Integrations
Integrate RaSEC into your development workflow with CI/CD pipelines, CLI tools, and webhooks.
Estimated reading time: 12 minutes
Overview
RaSEC provides multiple integration options to fit into your existing security testing workflow. Whether you're using CI/CD pipelines, command-line tools, or need real-time notifications, RaSEC has you covered.
CI/CD Integration
Automate security testing in your pipelines
CLI Tool
Command-line interface for automation
Webhooks
Real-time event notifications
CI/CD Integration
Integrate RaSEC into your continuous integration and deployment pipelines to automatically upload security scan results and receive notifications about vulnerabilities.
Supported Platforms: GitHub Actions, GitLab CI/CD, Jenkins, Azure DevOps, and any CI/CD system that supports HTTP requests.
GitHub Actions
RaSEC provides a GitHub Actions workflow template for automatically uploading security scan results.
Setup
1. Create API Token
Create an API token from Settings → API Tokens in the RaSEC dashboard.
2. Add GitHub Secrets
Add your API token as a GitHub secret:
RASEC_API_TOKEN - Your RaSEC API token
RASEC_API_URL - (Optional) API base URL, defaults to https://rasec.app
3. Create Workflow File
Create .github/workflows/rasec-ingestion.yml:
name: RaSEC Ingestion
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  upload-sarif:
    name: Upload SARIF Reports
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Upload SARIF files
        run: |
          # -print0 / read -d '' keeps paths containing spaces intact; the default
          # run shell (bash -e -o pipefail) fails the job if any upload fails.
          # <AUTH_HEADER> is a placeholder for the authentication header built
          # from the RASEC_API_TOKEN secret.
          find . -name '*.sarif' -type f -print0 | while IFS= read -r -d '' file; do
            echo "Uploading $file..."
            curl --fail --silent --show-error -X POST \
              -H "<AUTH_HEADER>" \
              -F "file=@$file" \
              "${{ secrets.RASEC_API_URL || 'https://rasec.app' }}/api/ingestion/upload" </dev/null
          done
  upload-nuclei:
    name: Upload Nuclei Reports
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Upload Nuclei files
        run: |
          # The parentheses are required: without them, -type f applied only to
          # the second -name pattern and directories could match the first.
          find . \( -name '*-nuclei.json' -o -name 'nuclei*.json' \) -type f -print0 | while IFS= read -r -d '' file; do
            echo "Uploading $file..."
            curl --fail --silent --show-error -X POST \
              -H "<AUTH_HEADER>" \
              -F "file=@$file" \
              "${{ secrets.RASEC_API_URL || 'https://rasec.app' }}/api/ingestion/upload" </dev/null
          done
Supported Formats
SARIF
CodeQL, Semgrep, and other SARIF-compatible tools
Nuclei
Nuclei JSON output format
OWASP ZAP
ZAP JSON and XML reports
Burp Suite
Burp JSON export format
CLI Tool
The RaSEC CLI tool provides a command-line interface for uploading security artifacts and managing ingestion jobs.
Installation
npm install -g @rasec/cli
Or use npx to run without installation:
npx @rasec/cli upload report.sarif --token YOUR_API_TOKEN
Commands
Upload Artifact
rasec upload <file> [options]
Upload a security artifact file for processing.
Options:
-t, --token <token> - API token (or set RASEC_API_TOKEN env var)
-u, --url <url> - API base URL (default: https://rasec.app)
# Using token flag
rasec upload report.sarif --token YOUR_API_TOKEN
# Using environment variable
export RASEC_API_TOKEN=your_token_here
rasec upload report.sarif
Check Job Status
rasec status <jobId> [options]
Check the status of an ingestion job. Note: Currently requires web UI authentication.
Environment Variables
RASEC_API_TOKEN - Your API token (alternative to --token flag)
RASEC_API_URL - API base URL (alternative to --url flag)
Webhooks
Webhooks allow you to receive real-time notifications when events occur in RaSEC. Configure webhooks from Settings → Webhooks in the dashboard.
Setting Up Webhooks
1. Create Webhook
Navigate to Settings → Webhooks and click "Create Webhook". Provide your webhook URL and select events to subscribe to.
2. Configure Secret
Set a webhook secret for HMAC signature verification. This ensures requests are from RaSEC.
3. Test Webhook
Use the "Test Webhook" button to send a test event and verify your endpoint receives it.
Supported Events
finding.created
Triggered when a new vulnerability is found
ingestion.completed
Triggered when an ingestion job completes successfully
ingestion.failed
Triggered when an ingestion job fails
tool.run.completed
Triggered when a tool execution completes
Webhook Payload
{
  "event": "finding.created",
  "timestamp": "2024-01-15T10:30:00Z",
  "data": {
    "findingId": "uuid",
    "title": "SQL Injection",
    "severity": "high",
    "vulnerabilityType": "SQLi",
    "affectedUrl": "https://example.com/api/users"
  }
}
Security: Signature Verification
All webhook requests include HMAC-SHA256 signatures in headers. Verify signatures to ensure requests are from RaSEC:
X-RaSEC-Signature: sha256=signature_here
X-RaSEC-Timestamp: 1234567890
The signature is computed as: HMAC-SHA256(timestamp + payload, secret)
Retry Logic
Failed webhook deliveries are automatically retried with exponential backoff:
- Initial retry: 1 minute
- Second retry: 5 minutes
- Third retry: 15 minutes
- Maximum retries: 5 attempts
Delivery history is available in the webhook management interface.
Third-Party Tool Integration
RaSEC can ingest results from popular security testing tools. Supported formats are automatically detected and parsed.
SARIF
Supported tools:
- CodeQL
- Semgrep
- SonarQube
- Any SARIF-compatible tool
Nuclei
Nuclei JSON output format
Automatically detects and parses Nuclei scan results
OWASP ZAP
ZAP JSON and XML reports
Supports both JSON and XML export formats
Burp Suite
Burp JSON export format
Import Burp Suite Professional scan results
Deduplication: RaSEC automatically deduplicates findings from multiple tools and sources, preventing duplicate entries in your security findings.
Best Practices
Use Dedicated API Tokens for CI/CD
Create separate API tokens for each CI/CD pipeline. This allows you to revoke access individually if needed and track usage per pipeline.
Verify Webhook Signatures
Always verify HMAC signatures in webhook handlers to ensure requests are from RaSEC and haven't been tampered with.
Handle Webhook Failures Gracefully
Implement idempotent webhook handlers and return 2xx status codes quickly. RaSEC will retry failed deliveries automatically.
Monitor Ingestion Jobs
Check ingestion job status after upload to ensure successful processing. Use webhooks to receive notifications automatically.
Next Steps
Learn more about RaSEC's capabilities: