ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.
ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins.Read more for important details.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Amrityam_Rout
Captain Captain
Captain
‎2019-10-04 18:09
868 views

Webinspect integration in CI/CD pipeline

I need to integrate Webinspect scan in to project' CI/CD pipeline and we have nearly 100 projects/web applications.I have explored the Webinspect Rest APIS for this integration.Now the problem is if I have one Webinspect license , then how to manage scan requests coming from multiple project's CI/CD pipeline?
As per my knowledge Webinspect can run only two concurrent scans at a time.

In this case how to make this integration more scalable when multiple scan requests coming from multiple project's CI/CD pipeline.
Labels (2)
Labels
0 Likes
Report Inappropriate Content
2 Replies
ebell
Micro Focus Expert
Micro Focus Expert
‎2019-10-04 19:29

In this scenario it sounds like WebInspect Enterprise would be a better fit. With just WebInspect and one license it will be a challenge with scheduling when to send scans.

0 Likes
Report Inappropriate Content
HansEnders
Micro Focus Expert
Micro Focus Expert
‎2019-10-16 15:48

Ethan is correct that WebInspect Enterprise (and its API) is optimal for managing and scheduling multiple scans.  If you are staying with the WebInspect (desktop) API, then you would need to build your own "scheduling" into your CI scripts.  There are API endpoints for Scan Status and other information that your script could use to hold off on subsequent scan requests.  The following POSTman/Python collection of suggested WebInspect API scripts could provide you a baseline to build your WI API scripts.

Furthermore, you might be able to save most scan times by utilizing Workflow-driven scans for most CI work, and then periodically operate a complete-site scan.  The Proxy endpoints and WISwag (for REST API targets) endpoints in the WI API can provide you further methods to replicate your functional testing scripts as your WebInspect security tests.

If Login Macros are to be used for authentication, you may want to review the Parameterized Login feature within the Login Macro Recorder.  These could permit you to re-use your macros and change the usernames/passwords/hosts dynamically when you call the scans (see API option for Overrides).

 

https://github.com/fortify

>>  WebInspectAutomation

>>>> https://github.com/fortify/WebInspectAutomation


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.