diff --git a/README.md b/README.md index c6a2ec1..982a655 100644 --- a/README.md +++ b/README.md @@ -216,6 +216,19 @@ cyclonedx-cli validate --input-file armis-cli-linux-amd64.tar.gz.sbom.cdx.json ### Set up authentication +#### JWT Authentication (Recommended) + +Obtain client credentials from the VIPR external API screen in the Armis platform. + +```bash +export ARMIS_CLIENT_ID="your-client-id" +export ARMIS_CLIENT_SECRET="your-client-secret" +``` + +The tenant ID is automatically extracted from the JWT token — no need to set it separately. + +#### Basic Authentication (Legacy) + ```bash export ARMIS_API_TOKEN="your-api-token" export ARMIS_TENANT_ID="your-tenant-id" @@ -242,8 +255,11 @@ armis-cli scan image nginx:latest #### Authentication Flags ```text ---token string API token for authentication (env: ARMIS_API_TOKEN) ---tenant-id string Tenant identifier (env: ARMIS_TENANT_ID) +--client-id string Client ID for JWT authentication (env: ARMIS_CLIENT_ID) [recommended] +--client-secret string Client secret for JWT authentication (env: ARMIS_CLIENT_SECRET) [recommended] +--region string Armis cloud region (env: ARMIS_REGION) +--token string API token for Basic authentication (env: ARMIS_API_TOKEN) [legacy] +--tenant-id string Tenant identifier for Basic auth (env: ARMIS_TENANT_ID) [legacy] ``` #### General Flags @@ -266,17 +282,17 @@ armis-cli scan image nginx:latest Scans a local directory, creates a tarball, and uploads to Armis Cloud for analysis. ```bash -armis-cli scan repo [path] --tenant-id [tenant-id] +armis-cli scan repo [path] ``` **Size Limit**: 2GB **Example**: ```bash -armis-cli scan repo ./my-app --tenant-id my-tenant --format json --fail-on HIGH,CRITICAL +armis-cli scan repo ./my-app --format json --fail-on HIGH,CRITICAL # Generate SBOM and VEX documents -armis-cli scan repo ./my-app --tenant-id my-tenant --sbom --vex +armis-cli scan repo ./my-app --sbom --vex ``` ### Scan Container Image 
@@ -284,8 +300,8 @@ armis-cli scan repo ./my-app --tenant-id my-tenant --sbom --vex Scans a container image (local or remote) or a tarball. ```bash -armis-cli scan image [image-name] --tenant-id [tenant-id] -armis-cli scan image --tarball [path-to-tarball] --tenant-id [tenant-id] +armis-cli scan image [image-name] +armis-cli scan image --tarball [path-to-tarball] ``` **Size Limit**: 5GB @@ -293,11 +309,11 @@ armis-cli scan image --tarball [path-to-tarball] --tenant-id [tenant-id] ```bash # Scan remote image -armis-cli scan image nginx:latest --tenant-id my-tenant +armis-cli scan image nginx:latest # Scan local image -armis-cli scan image my-app:v1.0.0 --tenant-id my-tenant +armis-cli scan image my-app:v1.0.0 # Scan tarball -armis-cli scan image --tarball ./image.tar --tenant-id my-tenant +armis-cli scan image --tarball ./image.tar ``` #### Pull Policy @@ -400,8 +416,10 @@ jobs: **Required secrets:** -- `api-token`: Armis API token for authentication -- `tenant-id`: Tenant identifier for Armis Cloud +- `api-token`: Armis API token for authentication (legacy — JWT support coming soon) +- `tenant-id`: Tenant identifier for Armis Cloud (legacy — not needed with JWT) + +> **Note:** The reusable workflow currently accepts Basic auth secrets. For JWT authentication in CI, set `ARMIS_CLIENT_ID` and `ARMIS_CLIENT_SECRET` as environment variables directly in your workflow steps (see [Manual Installation](#option-3-manual-installation) below). #### Option 2: GitHub Action @@ -452,10 +470,10 @@ jobs: curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash - name: Scan Repository env: - ARMIS_API_TOKEN: ${{ secrets.ARMIS_API_TOKEN }} + ARMIS_CLIENT_ID: ${{ secrets.ARMIS_CLIENT_ID }} + ARMIS_CLIENT_SECRET: ${{ secrets.ARMIS_CLIENT_SECRET }} run: | armis-cli scan repo . \ - --tenant-id "${{ secrets.ARMIS_TENANT_ID }}" \ --format sarif \ --fail-on HIGH,CRITICAL \ > results.sarif 
@@ -475,10 +493,10 @@ security-scan: - apk add --no-cache curl bash - curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash script: - - armis-cli scan repo . --tenant-id "$ARMIS_TENANT_ID" --format json --fail-on CRITICAL + - armis-cli scan repo . --format json --fail-on CRITICAL variables: - ARMIS_API_TOKEN: $ARMIS_API_TOKEN - ARMIS_TENANT_ID: $ARMIS_TENANT_ID + ARMIS_CLIENT_ID: $ARMIS_CLIENT_ID + ARMIS_CLIENT_SECRET: $ARMIS_CLIENT_SECRET ``` ### Jenkins @@ -487,15 +505,15 @@ security-scan: pipeline { agent any environment { - ARMIS_API_TOKEN = credentials('armis-api-token') - ARMIS_TENANT_ID = credentials('armis-tenant-id') + ARMIS_CLIENT_ID = credentials('armis-client-id') + ARMIS_CLIENT_SECRET = credentials('armis-client-secret') } stages { stage('Security Scan') { steps { sh ''' curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash - armis-cli scan repo . --tenant-id "$ARMIS_TENANT_ID" --format junit > scan-results.xml + armis-cli scan repo . --format junit > scan-results.xml ''' junit 'scan-results.xml' } @@ -516,9 +534,10 @@ steps: curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash displayName: 'Install Armis CLI' - script: | - armis-cli scan repo . --tenant-id "$(ARMIS_TENANT_ID)" --format junit > $(Build.ArtifactStagingDirectory)/scan-results.xml + armis-cli scan repo . --format junit > $(Build.ArtifactStagingDirectory)/scan-results.xml env: - ARMIS_API_TOKEN: $(ARMIS_API_TOKEN) + ARMIS_CLIENT_ID: $(ARMIS_CLIENT_ID) + ARMIS_CLIENT_SECRET: $(ARMIS_CLIENT_SECRET) displayName: 'Run Security Scan' - task: PublishTestResults@2 inputs: @@ -543,7 +562,7 @@ jobs: - run: name: Run Security Scan command: | - armis-cli scan repo . --tenant-id "$ARMIS_TENANT_ID" --format json --fail-on HIGH,CRITICAL + armis-cli scan repo . --format json --fail-on HIGH,CRITICAL workflows: version: 2 scan: 
@@ -563,19 +582,29 @@ pipelines: script: - apk add --no-cache curl bash - curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash - - armis-cli scan repo . --tenant-id "$ARMIS_TENANT_ID" --format json --fail-on CRITICAL + - armis-cli scan repo . --format json --fail-on CRITICAL ``` --- ## Environment Variables -**Authentication:** +**JWT Authentication (Recommended):** + +| Variable | Description | +|----------|-------------| +| `ARMIS_CLIENT_ID` | Client ID for JWT authentication (from VIPR external API screen) | +| `ARMIS_CLIENT_SECRET` | Client secret for JWT authentication | +| `ARMIS_REGION` | Armis cloud region (equivalent to `--region` flag) | + +When using JWT authentication, the tenant ID is automatically extracted from the token. + +**Basic Authentication (Legacy):** | Variable | Description | |----------|-------------| -| `ARMIS_API_TOKEN` | API token for authentication | -| `ARMIS_TENANT_ID` | Tenant identifier | +| `ARMIS_API_TOKEN` | API token for Basic authentication | +| `ARMIS_TENANT_ID` | Tenant identifier (required only with Basic auth) | **General:** @@ -592,8 +621,9 @@ pipelines: - Repositories: 2GB - Container Images: 5GB - **Authentication Security**: - - API tokens should be stored securely and never committed to version control - - Rotate tokens periodically + - Client credentials and API tokens should be stored securely and never committed to version control + - Use JWT authentication (client ID/secret) for production — it supports automatic token refresh and does not require a separate tenant ID + - Rotate credentials periodically - Credentials are never logged or exposed in output - **Secure Transport**: All API communication uses HTTPS - **Automatic Cleanup**: Temporary files are cleaned up after use diff --git a/docs/CI-INTEGRATION.md b/docs/CI-INTEGRATION.md index 0c4272c..44df91e 100644 --- a/docs/CI-INTEGRATION.md +++ b/docs/CI-INTEGRATION.md 
@@ -61,9 +61,9 @@ That's it! This will: # Install curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash -# Run scan -export ARMIS_API_TOKEN="your-token" -export ARMIS_TENANT_ID="your-tenant" +# Run scan (JWT auth - recommended) +export ARMIS_CLIENT_ID="your-client-id" +export ARMIS_CLIENT_SECRET="your-client-secret" armis-cli scan repo . --format sarif --fail-on CRITICAL ``` @@ -71,24 +71,35 @@ armis-cli scan repo . --format sarif --fail-on CRITICAL ## Authentication -The Armis CLI authenticates using an API token and tenant identifier. +The Armis CLI supports two authentication methods. JWT authentication is recommended. -**Required credentials:** +### JWT Authentication (Recommended) + +Obtain client credentials from the VIPR external API screen in the Armis platform. | Credential | Environment Variable | CLI Flag | Description | |------------|---------------------|----------|-------------| -| API Token | `ARMIS_API_TOKEN` | `--token` | API token for authentication | -| Tenant ID | `ARMIS_TENANT_ID` | `--tenant-id` | Tenant identifier | +| Client ID | `ARMIS_CLIENT_ID` | `--client-id` | Client ID for JWT authentication | +| Client Secret | `ARMIS_CLIENT_SECRET` | `--client-secret` | Client secret for JWT authentication | + +The tenant ID is automatically extracted from the JWT token — no need to set it separately. **Example:** ```bash -export ARMIS_API_TOKEN="your-api-token" -export ARMIS_TENANT_ID="your-tenant-id" +export ARMIS_CLIENT_ID="your-client-id" +export ARMIS_CLIENT_SECRET="your-client-secret" armis-cli scan repo . ``` +### Basic Authentication (Legacy) + +| Credential | Environment Variable | CLI Flag | Description | +|------------|---------------------|----------|-------------| +| API Token | `ARMIS_API_TOKEN` | `--token` | API token for authentication | +| Tenant ID | `ARMIS_TENANT_ID` | `--tenant-id` | Tenant identifier | + --- ## GitHub Actions 
@@ -145,8 +156,10 @@ jobs: | Secret | Description | |--------|-------------| -| `api-token` | Armis API token | -| `tenant-id` | Tenant identifier for Armis Cloud | +| `api-token` | Armis API token (Basic auth) | +| `tenant-id` | Tenant identifier (Basic auth) | + +> **Note:** The reusable workflow currently accepts Basic auth secrets only. For JWT authentication (recommended), use [Option 3: Manual Installation](#option-3-manual-installation) with `ARMIS_CLIENT_ID` and `ARMIS_CLIENT_SECRET` environment variables. #### Required Permissions @@ -258,10 +271,10 @@ jobs: - name: Run Security Scan env: - ARMIS_API_TOKEN: ${{ secrets.ARMIS_API_TOKEN }} + ARMIS_CLIENT_ID: ${{ secrets.ARMIS_CLIENT_ID }} + ARMIS_CLIENT_SECRET: ${{ secrets.ARMIS_CLIENT_SECRET }} run: | armis-cli scan repo . \ - --tenant-id "${{ secrets.ARMIS_TENANT_ID }}" \ --format sarif \ --fail-on HIGH,CRITICAL \ > results.sarif @@ -397,10 +410,10 @@ jobs: - name: Run Security Scan with SBOM/VEX env: - ARMIS_API_TOKEN: ${{ secrets.ARMIS_API_TOKEN }} + ARMIS_CLIENT_ID: ${{ secrets.ARMIS_CLIENT_ID }} + ARMIS_CLIENT_SECRET: ${{ secrets.ARMIS_CLIENT_SECRET }} run: | armis-cli scan repo . \ - --tenant-id "${{ secrets.ARMIS_TENANT_ID }}" \ --format sarif \ --sbom --vex \ --sbom-output ./artifacts/sbom.json \ @@ -532,8 +545,8 @@ security-scan: script: - armis-cli scan repo . --format json --fail-on CRITICAL variables: - ARMIS_API_TOKEN: $ARMIS_API_TOKEN - ARMIS_TENANT_ID: $ARMIS_TENANT_ID + ARMIS_CLIENT_ID: $ARMIS_CLIENT_ID + ARMIS_CLIENT_SECRET: $ARMIS_CLIENT_SECRET ``` Configure credentials as [protected CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables). @@ -547,8 +560,8 @@ pipeline { agent any environment { - ARMIS_API_TOKEN = credentials('armis-api-token') - ARMIS_TENANT_ID = credentials('armis-tenant-id') + ARMIS_CLIENT_ID = credentials('armis-client-id') + ARMIS_CLIENT_SECRET = credentials('armis-client-secret') } stages { 
@@ -588,7 +601,7 @@ pool: vmImage: 'ubuntu-latest' variables: - - group: armis-credentials # Contains ARMIS_API_TOKEN and ARMIS_TENANT_ID + - group: armis-credentials # Contains ARMIS_CLIENT_ID and ARMIS_CLIENT_SECRET steps: - script: | @@ -602,8 +615,8 @@ steps: > $(Build.ArtifactStagingDirectory)/scan-results.xml displayName: 'Run Security Scan' env: - ARMIS_API_TOKEN: $(ARMIS_API_TOKEN) - ARMIS_TENANT_ID: $(ARMIS_TENANT_ID) + ARMIS_CLIENT_ID: $(ARMIS_CLIENT_ID) + ARMIS_CLIENT_SECRET: $(ARMIS_CLIENT_SECRET) - task: PublishTestResults@2 inputs: @@ -643,7 +656,7 @@ workflows: security: jobs: - security-scan: - context: armis-credentials # Contains ARMIS_API_TOKEN, ARMIS_TENANT_ID + context: armis-credentials # Contains ARMIS_CLIENT_ID, ARMIS_CLIENT_SECRET ``` Configure secrets using [Contexts](https://circleci.com/docs/contexts/). @@ -675,7 +688,7 @@ pipelines: - armis-cli scan repo . --format json --fail-on CRITICAL ``` -Configure `ARMIS_API_TOKEN` and `ARMIS_TENANT_ID` as [secured repository variables](https://support.atlassian.com/bitbucket-cloud/docs/variables-and-secrets/). +Configure `ARMIS_CLIENT_ID` and `ARMIS_CLIENT_SECRET` as [secured repository variables](https://support.atlassian.com/bitbucket-cloud/docs/variables-and-secrets/). --- 
@@ -701,20 +714,21 @@ Configure `ARMIS_API_TOKEN` and `ARMIS_TENANT_ID` as [secured repository variabl #### "tenant ID required" -- You must provide `--tenant-id` along with `--token` -- Set the `ARMIS_TENANT_ID` environment variable or secret +- This only applies to Basic (legacy) authentication +- Provide `--tenant-id` along with `--token`, or switch to JWT authentication (recommended) where tenant ID is extracted automatically #### "API token not set" -- Ensure `ARMIS_API_TOKEN` is configured as a secret +- If using JWT: ensure `ARMIS_CLIENT_ID` and `ARMIS_CLIENT_SECRET` are configured as secrets +- If using Basic auth: ensure `ARMIS_API_TOKEN` is configured as a secret - Check that the secret is accessible to the workflow/job - Verify the secret name matches exactly (case-sensitive) #### "Invalid token" or "Unauthorized" -- Verify the token is valid and not expired -- Check that the tenant ID matches the token's tenant -- Ensure the token has sufficient permissions +- Verify the credentials are valid and not expired +- If using Basic auth, check that the tenant ID matches the token's tenant +- Ensure the credentials have sufficient permissions ### Timeout Issues @@ -753,10 +767,11 @@ The reusable workflow's "Check for Failures" step differentiates between: ### Secret Management - **Never commit credentials** to version control +- Use **JWT authentication** (client ID/secret) for production — it supports automatic token refresh - Use **organization-level secrets** when possible for centralized management - Use **environment-specific credentials** for production vs development -- Rotate API tokens periodically -- Store `api-token` and `tenant-id` as separate secrets +- Rotate credentials periodically +- Store client ID and client secret as separate secrets ### Permissions diff --git a/docs/CI-SETUP.md b/docs/CI-SETUP.md index 9779caf..528e8dc 100644 --- a/docs/CI-SETUP.md +++ b/docs/CI-SETUP.md 
@@ -30,17 +30,24 @@ The pipeline consists of two jobs: ### Required Secrets -The pipeline requires one GitHub secret: +#### JWT Authentication (Recommended) -- `ARMIS_API_TOKEN`: API token for authenticating with Armis Cloud +Obtain credentials from the VIPR external API screen in the Armis platform: -To set this up: +- `ARMIS_CLIENT_ID`: Client ID for JWT authentication +- `ARMIS_CLIENT_SECRET`: Client secret for JWT authentication + +#### Basic Authentication (Legacy) + +- `ARMIS_API_TOKEN`: API token for Basic authentication +- `ARMIS_TENANT_ID`: Tenant identifier (not needed with JWT) + +To set up secrets: 1. Go to your repository settings 2. Navigate to Secrets and variables → Actions 3. Click "New repository secret" -4. Name: `ARMIS_API_TOKEN` -5. Value: Your Armis Cloud API token +4. Add `ARMIS_CLIENT_ID` and `ARMIS_CLIENT_SECRET` (or `ARMIS_API_TOKEN` for legacy auth) ### Severity Thresholds @@ -68,7 +75,8 @@ make scan Or manually: ```bash -export ARMIS_API_TOKEN="your-token" +export ARMIS_CLIENT_ID="your-client-id" +export ARMIS_CLIENT_SECRET="your-client-secret" ./bin/armis scan repo . --fail-on CRITICAL,HIGH ``` @@ -135,14 +143,15 @@ on: ## Troubleshooting -### Pipeline Fails with "ARMIS_API_TOKEN not set" +### Pipeline Fails with Authentication Errors -- Ensure the secret is configured in repository settings -- Check that the secret name matches exactly: `ARMIS_API_TOKEN` +- For JWT (recommended): ensure `ARMIS_CLIENT_ID` and `ARMIS_CLIENT_SECRET` are configured in repository settings +- For Basic auth (legacy): ensure `ARMIS_API_TOKEN` is configured +- Check that secret names match exactly (case-sensitive) ### Pipeline Fails with "API connection error" -- Verify the API token is valid +- Verify the credentials are valid - Check if Armis Cloud API is accessible from GitHub Actions runners - Review the API endpoint configuration diff --git a/docs/FEATURES.md b/docs/FEATURES.md index 7ddd238..01b8914 100644 --- a/docs/FEATURES.md +++ b/docs/FEATURES.md 
@@ -134,9 +134,11 @@ Generate SBOM and VEX as part of your CI pipeline: ```yaml # GitHub Actions example - name: Security Scan with SBOM + env: + ARMIS_CLIENT_ID: ${{ secrets.ARMIS_CLIENT_ID }} + ARMIS_CLIENT_SECRET: ${{ secrets.ARMIS_CLIENT_SECRET }} run: | armis-cli scan repo . \ - --tenant-id "${{ secrets.ARMIS_TENANT_ID }}" \ --sbom --vex \ --sbom-output ./artifacts/sbom.json \ --vex-output ./artifacts/vex.json @@ -288,14 +290,16 @@ armis-cli scan repo . \ ### Environment Variables -**Authentication (choose one method):** +**Authentication:** + +JWT authentication is recommended. Obtain JWT credentials from the VIPR external API screen in the Armis platform. | Variable | Description | |----------|-------------| -| `ARMIS_CLIENT_ID` | Client ID for JWT authentication | -| `ARMIS_CLIENT_SECRET` | Client secret for JWT authentication | -| `ARMIS_API_TOKEN` | API token for Basic authentication | -| `ARMIS_TENANT_ID` | Tenant identifier (required for Basic auth only) | +| `ARMIS_CLIENT_ID` | Client ID for JWT authentication (recommended) | +| `ARMIS_CLIENT_SECRET` | Client secret for JWT authentication (recommended) | +| `ARMIS_API_TOKEN` | API token for Basic authentication (legacy) | +| `ARMIS_TENANT_ID` | Tenant identifier (legacy, not needed with JWT) | | `ARMIS_API_URL` | Override base URL for Armis API and authentication (advanced) | | `ARMIS_REGION` | Authentication region override (advanced; corresponds to `--region` flag) | diff --git a/docs/ci-examples/Jenkinsfile b/docs/ci-examples/Jenkinsfile index d8f78d9..446dc6d 100644 --- a/docs/ci-examples/Jenkinsfile +++ b/docs/ci-examples/Jenkinsfile @@ -1,10 +1,11 @@ pipeline { agent any - + environment { - ARMIS_API_TOKEN = credentials('armis-api-token') + ARMIS_CLIENT_ID = credentials('armis-client-id') + ARMIS_CLIENT_SECRET = credentials('armis-client-secret') } - + stages { stage('Install Armis CLI') { steps { @@ -13,7 +14,7 @@ pipeline { ''' } } - + stage('Security Scan') { steps { sh ''' 
@@ -27,7 +28,7 @@ pipeline { } } } - + post { failure { echo 'Security scan found critical vulnerabilities!' diff --git a/docs/ci-examples/README.md b/docs/ci-examples/README.md index 358a88e..ef6b673 100644 --- a/docs/ci-examples/README.md +++ b/docs/ci-examples/README.md @@ -25,12 +25,23 @@ For comprehensive documentation including advanced patterns and troubleshooting, ## Required Secrets -All examples require these secrets to be configured in your CI platform: +All examples require authentication secrets to be configured in your CI platform. + +**JWT Authentication (Recommended):** + +Obtain credentials from the VIPR external API screen in the Armis platform. + +| Secret | Description | +|--------|-------------| +| `ARMIS_CLIENT_ID` | Client ID for JWT authentication | +| `ARMIS_CLIENT_SECRET` | Client secret for JWT authentication | + +**Basic Authentication (Legacy):** | Secret | Description | |--------|-------------| -| `ARMIS_API_TOKEN` | Your Armis API token for authentication | -| `ARMIS_TENANT_ID` | Your Armis tenant identifier | +| `ARMIS_API_TOKEN` | API token for Basic authentication | +| `ARMIS_TENANT_ID` | Tenant identifier (not needed with JWT) | ## SBOM and VEX Generation @@ -38,7 +49,6 @@ Generate Software Bill of Materials and Vulnerability Exploitability eXchange do ```bash armis-cli scan repo . \ - --tenant-id "$ARMIS_TENANT_ID" \ --sbom --vex \ --sbom-output ./artifacts/sbom.json \ --vex-output ./artifacts/vex.json diff --git a/docs/ci-examples/azure-pipelines.yml b/docs/ci-examples/azure-pipelines.yml index 9a2a184..2e94c2e 100644 --- a/docs/ci-examples/azure-pipelines.yml +++ b/docs/ci-examples/azure-pipelines.yml @@ -1,3 +1,4 @@ +--- trigger: branches: include: 
@@ -8,23 +9,25 @@ pool: vmImage: 'ubuntu-latest' variables: - ARMIS_API_TOKEN: $(ARMIS_API_TOKEN) + ARMIS_CLIENT_ID: $(ARMIS_CLIENT_ID) + ARMIS_CLIENT_SECRET: $(ARMIS_CLIENT_SECRET) steps: -- script: | - curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash - displayName: 'Install Armis CLI' + - script: | + curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash + displayName: 'Install Armis CLI' -- script: | - armis-cli scan repo . --format junit --fail-on HIGH,CRITICAL > $(Build.ArtifactStagingDirectory)/scan-results.xml - displayName: 'Run Security Scan' - env: - ARMIS_API_TOKEN: $(ARMIS_API_TOKEN) + - script: | + armis-cli scan repo . --format junit --fail-on HIGH,CRITICAL > $(Build.ArtifactStagingDirectory)/scan-results.xml + displayName: 'Run Security Scan' + env: + ARMIS_CLIENT_ID: $(ARMIS_CLIENT_ID) + ARMIS_CLIENT_SECRET: $(ARMIS_CLIENT_SECRET) -- task: PublishTestResults@2 - condition: always() - inputs: - testResultsFormat: 'JUnit' - testResultsFiles: '**/scan-results.xml' - failTaskOnFailedTests: true - displayName: 'Publish Scan Results' + - task: PublishTestResults@2 + condition: always() + inputs: + testResultsFormat: 'JUnit' + testResultsFiles: '**/scan-results.xml' + failTaskOnFailedTests: true + displayName: 'Publish Scan Results' diff --git a/docs/ci-examples/circleci-config.yml b/docs/ci-examples/circleci-config.yml index ee4d982..6c7d3c4 100644 --- a/docs/ci-examples/circleci-config.yml +++ b/docs/ci-examples/circleci-config.yml 
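Review bot: The top-level `variables:` block now declares `ARMIS_CLIENT_SECRET: $(ARMIS_CLIENT_SECRET)`, a self-referential mapping that cannot supply a value by itself — the secret has to exist as a secret variable in the pipeline settings or a variable group, and in Azure Pipelines secret variables only reach a script through a step-level `env:` mapping, which the 'Run Security Scan' step already has. I would drop the top-level block so a reader copying this example is not led to believe it is what provides the credentials, and put a comment on the step instead, e.g. `# ARMIS_CLIENT_ID / ARMIS_CLIENT_SECRET must be defined as *secret* variables (pipeline settings or variable group)`. If the intent was to reference a variable group, `variables: - group: armis-credentials` as used in the CI-INTEGRATION.md example is the right form. Unrelated to the credential change but worth flagging in a copy-paste example: the install step still pipes `scripts/install.sh` from the mutable `main` ref straight into `bash` with no pinning or checksum, even though the README elsewhere walks users through verifying the release SBOM.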
@@ -1,24 +1,26 @@ +--- version: 2.1 jobs: security-scan: docker: - image: cimg/base@sha256:15eda1bafc1ec89dd277633d7fbe63b71a4572881685697b9f478d2f7a9a0c4d - + steps: - checkout - + - run: name: Install Armis CLI command: | curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash - + - run: name: Run Security Scan command: | armis-cli scan repo . --format json --fail-on HIGH,CRITICAL environment: - ARMIS_API_TOKEN: ${ARMIS_API_TOKEN} + ARMIS_CLIENT_ID: ${ARMIS_CLIENT_ID} + ARMIS_CLIENT_SECRET: ${ARMIS_CLIENT_SECRET} workflows: version: 2 diff --git a/docs/ci-examples/github-actions-pr-scan.yml b/docs/ci-examples/github-actions-pr-scan.yml index 0474c2b..cbd5469 100644 --- a/docs/ci-examples/github-actions-pr-scan.yml +++ b/docs/ci-examples/github-actions-pr-scan.yml @@ -1,3 +1,4 @@ +--- # GitHub Actions - PR Scanning with Changed Files # # This workflow scans only the files changed in a pull request for faster feedback. @@ -8,7 +9,11 @@ # - Focused results on PR changes # - Excludes test files that may contain intentional security patterns # -# Required secrets: +# Required secrets (JWT - recommended): +# - ARMIS_CLIENT_ID: Client ID from VIPR external API screen +# - ARMIS_CLIENT_SECRET: Client secret from VIPR external API screen +# +# Legacy secrets (Basic auth): # - ARMIS_API_TOKEN: Your Armis API token # - ARMIS_TENANT_ID: Your Armis tenant identifier diff --git a/docs/ci-examples/github-actions-reusable.yml b/docs/ci-examples/github-actions-reusable.yml index 916ef25..9dc07ee 100644 --- a/docs/ci-examples/github-actions-reusable.yml +++ b/docs/ci-examples/github-actions-reusable.yml @@ -1,3 +1,4 @@ +--- # GitHub Actions - Reusable Workflow (Recommended) # # This is the simplest way to integrate Armis security scanning. 
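Review bot: The step-level `environment:` block sets `ARMIS_CLIENT_ID: ${ARMIS_CLIENT_ID}` and `ARMIS_CLIENT_SECRET: ${ARMIS_CLIENT_SECRET}`, but as far as I know CircleCI does not perform shell interpolation inside `environment:` values, so the CLI would receive the literal text `${ARMIS_CLIENT_SECRET}` — and because step-level `environment:` takes precedence, it would shadow the real values injected by the `armis-credentials` context that CI-INTEGRATION.md tells users to configure. Since a context already exports both variables into the job, the fix is to delete the `environment:` block from the 'Run Security Scan' step and add a comment such as `# Credentials come from the armis-credentials context (Organization Settings → Contexts)`. If a per-step assignment is truly wanted, do it in the shell (`export ARMIS_CLIENT_ID="$ARMIS_CLIENT_ID"` inside `command:`), though that is redundant here. The pre-existing `ARMIS_API_TOKEN: ${ARMIS_API_TOKEN}` line had the same problem, so this commit carries the issue forward rather than introducing it.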
@@ -8,6 +9,9 @@ # - Artifact storage # # Required secrets: +# The reusable workflow currently accepts Basic auth secrets (api-token/tenant-id). +# For JWT authentication (recommended), use manual installation instead. +# # - ARMIS_API_TOKEN: Your Armis API token # - ARMIS_TENANT_ID: Your Armis tenant identifier diff --git a/docs/ci-examples/github-actions-scheduled.yml b/docs/ci-examples/github-actions-scheduled.yml index 3153add..763ce7d 100644 --- a/docs/ci-examples/github-actions-scheduled.yml +++ b/docs/ci-examples/github-actions-scheduled.yml @@ -1,3 +1,4 @@ +--- # GitHub Actions - Scheduled Security Scan # # This workflow runs comprehensive security scans on a schedule for ongoing monitoring. @@ -8,7 +9,11 @@ # - Detecting vulnerabilities in dependencies (new CVEs) # - Compliance reporting # -# Required secrets: +# Required secrets (JWT - recommended): +# - ARMIS_CLIENT_ID: Client ID from VIPR external API screen +# - ARMIS_CLIENT_SECRET: Client secret from VIPR external API screen +# +# Legacy secrets (Basic auth): # - ARMIS_API_TOKEN: Your Armis API token # - ARMIS_TENANT_ID: Your Armis tenant identifier diff --git a/docs/ci-examples/github-actions.yml b/docs/ci-examples/github-actions.yml index ffd0a33..2c88bc0 100644 --- a/docs/ci-examples/github-actions.yml +++ b/docs/ci-examples/github-actions.yml @@ -1,9 +1,14 @@ +--- # GitHub Actions - Direct Action Usage # # This example uses the Armis CLI GitHub Action directly. # For the recommended reusable workflow approach, see github-actions-reusable.yml # -# Required secrets: +# Required secrets (JWT - recommended): +# - ARMIS_CLIENT_ID: Client ID from VIPR external API screen +# - ARMIS_CLIENT_SECRET: Client secret from VIPR external API screen +# +# Legacy secrets (Basic auth): # - ARMIS_API_TOKEN: Your Armis API token # - ARMIS_TENANT_ID: Your Armis tenant identifier diff --git a/docs/ci-examples/gitlab-ci.yml b/docs/ci-examples/gitlab-ci.yml index 2b104be..c3e01f6 100644 
--- a/docs/ci-examples/gitlab-ci.yml +++ b/docs/ci-examples/gitlab-ci.yml @@ -1,20 +1,22 @@ +--- stages: - security security-scan: stage: security image: alpine:latest - + before_script: - apk add --no-cache curl bash docker - + script: - curl -sSL https://raw.githubusercontent.com/ArmisSecurity/armis-cli/main/scripts/install.sh | bash - armis-cli scan repo . --format json --fail-on HIGH,CRITICAL - + variables: - ARMIS_API_TOKEN: $ARMIS_API_TOKEN - + ARMIS_CLIENT_ID: $ARMIS_CLIENT_ID + ARMIS_CLIENT_SECRET: $ARMIS_CLIENT_SECRET + only: - main - merge_requests
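Review bot: Re-declaring `ARMIS_CLIENT_ID: $ARMIS_CLIENT_ID` and `ARMIS_CLIENT_SECRET: $ARMIS_CLIENT_SECRET` under job-level `variables:` adds nothing — project/group CI/CD variables are already exposed to every job — and a definition that references itself is at best a no-op, so I would remove the block and replace it with a comment: `# ARMIS_CLIENT_ID / ARMIS_CLIENT_SECRET: define as masked (and, for release branches, protected) CI/CD variables in project settings`. More importantly, CI-INTEGRATION.md tells users to store these as protected variables, yet the job runs under `only: merge_requests`; protected variables are exposed only to pipelines on protected branches and tags, so merge-request pipelines from ordinary feature branches would run with empty credentials and fail authentication, while leaving the variables unprotected exposes them to MR pipelines from forks. The example should either limit the job to protected refs or state that trade-off in a comment next to the `only:` block so integrators make the choice consciously. The `variables:` and `only:` lines are inside the hunk; the rest of the job definition is unchanged context.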