
Getting started with the Conviso AST

Introduction

The AST is a tool that performs comprehensive security scans on your source code, covering SAST, SCA, IaC, and Container.

You can use the AST locally and also within your CI/CD pipeline, which gives you the following features:

  • Run the Conviso AST add-on scans (SAST, SCA, IaC, Container);
  • Set policies that block the pipeline based on different criteria;
  • Create the asset on the platform if it does not exist, and fill in the technologies found during execution;
  • Close open vulnerabilities on the platform that are no longer identified during execution, and reopen vulnerabilities that were closed but are identified again later.


Install the Conviso AST

To use the AST, install it and authenticate your machine.

Note: For an effortless setup, use the Conviso Docker image available on Docker Hub. This plug-and-play option significantly reduces setup time and minimizes the risk of misconfiguration, so you can get started quickly and reliably.

Prerequisites

To install the AST, some dependencies are required:

Follow the download instructions for each dependency.

Installation

Run the following installation command for the Conviso AST:

pip install conviso-ast

or

python3 -m pip install conviso-ast

Note: If this does not work, see the "Other installation commands" section below, which lists alternative ways to install.

You can also use the AST in your CI/CD environment. For details, check the menu listing the tools we integrate with. If your tool is not listed, please contact us so we can assess it.

Test your installation

After installing, verify the installation with a quick test:

conviso --help

The command prints a summary of the AST commands and options. You are now ready to proceed.

Note: Conviso recommends always keeping your AST installation updated to the latest version. Check your installed version by running conviso --version.

Authentication

To start using the AST, you need to provide the API Key for your Conviso Platform account. You can generate an API Key within Security Feed -> Quick Actions -> Generate API KEY.

Note: Each time you generate a new API Key, you must update the key in the AST settings.

Once you have the key, export it as a system environment variable:

export CONVISO_API_KEY='your-api-key'

The API Key can also be passed as a command-line option:

conviso --api-key 'your-api-key' [SOME COMMAND]

Note: For security reasons, this is not recommended for production environments: a key passed on the command line is recorded in shell history and is visible to other local users in the process list.
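As an added example (not part of the Conviso docs or the conviso tool itself), the following POSIX shell helpers show one way to keep the key off the command line in production: the key is read from a file that only its owner can read, checked for sane permissions and content, and exported as CONVISO_API_KEY before conviso runs. The key file path and the one-key-per-file layout are this example's own assumptions, not a Conviso convention.

```shell
#!/bin/sh
# Added example, not from the Conviso documentation: load the API key from a
# private file into CONVISO_API_KEY instead of passing it with --api-key.
# A key on the command line lands in shell history and in `ps` output for
# other local users; an environment variable set from a 0600 file does not.
# The key file location and format are assumptions made by this example.

# Print the key stored in $1 if the file is owner-only readable and non-empty.
# Returns 1 and prints nothing on any problem, so callers can abort cleanly.
load_conviso_key() {
    key_file="$1"
    [ -f "$key_file" ] || { echo "key file not found: $key_file" >&2; return 1; }

    # Permission check: refuse anything readable by group or others.
    # GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'.
    mode=$(stat -c '%a' "$key_file" 2>/dev/null || stat -f '%Lp' "$key_file")
    case "$mode" in
        600|400) ;;
        *) echo "refusing key file $key_file with mode $mode (expected 600 or 400)" >&2
           return 1 ;;
    esac

    # Take only the first line and strip line endings, so a trailing CR/LF
    # left by an editor does not become part of the key.
    key=$(head -n 1 "$key_file" | tr -d '\r\n')
    [ -n "$key" ] || { echo "key file $key_file is empty" >&2; return 1; }
    printf '%s\n' "$key"
}

# Export the key from the given file and run conviso with the remaining
# arguments, e.g.:  run_conviso_with_key ~/.config/conviso/api_key --help
run_conviso_with_key() {
    key_file="$1"
    shift
    CONVISO_API_KEY=$(load_conviso_key "$key_file") || return 1
    export CONVISO_API_KEY
    conviso "$@"
}
```

Create the key file with a restrictive mode before first use (for example `umask 077` before writing it, or `chmod 600` afterwards); the permission check above is there so that a later mistaken `chmod` or a copy to a shared location is caught before the key is exported.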

Next steps

Once the AST is installed and your machine is authenticated, perform the following actions to run your AppSec Program with the Conviso Platform:

  • Perform Application Security Testing (AST) type scans, following this tutorial.
  • Validate your opened vulnerabilities for a specific project and block your CI/CD pipeline depending on pre-defined vulnerability policies, see more.
  • Perform the Management of your Assets, see this guide.
  • Import findings and vulnerabilities from other security tools that support .SARIF files to Conviso Platform, see more.

Other installation commands

If the main method did not work, there are several alternatives:

  • If you do not have system administrator privileges:

pip install --user conviso-ast

or

python3 -m pip install --user conviso-ast

  • If you want to install a specific version. Versions can be found on PyPI.

python3 -m pip install conviso-ast==3.0.1rc0

Note: If the command fails, check that your Python path is correctly configured by following this guide.

  • If you want to use the container image with a specific version. Versions can be found on Docker Hub.

docker run convisoappsec/convisoast conviso --help

Note: The PyPI and GitHub versions differ slightly.

Updating Conviso AST

We release new Conviso AST versions often! See the Release Notes for details.

If you need to update your Conviso AST, use the following command:

pip install conviso-ast --upgrade

Tips: Shell Completion

Shell completion automatically completes commands and command-line arguments in a terminal or shell. It is not required to use the tool, so you can skip this section if you want.

Bash

Open your ~/.bashrc file and add the following snippet at the end of the file.

# Locate the bash completer script installed with the AST and source it if present.
CONVISO_COMPLETER="$(which conviso_bash_completer.sh)"

[ -f "$CONVISO_COMPLETER" ] && {
source "$CONVISO_COMPLETER"
}

Start a new bash shell session and the shell completion will be available.

ZSH

Open your ~/.zshrc file and add the following snippet at the end of the file.

# Locate the zsh completer script installed with the AST and source it if present.
CONVISO_COMPLETER="$(which conviso_zsh_completer.sh)"

[ -f "$CONVISO_COMPLETER" ] && {
source "$CONVISO_COMPLETER"
}

Start a new ZSH shell session and the shell completion will be available.

Fish

Start a fish shell session and execute the following commands.

# Copy the fish completer script installed with the AST into fish's completions directory.
mkdir -p ~/.config/fish/completions
cp (which conviso_fish_completer.fish) ~/.config/fish/completions/conviso.fish

Start a new fish shell session and the shell completion will be available.

Getting support for the Conviso AST

If you have any questions or need help using Conviso AST, please don't hesitate to contact our support team.
