Plan Workflow Modifications

Overview

Jit's Open DevSecOps platform offers plan workflow customizations, empowering security champions to tailor security plans according to their needs.

This feature enables you to address custom risks and align with your tech stack and development processes.

Modifications are currently supported with Semgrep Python SAST scanning and KICS IaC Misconfigurations scaning.

🚧

Contact Jit for assistance before using this feature.

Contact us over a shared Slack channel, our platform chat, or here.

Instructions

At the end of your jit-plan.yml file in your Jit centralized repo, add an override section. The examples below show how to exclude running specific tests (checks) across your entire organization:

override:
  workflows:
    sast:
      jobs:
        static-code-analysis-python-semgrep:
          steps:
          - name: Run semgrep python
            uses: registry.jit.io/control-semgrep-alpine:latest
            with:
              args: --json --config=/semgrep-python-config.yml --metrics=off --severity=ERROR --exclude-rule python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query ${WORK_DIR:-.}
override:
  workflows:
    iac-misconfiguration-detection:
      jobs:
        iac-misconfig-detection-terraform:
          steps:
          - name: Run KICS (terraform)
            uses: registry.jit.io/control-kics-alpine:latest
            with:
              args: scan -t Terraform -p ${WORK_DIR:-.} -o /code/jit-report/results.json -f json --config /terraform-config.yaml --disable-secrets --exclude-queries 6726dcc0-5ff5-459d-b473-a780bef7665c,4495bc5d-4d1e-4a26-ae92-152d18195648,42bb6b7f-6d54-4428-b707-666f669d94fb,90501b1b-cded-4cc1-9e8b-206b85cda317,3a1e94df-6847-4c0e-a3b6-6c6af4e128ef,c5b31ab9-0f26-4a49-b8aa-4cc064392f4d
    iac-misconfiguration-detection:
      jobs:
        iac-misconfig-detection-cloudformation:
          steps:
            - name: Run KICS (cloudformation)
              uses: registry.jit.io/control-kics-alpine:latest
              with:
                args: scan -t CloudFormation -p ${WORK_DIR:-.} -o $REPORT_FILE -f json --config /cloudformation-config.yaml --disable-secrets --exclude-queries c8dee387-a2e6-4a73-a942-183c975549ac
        iac-misconfig-detection-serverless:
          steps:
            - name: Run KICS (serverless)
              uses: registry.jit.io/control-kics-alpine:latest
              with:
                args: scan -t ServerlessFW -p ${WORK_DIR:-.} -o $REPORT_FILE -f json --config /serverless-config.yaml --disable-secrets --exclude-queries 165aae3b-a56a-48f3-b76d-d2b5083f5b8f

Replace the arguments shown in this example with the arguments that you intend to use. Arguments must be supported by the tool.

🚧

Important!

Include all the arguments that were in the original arguments line, as it will be completely overridden by this change.

Make sure you use the correct indentation!