serverless-neuvector

0.9.5 • Public • Published

Serverless plugin for Neuvector.

Features

  • Secure your project: scan your project's libraries for vulnerabilities
  • Currently supported runtimes: Node.js, Python, Java (more runtimes coming soon...)
  • Works with the Serverless Framework

Requirements

  • Python 2.7+
  • NodeJS 10+

Quick Start

1. Install via npm:

npm install --save-dev serverless-neuvector

2. Add serverless-neuvector to your serverless.yml:

In your project's serverless.yml file, add the following entry to the plugins section: serverless-neuvector. If there is no plugins section, you will need to add it to the file.

It should look similar to this:

plugins:
  - serverless-neuvector

You also need to supply the following parameters so that the plugin can connect to the NeuVector scan core modules:

custom:
  neuvector:
    stopDeployment: false
    ipAddress: "1.1.1.1"
    port: 10443
    username: "ciuser"
    password: "ciuserpassword"
    projectname: "demo"
    path: "."
    tolerance:  # Optional: if not set, high and medium default to 0
      high: 5
      medium: 30

Note:

  1. stopDeployment: this parameter defines whether NeuVector should stop the function deployment if the scan finds vulnerabilities which meet the stop criteria defined in the tolerance section. Selecting “true” will stop the deployment if the criteria are met.

  2. ipAddress/port : this is the address/port of NeuVector Controller or its exposed REST API service. Make a note of the IP address of the host where the Allinone or Controller is running. Note: The default REST API port is 10443. This port must be exposed through the Allinone or Controller through a service in Kubernetes or a port map (e.g. - 10443:10443) in the Docker run or compose file.

  3. username/password: this is the username/password you created in NeuVector in order to authenticate to run the serverless scan. You can create a CI/CD user in NeuVector as seen below if you wish to limit the user to scanning functions. Assign the global role as CI integration.
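
How stopDeployment and tolerance combine into a deploy/no-deploy decision, as an added JavaScript example that is not the plugin's own code. It assumes a severity blocks deployment when its count exceeds the tolerance; the findings shape and the evaluateGate name are hypothetical.

```javascript
// Added illustration, not the plugin's source. Assumption: a deployment is
// blocked when a severity count exceeds its tolerance (count > tolerance).

// Constructed sample: the custom.neuvector block from serverless.yml, as parsed.
const sampleConfig = {
  stopDeployment: true,
  tolerance: { high: 5, medium: 30 },
};

// Constructed sample findings; names and fields are hypothetical.
const sampleFindings = [
  ...Array.from({ length: 6 }, (_, i) => ({ name: `EXAMPLE-HIGH-${i}`, severity: 'High' })),
  ...Array.from({ length: 12 }, (_, i) => ({ name: `EXAMPLE-MED-${i}`, severity: 'Medium' })),
];

function evaluateGate(config, findings) {
  // Per the README, high and medium default to 0 when tolerance is omitted.
  const tolerance = { high: 0, medium: 0, ...(config.tolerance || {}) };
  for (const [level, limit] of Object.entries(tolerance)) {
    if (!Number.isInteger(limit) || limit < 0) {
      throw new TypeError(`tolerance.${level} must be a non-negative integer`);
    }
  }
  // Count findings per severity, ignoring case and severities without a limit.
  const counts = { high: 0, medium: 0 };
  for (const f of findings) {
    const level = String(f.severity || '').toLowerCase();
    if (level in counts) counts[level] += 1;
  }
  const exceeded = Object.keys(counts).filter((l) => counts[l] > tolerance[l]);
  // stopDeployment: false still reports the breach but lets the deploy continue.
  const blocked = config.stopDeployment === true && exceeded.length > 0;
  return { counts, tolerance, exceeded, blocked };
}

// 6 high findings against a tolerance of 5: the gate blocks on "high" only.
console.log(evaluateGate(sampleConfig, sampleFindings));
```

With the tolerance section omitted, a single high or medium finding is enough to trip the gate under this reading, so set explicit limits before turning stopDeployment on in an existing pipeline.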

To work directly with the NeuVector security product, a NeuVector security key can be added as an environment variable. Add an environment section to the function definition:

functions:
  hello:
    handler: handler.yourApp_handler
    environment: 
      nvsecKey: ${file(./nvsec.json):nvsecKey}

3. Validate:

You can check whether you have successfully installed the plugin by running the serverless command line.

serverless --help

The console should display neuvector as one of the plugins now available in your Serverless project.

4. Integration:

The library scan is now integrated into your serverless deployment process and runs before your project is deployed. Whether deployment is blocked when vulnerabilities are found is determined by "stopDeployment" in serverless.yml.

serverless deploy

5. You can also execute the tool on the entire project:

serverless nv scan

License

none

Unpacked Size

38.4 kB

Total Files

13

Collaborators

  • neuvector