Meterian
  • Meterian
    • The Platform
    • SSO and MFA
    • Support
  • Codebase scanner
    • The Thin Client
      • How does the client work?
      • How does the client authenticate me?
      • How do I get the client?
      • What if I need a previous release?
      • Use the thin client on Windows
    • Using the client from your command line
      • Authorization in interactive mode
      • Interrupting the client
      • Example: running the client in interactive mode
    • Using the client in your CI/CD pipeline
      • Authorization in non-interactive mode
      • Providing the project branch
      • Concurrent mode
      • Two phases build
      • Controlling the exit code
      • Example: running the client in non-interactive mode
    • General operations
      • Running the analysis remotely
      • Interrupting the client
      • Generating a report
      • Forcing or avoiding specific scans
      • Excluding (and including) specific folders
      • Connecting through a proxy
    • System requirements
    • Command line parameters
      • General configuration
      • Overriding scores
      • Overriding scopes
      • Producing reports
      • Selecting scanners
      • Defining projects
      • Advanced options
        • Autofix
        • Pull Requests
      • System information
      • Specific controls
        • Maven specific controls
        • Dotnet specific controls
        • Npm/Yarn specific controls
        • Gradle specific controls
        • Ant/Ivy specific controls
    • The Dockerized Client
      • Basic usage
      • Advanced usage
        • Invoking via Docker
        • Platform-specific images
        • Usage on a CI/CD platform
        • Disable the client auto-update
      • Troubleshooting
        • Client auto update failure
        • Docker specifics
    • How scores work
    • Guide: your first scan!
      • Your first scan (java thin client)
      • Your first scan (dockerized client)
      • Your first scan (GitHub Action)
  • Scan behaviour matrix
  • THE METERIAN DASHBOARD
    • The Web Dashboard
      • Projects
      • Insights
      • Tokens
      • Badges
      • Policies
      • Tags
      • Teams
      • Configuration
        • Automatic Temporary Branches Clean-up
    • Advanced functionalities
      • Multi-factor Authentication
      • Safe versions
      • Software Bill Of Materials (SBOM)
      • Auto-grouping
        • Domain auto-grouping
        • Github auto-grouping
      • How to set a vulnerability exclusion
        • From the report page
        • From the dashboard
        • The .meterian file
        • Generate the .meterian file
    • Troubleshooting
      • Login with credentials
  • Notifications
    • Sentinel
      • Notifications for Slack
      • Notifications for Email
    • Allerta
  • Github Badges
    • Introduction
    • Public repository
    • Private repository
  • ONLINE INTEGRATIONS
    • Introduction
    • GitHub Action
      • Using the Thin Client
      • Code scanning
    • Bitbucket Pipe
    • Azure DevOps Pipelines
  • Languages support
    • Introduction
    • C/C++
    • Clojure
    • Dart / Flutter
    • Elixir (erlang)
    • Golang
    • Java/Kotlin/Scala
      • Scanning EAR or WAR files
    • Javascript
    • .NET
      • Scanning DLLs
    • NodeJS
    • Perl
    • PHP
    • Python
    • R
    • Ruby
    • Rust
    • Swift / Objective-C
    • Generic (third party)
  • Special platfoms
  • Unity Packages
  • Jupyter Notebooks
    • License detection
  • Yocto license manifests
  • Container scanner
    • Container Scanner
      • Introduction
      • General usage
      • Command line parameters
        • General configuration
        • Overriding scores
        • Producing reports
        • Defining projects
        • Advanced Options
        • System information
      • How to set a vulnerability exclusion
  • IaC SCANNER
    • Introduction
    • General usage
    • Command line parameters
      • Producing reports
      • Defining projects
    • Policy management page
    • How to set a vulnerability exclusion
  • CI INTEGRATIONS
    • Introduction
    • AWS CodeBuild
    • Azure DevOps
      • Using the Docker image
      • Using the Java Thin client
    • Bamboo
    • Bitrise
    • CircleCI
    • CodeShip
    • Concourse CI
    • Generic CI
    • GitLab CI/CD
      • Docker-in-Docker configuration
      • Meterian Docker image configuration
      • Non-Meterian Docker image configuration
    • Jenkins
      • Pipeline
    • TeamCity
    • TravisCI
  • DevOps Integrations
    • GitLab Ultimate
    • SonarQube
      • Compatibility
      • Download and installation
      • Plugin properties
      • Usage
      • Report page
  • Management Platforms
    • Threadfix
    • DefectDojo
      • Uploading from a CI
    • Armorcode
    • Jira
  • Dedicated Instance
    • Introduction
    • On Cloud (MC/CC)
    • On Premises (OP)
      • Requirements and install
      • Managing the system
        • Admin dashboard
        • Managing your license
        • Managing accounts
    • Using the scanners
      • Thin client
      • Dockerized client
      • Container Scanner
      • IaC Scanner
  • Meterian API
  • API basics
  • Authorizing the APIs
  • Account APIs
    • Knowing your account
    • Listing your projects
  • Samples
  • Guides
    • Managing teams and members
    • Generating reports via APIs
Powered by GitBook
On this page

Was this helpful?

  1. CI INTEGRATIONS

Concourse CI

PreviousCodeShipNextGeneric CI

Last updated 1 year ago

Was this helpful?

Integrate Meterian with Concourse CI pipeline

Assuming you have a working instance of Concourse CI, integrating Meterian only involves a few simple steps. These consist of a secrets pre-configuration to ensure the scan is authenticated and the addition of a task to a pipeline to execute said scan.

Secrets pre-configuration

In a .yml file set the key METERIAN_API_TOKEN as it follows

# secrets.yml
METERIAN_API_TOKEN: your API token

To retrieve a Meterian API Token visit the ; in your account select the tab "Tokens" and create a new one, or use an existing one.

API tokens are available only on paid account. To upgrade your subscription, please .

Meterian scan pipeline task

Now prepare a pipeline where the codebase you intend to scan is firstly pulled as a resource and then scanned by the Meterian client (to learn more about the pipeline syntax please refer to the )

# pipeline.yml
resources:
- name: source-code
  type: git
  source:
    uri: your repository uri
    branch: the target branch

jobs:
- name: you-job-name
  plan:
  - get: source-code
    trigger: true
  - task: meterian-scan
    config:
      platform: linux
      image_resource:
        type: registry-image
        source: 
          repository: meterian/cli
      inputs:
        - name: source-code
          path: .
      run: 
        path: /root/concourse.sh
        args: [ comma-separated arguments for the client ]
      params:
        METERIAN_API_TOKEN: ((METERIAN_API_TOKEN))

In case of an on-premise instance of Meterian you also will need to specify the following params

CLIENT_ENV: your site environment (e.g. www.meterian.io -> www )
CLIENT_PROTO: your site protocol 
CLIENT_DOMAIN: your site domain (e.g. www.meterian.io -> meterian.io )

$ fly -t <Concourse target name> \
  set-pipeline -p <pipeline name> \
  -c pipeline.yml \
  -l secrets.yml

Adjustments for private repositories

The above example works great with public repositories but in order to use private repositories the pipeline requires some minor tweaks.

Refer to the resource object and update your repository uri to a git ssh clone uri and add your deploy private key through the private_key attribute as it follows

resources:
- name: source-code
  type: git
  source:
    uri: git@github.com:...
    branch: main
    private_key: ((private-key))

Now apply the changes through the fly client binding your private key to the variable private-key

$ fly -t <Concourse target name> \
  set-pipeline -p <pipeline name> \
  -c pipeline.yml \
  -l secrets.yml \
  -v private-key="$(cat /path/to/your/private/key)"

Caveats

  - task: meterian-scan
    config:
      platform: linux
      image_resource:
        type: registry-image
        source: 
          repository: meterian/cli
      inputs:
        - name: source-code
          path: .
      run: 
        path: /root/entrypoint.sh
        args:  [ --project-branch=correct-branch-name ]
      params:
        METERIAN_API_TOKEN: ((METERIAN_API_TOKEN))

Once done run the following command to apply this pipeline to your Concourse CI instance

This example triggers a build whenever your repository is updated on GitHub. The repository is treated as a resource arbitrary named "source-code". Note there are countless resources developed by the Concourse CI community so consider consulting their for other alternatives.

If you haven't already, create and set up deploy keys for your private repository following .

As of now the git-resource causing the scan to report a misleading branch name unless the appropriate override is provided. To fix this issue provide the --project-branch arguments with the right branch name to the Meterian scan task

A full list of available client arguments can be found here

Meterian Dashboard
contact us
official documentation
fly client
git-resource
catalog
this guide
always pulls the specified branch in detached mode
https://docs.meterian.io/the-client/command-line-parameters