Jit offers the option to trigger runtime scanning tools whenever a new code deployment is detected. Scanning the runtime environment after every deployment catches security issues introduced by that deployment soon after it lands, instead of leaving them unnoticed until the next scheduled scan.
Deployment-based scanning is available for the following security requirements—
- Deployment via GitHub Actions. Jit deployment scanning currently supports only deployments via GitHub Actions; support for more deployment services is coming soon. To use deployment scanning, the GitHub Actions workflow must include a deployment job. Jit looks for the `environment: <name>` key in the workflow YAML to determine that a deployment has occurred, and uses that environment name to decide which runtime environment to scan. Learn more about deployments with GitHub Actions.
```yaml
name: 'Deploy to staging'
on:
  push:
    branches:
      - dev
      - main
  pull_request:
    branches:
      - main
jobs:
  deploy-staging:
    # Jit treats a job with an `environment:` key as a deployment and scans
    # the runtime environment whose name matches this value.
    environment: staging
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
```
- Slack integration is required to enable deployment scanning.
When activating one of the supported security controls, set the trigger in the control configuration to Scan on deployment:
Environment name: enter the environment name defined in the deployment workflow YAML on GitHub Actions. Jit requires an exact match between the environment name configured in Jit and the one declared in the GitHub Actions workflow; if they differ, no scan is triggered.
Note: the environment name is global. Changing it in any one control configuration changes it for all controls.
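As an added example (not part of the Jit documentation or Jit's own code), the Ruby script below extracts the environment name from each job of a workflow and checks it against the environment names configured in Jit, flagging near misses that differ only in case or surrounding whitespace, which would fail Jit's exact-match rule. It uses Ruby's standard-library YAML parser, so it runs without extra gems. The workflow text and the Jit environment list are constructed for the example. The handling of the mapping form `environment: { name: ..., url: ... }` goes beyond the string form shown on this page but is standard GitHub Actions syntax. Whether Jit's matching is case-sensitive is not stated on this page; the script assumes any difference is a mismatch, which is the safe assumption.

```ruby
require 'yaml'

# Constructed sample workflow for this example (modelled on the page's
# 'Deploy to staging' workflow, plus a job using the mapping form of
# `environment:` and a job that does not deploy at all).
SAMPLE_WORKFLOW = <<~YAML
  name: 'Deploy to staging'
  on:
    push:
      branches: [dev, main]
  jobs:
    deploy-staging:
      environment: staging
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v2
    deploy-prod:
      environment:
        name: Production
        url: https://example.invalid
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v2
    unit-tests:
      runs-on: ubuntu-latest
      steps:
        - run: echo "no deployment here"
YAML

# Map job id => environment name for every job that declares `environment:`.
# GitHub Actions accepts both `environment: staging` and the mapping form
# `environment: { name: staging, url: ... }`; both are handled here.
# (Psych parses the top-level `on:` key as the boolean true, a YAML 1.1 quirk;
# it does not matter here because only `jobs` is read.)
def deployment_environments(workflow_yaml)
  doc = YAML.safe_load(workflow_yaml) || {}
  jobs = doc['jobs'] || {}
  jobs.each_with_object({}) do |(job_id, job), envs|
    env = job.is_a?(Hash) ? job['environment'] : nil
    case env
    when String
      envs[job_id] = env
    when Hash
      envs[job_id] = env['name'].to_s if env['name']
    end
  end
end

# Compare the workflow's environments with the names configured in Jit.
# Returns [job_id, workflow_env, status] triples, where status is
#   :match     - exact match, Jit will trigger a scan for this job
#   :near_miss - differs only by case or surrounding whitespace (assumed to
#                fail Jit's exact-match rule, so the scan would not fire)
#   :unknown   - no Jit environment resembles this name
def check_environments(workflow_yaml, jit_environments)
  deployment_environments(workflow_yaml).map do |job_id, env|
    status =
      if jit_environments.include?(env)
        :match
      elsif jit_environments.any? { |j| j.strip.casecmp?(env.strip) }
        :near_miss
      else
        :unknown
      end
    [job_id, env, status]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed list of environment names as they would be entered in Jit.
  jit_envs = ['staging', 'production']
  results = check_environments(SAMPLE_WORKFLOW, jit_envs)
  warn 'no job declares environment:, Jit will not detect a deployment' if results.empty?
  results.each { |job, env, status| puts "#{job}: environment '#{env}' -> #{status}" }
end
```

Run it against a real workflow by replacing `SAMPLE_WORKFLOW` with the file contents and `jit_envs` with the names entered in Jit. An empty result means no job declares `environment:`, so Jit has nothing to detect a deployment from; a `:near_miss` means the deployment will run but the scan will not trigger until one side is renamed to match exactly.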
When a deployment scan detects findings, it will report them in two places:
- The pipelines page, under a Deployment pipeline.
- A Slack notification, sent to the channel selected under Deployments in the Slack integration configuration.