
GuardRails Enterprise Testing Guide

🚀 GuardRails On-Premise Testing Guide


Overview

This guide provides the test cases for the common use cases of GuardRails. Before you start, make sure that GuardRails is installed correctly by following the specific setup guides. That includes enabling GuardRails for the repositories that you want to monitor; we recommend enabling GuardRails for all of them.

Once the setup is complete, continue with the guide for your version control system, or go straight to the dashboard section.

GitHub

Testing GuardRails on GitHub is a very simple undertaking. Once you have confirmed that GuardRails is enabled for a given repository, create a new pull request: the GuardRails bot will show up in the checks area and report the scan duration and whether any vulnerabilities have been identified. To verify that GuardRails identifies newly introduced issues, create a PR that adds a file named gr-poc.sh with the following content.

-----BEGIN RSA PRIVATE KEY-----

The GuardRails bot will then identify a new vulnerability and create a PR comment with the details.

GitLab

Testing GuardRails on GitLab is also easy. Once you have confirmed that GuardRails is enabled for a given repository, create a new merge request: the GuardRails bot will show up as a running pipeline. To verify that GuardRails identifies newly introduced issues, create an MR that adds a file named gr-poc.sh with the following content.

-----BEGIN RSA PRIVATE KEY-----

The GuardRails bot will then identify a new vulnerability and create a comment on the MR with the details.

Bitbucket

Testing GuardRails on Bitbucket is straightforward. Once you have confirmed that GuardRails is enabled for a given repository, create a new pull request: the GuardRails bot will show up in the builds section. To verify that GuardRails identifies newly introduced issues, create a PR that adds a file named gr-poc.sh with the following content.

-----BEGIN RSA PRIVATE KEY-----

The GuardRails bot will then identify a new vulnerability and create a comment in the PR with the details.
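The three sections above describe the same check: push a branch that adds gr-poc.sh containing the PEM private-key header, then open a pull or merge request from it. The script below is an added example, not code from the GuardRails documentation or product, that automates the branch creation and verifies locally that the file carries the marker a secret detector looks for. It assumes git is installed, that it is run inside a clone of a repository for which GuardRails is enabled, that the remote is named "origin", and that the branch name defaults to guardrails-poc (overridable through GR_POC_BRANCH); all of these are assumptions, not GuardRails settings. The push step is identical for GitHub, GitLab and Bitbucket; only the PR/MR creation differs and is done in the respective web UI.

```shell
#!/bin/sh
# Added example, not from the GuardRails documentation or product.
# Creates a throwaway branch that adds the gr-poc.sh marker file described
# above, so that a PR/MR opened from that branch exercises the GuardRails
# check. Assumptions: git is installed, the script runs inside a clone of a
# repository that GuardRails is enabled for, and the remote is named "origin".
set -eu

POC_FILE="gr-poc.sh"
POC_MARKER='-----BEGIN RSA PRIVATE KEY-----'
BRANCH="${GR_POC_BRANCH:-guardrails-poc}"   # branch name is an assumption

# Write the marker file: only the PEM header line, no key material at all,
# which is enough for a secret detector to flag it.
write_poc_file() {
    printf '%s\n' "$POC_MARKER" > "${1:-$POC_FILE}"
}

# Local pre-check mirroring what a secret scanner looks for. Exit status 0 if
# the file contains a PEM private-key header, 1 otherwise.
poc_file_has_marker() {
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Create the branch, commit the marker file and push it. Open the PR/MR from
# the pushed branch in the GitHub, GitLab or Bitbucket web UI afterwards.
create_poc_branch() {
    git checkout -b "$BRANCH"
    write_poc_file "$POC_FILE"
    poc_file_has_marker "$POC_FILE"
    git add "$POC_FILE"
    git commit -m "test: add GuardRails proof-of-concept marker file"
    git push -u origin "$BRANCH"
    echo "Pushed $BRANCH; open a pull/merge request from it to trigger the scan."
}

# Only touch git when explicitly asked, so the file can also be sourced
# for its helper functions.
if [ "${1:-}" = "run" ]; then
    create_poc_branch
fi
```

Run it as `sh gr-poc-setup.sh run` from the repository root, then open the PR/MR in the web UI and wait for the GuardRails check. Once the bot has commented, close the PR/MR without merging and delete the branch, so the marker file never lands on the default branch and keeps showing up in later branch-level scan reports.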

Dashboard

The dashboard can be used to get an overview of all organizations and repositories that are protected by GuardRails, view all the scan reports and vulnerabilities that have been identified, as well as modify the global GuardRails configuration.

Login

The first step is testing that the login works. GuardRails uses the same login functionality as your version control system, which means you don't have to manage accounts for GuardRails separately. Go to the cloud dashboard, or to your on-premise enterprise GuardRails instance, and log in with the version control system of your choice. After a successful authentication you will be forwarded to the main page of the dashboard.

Organizations and Repositories

After the login you will see all organizations/teams that GuardRails has permission to access. Inside each organization/team, a list of all repositories is shown. Each repository has a toggle button to enable or disable GuardRails for it. In addition, there is a "Scan trigger" button next to the toggle. Press this button to start a scan of the default branch of the given repository, which is typically the master branch. The scan will show all vulnerabilities of that repository.

Reports

After selecting a repository you can look at the scan reports on the branch level and on the pull/merge-request level. Note that the scan reports on the branch level contain all findings that were identified on that branch, whereas on the pull/merge-request level only vulnerabilities that were identified in the new code changes are shown.

Settings

GuardRails has been optimized for developer experience from day one. As such, the platform aims to provide a DevSecOps pipeline in a box: no assembly required and batteries included. However, we realize that one size doesn't fit all and for that reason provide configuration options to customize the experience. More details on configuration options can be found here.

Common configuration options include:

  • Configuring Slack
  • Configuring what details are shown in pull request comments
  • Excluding files or lines from GuardRails scans