grep -iq "Error"; then echo "[SH] Error al ejecutar test..." exit 1 fi displayName: 'Execute OWASP ZAP Test' env: SO_TOKEN: $(SO_TOKEN) # Secret: StrikeOne Token ``` -------------------------------- ### Execute DepCheck or GitLeaks Test with Project Details Source: https://docs.strikeone.io/integrations/jenkins This snippet demonstrates executing Dependency-Check or GitLeaks scans. It requires the `toolData` object containing `projectUrl`, `projectName`, and optionally `projectBranch`. ```json { "externalData": { "testName": "depcheck_scan_example", "parsedDomainId": "your_domain_id", "parsedScanId": "your_scan_id", "tool": "dep_check" }, "toolData": { "projectUrl": "https://your-repo.com/your-project.git", "projectName": "your-project-name", "projectBranch": "main" } } ``` -------------------------------- ### Execute StrikeOne Test via GitHub Actions Source: https://docs.strikeone.io/integrations/github-actions This job demonstrates how to use the 'fjogeleit/http-request-action' to send a POST request to the StrikeOne API for executing a test. Ensure you have set up the 'SO_API_TOKEN' secret in your GitHub repository. ```yaml execute_so_test: name: Execute StrikeOne Test runs-on: self-hosted steps: - name: StrikeOne Test Execution id: strikeone_test_execution uses: fjogeleit/http-request-action@v1 with: url: "https://assessment.strikeone.io/api/vm/tests/external/execute" method: "POST" customHeaders: '{"Content-Type": "application/json"}' bearerToken: ${{ secrets.SO_API_TOKEN }} data: '{"externalData": { "parsedDomainId": "192079240", "parsedScanId": "192079369", "tool": "owasp_zap", "testName": "GitHub Actions Test" } }' - name: Show Response run: | echo ${{ steps.strikeone_test_execution.outputs.response }} ``` -------------------------------- ### Run OWASP ZAP Baseline Scan with Docker Source: https://docs.strikeone.io/scan-one/vuln-management Executes an OWASP ZAP baseline scan using a Docker image. Requires Docker, the specified image, and sudo permissions. Reports are saved and processed. ```bash sudo docker run --rm -v $PWD:/zap/wrk owasp/zap2docker-stable:latest zap-baseline.py ``` -------------------------------- ### GitLab CI/CD for StrikeOne Test Execution Source: https://docs.strikeone.io/integrations/remote-test-execution This GitLab CI/CD job demonstrates how to execute a StrikeOne test using `curl`. It sends a POST request to the StrikeOne API with the required headers and data. The `SO_API_TOKEN` should be configured as a CI/CD variable in your GitLab project. ```yaml strikeone-test: stage: test script: - echo "Execute StrikeOne Test" - RES=$(curl --request POST https://assessment.strikeone.io/api/vm/tests/external/execute --header "Content-Type:application/json" --header "Authorization:Bearer ${SO_API_TOKEN}" --data-raw '{"externalData":{"testName":"GitLab Test","parsedDomainId":"192079240","tool":"owasp_zap"}}') - echo RES is $RES ``` -------------------------------- ### Run Horusec Scan Source: https://docs.strikeone.io/scan-one/vuln-management Executes a Horusec security analysis. Requires Horusec binary and sudo. ```bash sudo horusec start ``` -------------------------------- ### Execute Nuclei Scan with Templates Source: https://docs.strikeone.io/scan-one/vuln-management Runs a Nuclei security scan. Requires Nuclei binary and sudo. Optionally accepts a comma-separated list of templates; defaults to 'nuclei-templates' if empty. ```bash sudo nuclei ``` -------------------------------- ### Execute SonarQube Scan with StrikeOne Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Executes a SonarQube security scan using the StrikeOne Docker image. It captures the output and checks for errors. ```bash echo "Executing Sonar Test..." export SONAR_TEST=$(docker run --rm strike1/execute-vm-test:latest python execute_test.py -ut $(SO_TOKEN) -tn test_name -an "$(REPO_NAME)" -tt sast -t sonarqube -d https://google.com -url https://$(GH_TOKEN)@github.com/user/repo.git -pn "$(REPO_NAME)" -pb main) echo "$SONAR_TEST" if echo "$SONAR_TEST" | grep -iq "Error"; then echo "[SH] Error al ejecutar test..." exit 1 fi ``` -------------------------------- ### Run GitLeaks Scan Source: https://docs.strikeone.io/scan-one/vuln-management Executes a GitLeaks scan to find secrets. Requires GitLeaks binary and sudo. ```bash sudo gitleaks detect ``` -------------------------------- ### Execute Nuclei Scan with Specific Templates Source: https://docs.strikeone.io/scan-one/vuln-management Runs a Nuclei security scan using a specified list of templates. Requires Nuclei binary and sudo. ```bash sudo nuclei -t nuclei-templates/http,nuclei-templates/dns ``` -------------------------------- ### Execute Nuclei Test with Templates Source: https://docs.strikeone.io/integrations/jenkins This snippet shows how to execute a Nuclei scan with specific templates by providing the `toolData` object. Ensure the `tool` is set to `nuclei` and the `templates` field is correctly formatted. ```json { "externalData": { "testName": "nuclei_scan_example", "parsedDomainId": "your_domain_id", "parsedScanId": "your_scan_id", "tool": "nuclei" }, "toolData": { "templates": "-u vuln,http" } } ``` -------------------------------- ### Pull Docker Image for StrikeOne Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Pulls the latest Docker image for StrikeOne execution. This is a prerequisite for running any tests. ```bash echo "Pulling Docker image..." docker pull strike1/execute-vm-test:latest ``` -------------------------------- ### Execute StrikeOne Test in GitLab CI/CD Source: https://docs.strikeone.io/integrations/gitlab-cicd This snippet demonstrates a GitLab CI/CD job that executes a StrikeOne test using a cURL command. Ensure you have set the SO_API_TOKEN environment variable in your GitLab project settings. ```yaml strikeone-test: stage: test script: - echo "Execute StrikeOne Test" - RES=$(curl --request POST https://assessment.strikeone.io/api/vm/tests/external/execute --header "Content-Type:application/json" --header "Authorization:Bearer ${SO_API_TOKEN}" --data-raw '{"externalData":{"testName":"GitLab Test","parsedDomainId":"192079240","parsedScanId":"192079369","tool":"owasp_zap"}}') - echo RES is $RES ``` -------------------------------- ### Jenkins Scripted Pipeline for StrikeOne Analysis Source: https://docs.strikeone.io/integrations/jenkins This pipeline automates vulnerability analysis using StrikeOne. It requires a 'nodejs_14.18.0' tool configured in Jenkins and a 'so_api_token' credential. ```groovy import groovy.json.JsonSlurperClassic node { env.NODEJS_HOME = "${tool 'nodejs_14.18.0'}" env.PATH = "${env.NODEJS_HOME}/bin:${env.PATH}" environment { SO_CREDENTIALS = credentials('so_api_token') } stage('Clean Workspace') { cleanWs() } stage('SCM') { checkout scm } stage('StrikeOne Admin Analysis') { withCredentials([string(credentialsId: 'so_api_token', variable: 'SO_API_TOKEN')]) { def toJson = { input -> groovy.json.JsonOutput.toJson(input) } def testBody = [ externalData: [ testName: 'Jenkins Test', parsedDomainId: '192079240', parsedScanId: '192079369', tool: 'owasp_zap' ] ] // EXECUTE VM TEST def testRes = httpRequest contentType: 'APPLICATION_JSON', httpMode: 'POST', requestBody: toJson(testBody), customHeaders: [[name:'Authorization', value: "Bearer $SO_API_TOKEN"]], url: 'https://assessment.strikeone.io/api/vm/tests/external/execute' def testJson = new JsonSlurperClassic().parseText(testRes.content) def testId = testJson.payload.testId def maximumChecks = 30 def checkTestStatus = { String test -> if (maximumChecks > 30) { echo "StrikeOne Vulnerability Management test took too long to complete." return true } sleep 60 def statusRes = httpRequest httpMode: 'GET', customHeaders: [[name:'Authorization', value: "Bearer ${SO_API_TOKEN}"]], url: "https://assessment.strikeone.io/api/vm/tests/external/status/${test}" def statusJson = new JsonSlurperClassic().parseText(statusRes.content) if (statusJson.payload.status == 'done') { echo "StrikeOne Vulnerability Management test completed." return true } if (statusJson.payload.status == 'failed') { error "StrikeOne Vulnerability Management test failed." } maximumChecks++ checkTestStatus(test) } checkTestStatus(testId) } } } ``` -------------------------------- ### Optional SAST Flags for StrikeOne VM Test Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Additional flags specifically for SAST analysis. These flags are used to specify repository details and SonarQube integration. ```bash -url, --urlproject Url of repo -pn, --projectname Name of repo -pb, --projectbranch Name of branch to analyze -qg, --qualitygate Return quality gate from SonarQube Instance ? (True) -surl, --sonarurl Url of SonarQube Instance -stoken, --sonartoken SonarQube User Token -se, --sonarexclusions SonarQube Exclusions ``` -------------------------------- ### Execute External Test from Jenkins Source: https://docs.strikeone.io/integrations/jenkins This Jenkins pipeline stage demonstrates how to initiate an external test using StrikeOne's API. It requires the `httpRequest` plugin and `jsonSlurperClassic` to be authorized. ```groovy stage('Execute External Test') { steps { script { def strikeOneToken = "YOUR_STRIKEONE_API_TOKEN" def testName = "your_test_name" def domainId = "your_domain_id" def scanId = "your_scan_id" def tool = "nuclei" def payload = [ externalData: [ testName: testName, parsedDomainId: domainId, parsedScanId: scanId, tool: tool ] ] def response = httpRequest( url: "https://your-strikeone-instance.com/api/vm/tests/external/execute", method: 'POST', contentType: 'APPLICATION_JSON', customHeaders: [ Authorization: "Bearer ${strikeOneToken}" ], requestBody: groovy.json.JsonOutput.toJson(payload) ) def testId = new JsonSlurperClassic().parseText(response.content).testId // Optional: Poll for test status def testStatus = '' while (testStatus != 'COMPLETED' && testStatus != 'FAILED') { sleep 60 def statusResponse = httpRequest( url: "https://your-strikeone-instance.com/api/vm/tests/external/status/${testId}", method: 'GET', contentType: 'APPLICATION_JSON', customHeaders: [ Authorization: "Bearer ${strikeOneToken}" ] ) testStatus = new JsonSlurperClassic().parseText(statusResponse.content).status echo "Test status: ${testStatus}" } if (testStatus == 'FAILED') { error('StrikeOne test failed') } } } } ``` -------------------------------- ### Jenkins Pipeline for StrikeOne Test Execution Source: https://docs.strikeone.io/integrations/remote-test-execution This Jenkins pipeline script automates the execution of a StrikeOne vulnerability scan. It includes stages for cleaning the workspace, checking out code, and executing the scan with status checking. Ensure the 'nodejs_14.18.0' tool is configured in Jenkins and the 'so_api_token' credential is set up. ```groovy import groovy.json.JsonSlurperClassic node { env.NODEJS_HOME = "${tool 'nodejs_14.18.0'}" env.PATH = "${env.NODEJS_HOME}/bin:${env.PATH}" environment { SO_CREDENTIALS = credentials('so_api_token') } stage('Clean Workspace') { cleanWs() } stage('SCM') { checkout scm } stage('StrikeOne Admin Analysis') { withCredentials([string(credentialsId: 'so_api_token', variable: 'SO_API_TOKEN')]) { def toJson = { input -> groovy.json.JsonOutput.toJson(input) } def testBody = [ externalData: [ testName: 'Jenkins Test', parsedDomainId: '192079240', tool: 'owasp_zap' ] ] // EXECUTE VM TEST def testRes = httpRequest contentType: 'APPLICATION_JSON', httpMode: 'POST', requestBody: toJson(testBody), customHeaders: [[name:'Authorization', value: "Bearer $SO_API_TOKEN"]], url: 'https://assessment.strikeone.io/api/vm/tests/external/execute' def testJson = new JsonSlurperClassic().parseText(testRes.content) def testId = testJson.payload.testId def maximumChecks = 30 def checkTestStatus = { String test -> if (maximumChecks > 30) { echo "StrikeOne Vulnerability Management test took too long to complete." return true } sleep 60 def statusRes = httpRequest httpMode: 'GET', customHeaders: [[name:'Authorization', value: "Bearer ${SO_API_TOKEN}"]], url: "https://assessment.strikeone.io/api/vm/tests/external/status/${test}" def statusJson = new JsonSlurperClassic().parseText(statusRes.content) if (statusJson.payload.status == 'done') { echo "StrikeOne Vulnerability Management test completed." return true } if (statusJson.payload.status == 'failed') { error "StrikeOne Vulnerability Management test failed." } maximumChecks++ checkTestStatus(test) } checkTestStatus(testId) } } } ``` -------------------------------- ### Azure Pipelines CI Configuration Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Basic Azure Pipelines configuration for a CI build. This snippet sets up triggers, specifies the agent, and defines a variable for the repository name. ```yaml # Pipeline name name: CI-$(Build.BuildId) # Triggers trigger: branches: include: - main # Specify Agent pool: vmImage: 'ubuntu-latest' # Variables variables: REPO_NAME: $(Build.Repository.Name) # Obtain name of repository ``` -------------------------------- ### StrikeOne VM Test Flags Source: https://docs.strikeone.io/integrations/remote-test-execution-v2 Common flags for the execute_test.py script. These flags control user authentication, test identification, asset details, and test type. ```bash -ut, --usertoken User token from StrikeOne -tn, --testname Test name -an, --assetname Asset name -tt, --typetest Type of test (sast/dast) -t, --tool Tool to execute scan -d, --domain Domain to DAST test and assign vulnerabilities ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.