Adding Synopsys credentials to Google Cloud Key Management Service (KMS)

Introduction

To communicate with either Coverity on Polaris or Black Duck, Synopsys Detect must first authenticate its connection. To ensure that Synopsys Detect can authenticate, you must provide the appropriate URLs and access tokens. While you can pass these values to Synopsys Detect at invocation, this is not recommended because the values are passed in plaintext and are not encrypted. A more secure approach is to use Google Cloud Key Management Service (KMS) to protect sensitive values and make them available to Cloud Build.

Depending on the tools you're scanning with, different access secrets might be required.

Here's a list of requirements:

  • Scanning with Black Duck on Cloud Build using Synopsys Detect.
    • The Black Duck token is required.
  • Scanning with Polaris by using a custom builder with the SWIP CLI.
    • The Polaris token is required.
  • Scanning with Black Duck in Cloud Build and performing an attestation for Binary Authorization.
    • The Black Duck token is required.
    • The passphrase for your signing private key is required.

The following steps describe how to add the parameters and make them available to Cloud Build:

Encrypting credentials by using KMS

The following procedure shows how to use KMS to encrypt a secret:

  1. Create a KeyRing and a CryptoKey in the Encryption keys section of IAM.
  2. Ensure that Google users have access to the KeyRing and CryptoKey you just created by adding the allAuthenticatedUsers member, assigned the owner role, to the CryptoKey permissions. For additional information about KMS permissions and roles, refer to the KMS Permissions and Roles page.
  3. Generate an Access Token for the Application you're scanning with.
    • In Black Duck, generate it by navigating to the Profile section for your user in the top right of the screen.
    • In Polaris, generate it by navigating to your user Profile in the top left of the screen.
  4. Encrypt the token by using gcloud kms encrypt with the KeyRing and CryptoKey names created in the previous steps, as shown in the following command:

    KMS commands
    # - Optional: save the token to an environment variable
    export TOKEN=<<Token from Black Duck or Polaris>>

    # - Echo the token value (no trailing newline), pipe it to KMS encrypt,
    #   then pipe the ciphertext to base64.
    #   --plaintext-file=- reads the plaintext from stdin
    #   --ciphertext-file=- writes the ciphertext to stdout
    #   (a comment must not follow a trailing backslash, or the line continuation breaks)
    echo -n "$TOKEN" | gcloud kms encrypt \
      --plaintext-file=- \
      --ciphertext-file=- \
      --location=global \
      --keyring=[KEYRING-NAME] \
      --key=[KEY-NAME] | base64

  5. The command in step 4 outputs a base64-encoded string when it runs successfully.
    Copy this string and paste it into the build configuration file under secrets > secretEnv.

Sample build configuration file with Secrets decrypted with KMS

Sample build configuration YAML with KMS decrypted secrets
steps:
- name: 'gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner'
  secretEnv: [ 'BD_TOKEN' ]
  args:
  - '--blackduck.url'
  - '<<Black Duck URL>>' # The URL of your Black Duck Instance
  - '--blackduck.api.token'
  - '$$BD_TOKEN' # Black Duck API Token decrypted by KMS
  - '--detect.project.name'
  - '<<Project_Name>>' # Project Name to map scan to in Black Duck UI
  - '--detect.project.version.name'
  - '<<Project Version>>' # Project Version to map scan to in Black Duck UI
  - '--detect.tools'
  - 'SIGNATURE_SCAN' # List of Scanners to Run
  - '--detect.source.path'
  - '/workspace' # Target for Signature Scan
secrets:
- kmsKeyName: projects/[PROJECT_ID]/locations/global/keyRings/[KEY_RING_NAME]/cryptoKeys/[KEY_NAME]
  secretEnv:
    BD_TOKEN: <<base64 encoded encrypted Black Duck API Token>>
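A small checker for a build configuration like the one above, added here as an example (not Synopsys or Google code): it confirms that each kmsKeyName is a full CryptoKey resource name, that each secretEnv ciphertext is valid base64 (the output of the encrypt | base64 command in step 4), that every secret a step exposes is declared under secrets, and that --blackduck.api.token receives a $$ reference rather than a plaintext token. The config dict is a constructed sample with placeholder names; a real check would load cloudbuild.yaml with a YAML parser first.

```python
import base64
import re

# Constructed sample shaped like the page's cloudbuild.yaml after YAML parsing;
# project, key ring, URL and ciphertext are placeholders, not real values.
SAMPLE_CONFIG = {
    "steps": [{
        "name": "gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner",
        "secretEnv": ["BD_TOKEN"],
        "args": ["--blackduck.url", "https://blackduck.example.invalid",
                 "--blackduck.api.token", "$$BD_TOKEN",
                 "--detect.project.name", "demo-project"],
    }],
    "secrets": [{
        "kmsKeyName": "projects/demo-gcp-project/locations/global/keyRings/detect-ring/cryptoKeys/detect-key",
        "secretEnv": {"BD_TOKEN": base64.b64encode(b"<KMS ciphertext bytes>").decode()},
    }],
}

# Full CryptoKey resource name, the form the kmsKeyName field on the page uses.
KMS_KEY_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")
# Detect flags whose value is a credential; only the page's flag is listed (extend as needed).
SENSITIVE_FLAGS = {"--blackduck.api.token"}


def check_secrets(config):
    """Return a list of findings; an empty list means the config passes every check."""
    findings = []
    declared = set()  # secret names declared under secrets[].secretEnv
    for secret in config.get("secrets", []):
        key = secret.get("kmsKeyName", "")
        if not KMS_KEY_RE.match(key):
            findings.append(f"kmsKeyName is not a full CryptoKey resource name: {key!r}")
        for name, value in secret.get("secretEnv", {}).items():
            try:  # must be the base64 text produced by 'gcloud kms encrypt ... | base64'
                base64.b64decode(value, validate=True)
            except (ValueError, TypeError):
                findings.append(f"secret {name} is not valid base64")
            declared.add(name)
    for step in config.get("steps", []):
        exposed = set(step.get("secretEnv", []))
        for name in sorted(exposed - declared):
            findings.append(f"step {step.get('name')} exposes undeclared secret {name}")
        args = step.get("args", [])
        for i, arg in enumerate(args):
            if arg in SENSITIVE_FLAGS:  # value must be a $$NAME reference, never the token itself
                value = args[i + 1] if i + 1 < len(args) else ""
                if not (value.startswith("$$") and value[2:] in exposed):
                    findings.append(f"{arg} is passed in plaintext instead of a $$secretEnv reference")
            elif arg.startswith("$$") and arg[2:] not in exposed:
                findings.append(f"{arg} is referenced but not listed in the step's secretEnv")
    return findings
```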
©2020 Synopsys, Inc. All Rights Reserved