Digitsec is a robust Salesforce application for DevOps practice. Utilizing with Gearset will link Sandbox, Test, and Production environments across a development pipeline without the worry of various deployment quirks.
Adding security testing throughout this practice is what makes it DevSecOps. Security testing is imperative when developing applications in Salesforce because vulnerabilities introduced by custom code, configuration changes, or third-party integrations are the Salesforce customer’s responsibility. Any subsequent data leakage from a malicious attack that happens because of insecure custom code rests on the company’s shoulders.
DigitSec Highlights
Comprehensive (4-scans-in-1) security testing built specifically for Salesforce that includes:
Static Application Security Testing (SAST)
Software Composition Analysis (SCA)
Custom runtime testing (IAST)
Cloud security configuration review
Each vulnerability found includes:
Security implications
Remediation steps
Vulnerability tracing, reducing false-positives
Historical remediation tracking
Compliance implications for GDPR, HIPAA, PCI-DSS, ISO 27001, APPI, NIST.
It's possible for Gearset to integrate with Digitsec to run Security Tests within a pipeline. This article is to describe how to configure that.
How does it work?
Each Pull Request in a pipeline will display the status of a DigitSec scan.
How to configure it?
All configuration will be done in DigitSec and Git. This document outlines how to connect to GitHub by updating the Personal Access Token & Webhook. Digitsec can integrate with Gitlab, Bitbucket and Azure.
Once this is completed, Gearset will automatically pull these statuses into the pipeline.
The result?
Each pull request will display the scan from DigitSec. Within git, the status shows in the pull request:
Gearset will pull this into pipelines displaying the following for Failures:
Passing:
