Centralised Agile PenTesting (CAPT) service is a Technical Leadership Programme (TLP 2021 cohort) project by Keith Tay, Toh Kian Hui and Soh Yu Ming. CAPT aims to integrate pentesting into Agile processes where code changes will automatically trigger pentesters to review and provide timely feedback through Jira issues on security vulnerabilities. This is a working POC of CAPT integration with ship.gov.sg Bitbucket and Jira to provide this automated service.
Features:
- Automatic creation of a pentesting cycle as a Jira Epic
- Automatic generation of a code diff link for easy follow-up on security findings and fixes
NPM dependencies:
- axios
- knex
- pg
Setup:
- Set DB configurations in `db/knexfile.js`
- Run DB migrations: `knex migrate:latest`
- Run DB seed: `knex seed:run --specific=sample.js`
- Provide dependencies using an AWS Lambda layer
- Deploy `lambdas` in AWS Lambda
- Set up the environment variables required by each of the lambdas (see the `lambdas` folder)
- Set up a daily cron job to call the `check_epic` lambda
- Add `curl https://<code_change_lambda_url>?proj_code=<proj_code>` in Bamboo to trigger the CAPT service whenever there are code changes
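The trigger step above is where the service's two features meet: the `code_change` call has to validate the `proj_code` it receives, build the diff link and open the Epic. The following is an added illustration, not code from the CAPT repository; it assumes an API Gateway style event, a Bitbucket Server compare URL shape and a Jira REST v2 create-issue body, and the knex lookup and axios call are injected so the logic runs offline.

```javascript
// Added example: the pure parts of a hypothetical `code_change` Lambda.
// Assumption: project codes look like Jira keys (uppercase, digits, underscore),
// so anything else is rejected before it reaches the database or Jira.
const PROJ_CODE_RE = /^[A-Z][A-Z0-9_]{1,19}$/;

function parseProjCode(event) {
  const raw = (event.queryStringParameters || {}).proj_code;
  return typeof raw === 'string' && PROJ_CODE_RE.test(raw) ? raw : null;
}

// Compare link between the last pentested commit and the current head.
// The Bitbucket Server URL shape is an assumption; adjust for the real host.
function buildDiffLink(baseUrl, projectKey, repoSlug, fromCommit, toCommit) {
  const enc = encodeURIComponent;
  return `${baseUrl}/projects/${enc(projectKey)}/repos/${enc(repoSlug)}` +
    `/compare/diff?sourceBranch=${enc(toCommit)}&targetBranch=${enc(fromCommit)}`;
}

// Jira REST API v2 "create issue" body for the pentest-cycle Epic.
function buildEpicPayload(jiraProjectKey, projCode, diffLink) {
  return {
    fields: {
      project: { key: jiraProjectKey },
      issuetype: { name: 'Epic' },
      summary: `CAPT pentest cycle: ${projCode}`,
      description: `Code changed since the last review. Diff: ${diffLink}`,
    },
  };
}

// deps.lastReviewed(projCode) -> record with baseUrl, projectKey, repoSlug,
//   commit (last reviewed), head (current) and jiraKey; knex in the real service.
// deps.createIssue(payload) -> new issue key; an axios POST to Jira in the real service.
async function handleCodeChange(event, deps) {
  const projCode = parseProjCode(event);
  if (!projCode) return { statusCode: 400, body: 'invalid proj_code' };
  const rec = await deps.lastReviewed(projCode);
  if (!rec) return { statusCode: 404, body: 'unknown project' };
  const link = buildDiffLink(rec.baseUrl, rec.projectKey, rec.repoSlug, rec.commit, rec.head);
  const key = await deps.createIssue(buildEpicPayload(rec.jiraKey, projCode, link));
  return { statusCode: 200, body: JSON.stringify({ epic: key, diff: link }) };
}

if (typeof module !== 'undefined') {
  module.exports = { parseProjCode, buildDiffLink, buildEpicPayload, handleCodeChange };
}
```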