Getting Started
On this page, you will find all the information you need to dive into the Security Bot (SecBot) project:
- set up the service and the documentation generator it uses,
- configure and integrate it with your service,
- ensure communication via API, and
- get familiar with the main concepts and limits.
More detailed descriptions and insights are provided on separate pages of this documentation.
Prerequisites
Since SecBot is a Python application running in a container on Kubernetes, make sure that the relevant components and their packages are installed and available in your local environment.
Kubernetes-related:
Container registry, for example Docker Hub
and other Containerization tools, for example Docker Compose
Python-related:
Additionally, we employ
Deployment
Follow these general steps to install and build SecBot:
1. Clone the repository:
   - visit the project's repository to copy the URL under Clone;
   - run the git clone command to create a local copy.
   $ git clone path/to/project.git
2. Build and run the SecBot service.
   $ docker-compose up --build
Service Configuration
The /.env.dev file defines the location, keys, and other parameters of the internal and external units SecBot communicates with: queues, databases, Inputs, Scans, Outputs, and Notifiers.
Review this file and make the necessary changes to it based on the peculiarities of your environment, such as the variables within GITLAB_CONFIGS. Save the file and rebuild the service.
$ docker-compose up --build
For testing and other purposes, you can redefine any parameter in the /.env.override file for your separate sandbox environment. To do this:
1. Rename the original /.env.override.example file accordingly.
2. Specify the new values of the existing variables there, for example modify DEFECTDOJO__TOKEN=defectdojo_token:
   # Excerpt from .env.override
   ...
   DEFECTDOJO__TOKEN=my_personal_token
   ...
3. Save the file.
4. Rebuild the service.
   $ docker-compose up --build
Note
For more detailed information on this topic, see Configuration.
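The override mechanism above keeps personal credentials such as DEFECTDOJO__TOKEN out of the shared .env.dev. The following is an added example, not SecBot's own configuration loader: it parses the plain KEY=VALUE syntax shown on this page, applies the override file on top of the base file, and masks secret-looking values before the merged configuration is printed, so a config dump can be shared without leaking tokens. The double-underscore nesting (DEFECTDOJO__TOKEN becoming defectdojo.token), the sample file contents and the variable names beyond those on the page are assumptions.

```python
"""Layer a base .env file with a sandbox override and redact secrets for display.

Added example, not SecBot's own loader: it assumes the plain KEY=VALUE syntax
shown on the page and that values in .env.override win over .env.dev. The
double-underscore nesting (DEFECTDOJO__TOKEN -> defectdojo.token) is an
assumption about the naming convention, not something the page states.
"""
from __future__ import annotations

import re
from typing import Any, Dict

# Constructed sample files, standing in for /.env.dev and /.env.override.
BASE_ENV = """\
# Excerpt from .env.dev (constructed sample)
DEFECTDOJO__URL=http://defectdojo:8080
DEFECTDOJO__TOKEN=defectdojo_token
GITLAB_CONFIGS__URL=https://gitlab.example.invalid
GITLAB_CONFIGS__WEBHOOK_SECRET="shared secret"   # quoted value, inline comment
"""

OVERRIDE_ENV = """\
# Excerpt from .env.override (constructed sample)
...
DEFECTDOJO__TOKEN=my_personal_token
...
"""

# Variable names whose values must never be echoed into logs or a terminal.
SENSITIVE = re.compile(r"(TOKEN|SECRET|PASSWORD|KEY)$", re.IGNORECASE)


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skip comments, blank lines and '...' ellipsis lines."""
    result: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if value[:1] in ("'", '"'):
            # Quoted value: keep everything up to the matching quote, drop the rest.
            end = value.find(value[0], 1)
            if end == -1:
                raise ValueError(f"line {lineno}: unterminated quote")
            value = value[1:end]
        else:
            # Unquoted value: an inline comment starts at ' #'.
            value = value.split(" #", 1)[0].rstrip()
        result[key] = value
    return result


def load_layered(base: str, override: str) -> Dict[str, str]:
    """Base first, then override: a key present in both takes the override value."""
    merged = parse_env(base)
    merged.update(parse_env(override))
    return merged


def nest(flat: Dict[str, str]) -> Dict[str, Any]:
    """Assumed convention: 'A__B' becomes {'a': {'b': value}}."""
    tree: Dict[str, Any] = {}
    for key, value in flat.items():
        parts = key.lower().split("__")
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return tree


def redact(flat: Dict[str, str]) -> Dict[str, str]:
    """Mask sensitive values so the merged config can be pasted into a ticket safely."""
    return {k: ("***" if SENSITIVE.search(k) else v) for k, v in flat.items()}


if __name__ == "__main__":
    cfg = load_layered(BASE_ENV, OVERRIDE_ENV)
    for name, value in redact(cfg).items():
        print(f"{name}={value}")
```

Running the script prints the merged configuration with DEFECTDOJO__TOKEN and GITLAB_CONFIGS__WEBHOOK_SECRET masked while the override value has still replaced the base one; the parser raises on malformed lines rather than silently dropping them, so a broken override is noticed at startup instead of at the first failed DefectDojo call.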
Workflow Configuration
The /app/config.yml file defines the policies SecBot follows in its work: which Scans to launch to check input entities of a particular type, which Outputs to use to aggregate the Scans' results, and so on. You can take the original version and use it as is or update the file according to your needs. In the latter case, you will need to stop and restart the service.
$ docker-compose stop
$ docker-compose up -d
Note
For more detailed information on this topic, see Configuration.
Integration
Since SecBot communicates with different units via their respective APIs and is triggered in response to specific input events, you are expected to
- obtain authorization with these units (Inputs, Outputs, and Notifiers), and
- specify triggers on your development and distribution platform (Input), such as system hooks (or webhooks) for GitLab.
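Once a GitLab system hook or webhook points at SecBot, every call to that endpoint is an unauthenticated HTTP request from the Input's point of view until the shared hook secret is checked. The following is an added example, not SecBot's Input implementation: it shows the checks a receiver should make before an event is queued for scanning, using the real GitLab headers X-Gitlab-Token (the secret configured on the hook) and X-Gitlab-Event (the event kind). The accepted event names, the size limit and the project field lookup are illustrative choices, and the sample request is constructed.

```python
"""Authenticate an inbound GitLab system hook / webhook call before acting on it.

Added example, not SecBot's own Input handler. It assumes the shared secret
configured on the GitLab hook arrives in the X-Gitlab-Token header and the
event kind in X-Gitlab-Event (both real GitLab headers); the accepted event
names, size limit and project lookup are illustrative.
"""
from __future__ import annotations

import hmac
import json
from typing import Mapping, Optional, Tuple

# Events this sandbox Input is willing to act on (illustrative allow-list).
ACCEPTED_EVENTS = {"Push Hook", "Merge Request Hook", "Tag Push Hook"}


def verify_hook(headers: Mapping[str, str], body: bytes, expected_token: str,
                max_body: int = 1 << 20) -> Tuple[int, str]:
    """Return (HTTP status, reason). 200 means the event may be queued for scanning."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    token = h.get("x-gitlab-token", "")
    # Fail closed when no secret is configured; compare in constant time so the
    # check does not leak how many leading bytes of the token were right.
    if not expected_token or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return 401, "missing or invalid X-Gitlab-Token"
    event = h.get("x-gitlab-event", "")
    if event not in ACCEPTED_EVENTS:
        return 400, f"event not handled: {event!r}"
    if len(body) > max_body:
        return 413, "payload too large"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(payload, dict) or "project" not in payload:
        return 400, "payload missing 'project'"
    return 200, "accepted"


def project_ref(body: bytes) -> Optional[str]:
    """Pull the project path that would select the Scans to run; None if absent."""
    payload = json.loads(body)
    project = payload.get("project") or {}
    return project.get("path_with_namespace")


# Constructed sample request: a trimmed push event in the shape GitLab sends.
SAMPLE_HEADERS = {
    "X-Gitlab-Event": "Push Hook",
    "X-Gitlab-Token": "hook-secret-123",  # constructed value, not a real secret
    "Content-Type": "application/json",
}
SAMPLE_BODY = json.dumps({
    "object_kind": "push",
    "ref": "refs/heads/main",
    "project": {"id": 42, "path_with_namespace": "group/service"},
}).encode()

if __name__ == "__main__":
    print(verify_hook(SAMPLE_HEADERS, SAMPLE_BODY, "hook-secret-123"))
    print(project_ref(SAMPLE_BODY))
```

The token check runs before the body is parsed, so an unauthenticated caller never reaches the JSON decoder, and the size limit bounds what an authenticated but misbehaving hook can make the service buffer. The expected token would come from the same layered .env configuration described under Service Configuration rather than from source code.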