DigitSec Integration

Updated 1 week ago by Copado Solutions

Introduction

Copado's DigitSec integration helps security teams secure the Salesforce SDLC with features designed to accelerate the adoption of DevSecOps in the CI/CD pipeline, speed up deployments by reducing false positives, and secure your code, libraries, apps, and org with one solution. The integration is available as an unmanaged package that you install in the same Salesforce org in which Copado is installed. The integration offers the following main benefit:

  • Perform four targeted and integrated scans designed to work together: Static Source Code Analysis, Interactive Runtime Testing, Software Composition Analysis, and Cloud Security Configuration Review.

Considerations

Make sure that Copado is completely set up and working according to our best practices. For more information, review the Copado Base Setup and Implementation article.

Setup

The first thing you need to do is log in to our Success community and install the package found under the DevOps Exchange tab. You can install it in a sandbox or in a production/developer org, and you can install it for admins only (the recommended option), for all users, or for specific profiles.

Configure the parameters

Once the package is successfully installed, you need to:

  1. Identify the following DigitSec parameter:
    1. Org Id: Unique ID identifying an org in DigitSec. This ID is found in the DigitSec Salesforce Orgs URL:
    Unique ID DigitSec
  2. Configure this parameter in Salesforce:
    1. Go to Setup > Custom Settings and click on Manage next to DigitSec.
      DigitSec Custom Settings
    2. Click on New.
    3. Enter the DigitSec orgId.
    4. Click on Save.

Configure the Named Credential Settings

Now, you need to configure a named credential. According to Salesforce, a named credential specifies the URL of a callout endpoint and its required authentication parameters. To configure a named credential, follow the steps below:

  1. Go to Setup > Named Credentials and click on New Named Credential:
    Named Credentials
  2. Fill out all the relevant fields:
    1. For Label and Name: Enter Digitsec
    2. URL: Enter https://s4.digitsec.com/
    3. Identity Type: Select Named Principal. This means that one user will provide the authentication for all callouts from Salesforce to the external application.
    4. Authentication Protocol: Select Password Authentication.
    5. Username: Fill it out with your DigitSec username.
    6. Password: Fill it out with your DigitSec password.
    7. Set the Generate Authentication Header checkbox to True.
    8. Click on Save. Your named credential should look like this:
    DigitSec Named Credential
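
The following Apex class is an added example written for this article; it is not part of the Copado DigitSec package. It shows what the named credential configured above buys you: a callout to `callout:Digitsec` resolves to the stored URL, and because Generate Authentication Header is enabled, Salesforce adds the Authorization header from the named principal's username and password, so no secret is ever written into Apex. The custom setting API name `DigitSec__c`, its field `orgId__c`, and the REST path `/api/orgs/{orgId}` are assumptions made for illustration and are not documented on this page.

```apex
// Added example, not Copado's or DigitSec's own code.
// ASSUMED names: DigitSec__c / orgId__c (custom setting) and /api/orgs/{orgId} (REST path).
public with sharing class DigitSecClientExample {

    // Reads the org id stored in the DigitSec custom setting configured in
    // Setup > Custom Settings. Fails loudly if the setting was never filled in.
    public static String getConfiguredOrgId() {
        DigitSec__c settings = DigitSec__c.getOrgDefaults();
        if (settings == null || String.isBlank(settings.orgId__c)) {
            throw new DigitSecConfigException(
                'DigitSec orgId is not configured in Custom Settings.');
        }
        return settings.orgId__c;
    }

    // Performs a GET against DigitSec through the "Digitsec" named credential.
    // 'callout:Digitsec' expands to https://s4.digitsec.com/ and Salesforce
    // injects the Basic Authorization header from the named principal, so the
    // password never appears in code, debug logs, or version control.
    public static HttpResponse fetchOrgSummary() {
        String orgId = getConfiguredOrgId();

        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Digitsec/api/orgs/' + EncodingUtil.urlEncode(orgId, 'UTF-8'));
        req.setMethod('GET');
        req.setHeader('Accept', 'application/json');
        req.setTimeout(30000);

        HttpResponse res = new Http().send(req);

        // A 401/403 means DigitSec rejected the stored credentials: correct them
        // in the named credential record, not by hardcoding a new password here.
        if (res.getStatusCode() == 401 || res.getStatusCode() == 403) {
            throw new DigitSecConfigException(
                'DigitSec rejected the named credential (HTTP ' + res.getStatusCode() + ').');
        }
        return res;
    }

    public class DigitSecConfigException extends Exception {}
}
```

Because the identity type is Named Principal, every user who triggers this callout is authenticated as the single DigitSec account stored in the named credential; restrict who can invoke the scan button accordingly, and rotate that DigitSec password by editing the named credential rather than redeploying code.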

Configure the DigitSec Security Scan Button

The integration package provides a DigitSec Security Scan button that triggers a scan on DigitSec against a user story branch.

You need to add this button to the User Story custom object. To do so, follow the steps below:

  1. Go to Setup > Object Manager and select the User Story custom object.
  2. Navigate to Page Layouts and select User Story Layout V.17.
  3. Inside the Page Layout editor, drag and drop the DigitSec Security Scan button to the Salesforce Mobile and Lightning Experience Actions section.
  4. Click on Save.
  5. Now, you can run DigitSec Security Scan from Copado user stories.

Each scan creates a Copado Result record that contains a link to view the findings in DigitSec; the SARIF findings file is attached to that Result record.
