# Automation examples

Here, we show a bunch of examples of how to use the automation engine for different tasks.

# Create your first rule

You now find yourself inside the automations system where you will be creating the rules.

New rule

To get started, add an if-statement. Here, you get multiple options to chose from, based on what you want to be a trigger. In this case, we want to create a rule that triggers if the CVSS score of a vulnerability is ranked as high:

Add if statement Add equality Add comparison

You can modify the condition by using and/or operators like this.

Add and operator

If this example, we have created a rule that triggers if dependency is new AND CVSS is high. Next, we want to add the action to execute when the condition is true. There are multiple options including

  • Failing pipeline -- Fails your pipeline if the rule conditions are met.
  • Pipeline warning
    • GitHub -- Pipeline check is set to neutral if the rule conditions are met and a warning is printed. The pipeline passes.
    • GitLab, Bitbucket and Azure Devops -- Pipeline passes but a warning is printed.
  • Notification by email
  • Mark as unaffected -- Vulnerabilities that meet the conditions are marked as unaffected in the Debricked tool.
  • Flag as vulnerable -- Vulnerabilities that meet the conditions are flagged as vulnerable in the Debricked tool.

In this example, we want to fail the pipeline if the condition is true.

Add trigger

If you don’t want the rule to apply for vulnerabilities that have been marked as unaffected by you or someone on your team, leave the checkbox in the bottom right checked:

Ignore unaffected vulnerabilities

Once you have configured your rule it’s time to generate it. Clicking the button (see above) will create a written statement below the rule maker:

Generated rule

Make sure that the statement corresponds to what you were looking to achieve with your rule. There might be changes that need to be made to fulfill the purpose. For example, when creating a rule such as above, where any vulnerabilities with CVSS high will fail your pipeline, but vulnerabilities that lack a cvss score. Once you are happy with the statement it’s time to hit the save button. Please note that saving your rule will make it apply immediately. Once you have saved your rule, it will appear in the "Data Management" view for the selected repository.

Congratulations, you have created your first rule 😃

# Create a global automation rule

To create a rule that affects multiple repos, click on Automations (opens new window) in the left menu.

Automations view

In this case, we are going to create a rule that affects 3 repositories. We start by adding the repositories in the list at the top. If you do not select repositories before clicking the add button, all repositories will be selected.

Then, we add a new rule for those repos by clicking the plus sign. After the rule is added, we can see the newly created rule in the list, along with the repos connected to the rule.

Automation add global rule

# Add a repo to existing global rule

Assume that we forgot one repository to the rule we created above. To add yet another repository to an already created rule, click on the rule to open the "Edit" view. Then, just add the missing repo in the drop-down list, hit "Generate rule" and save.

Automation edit global rule

Of course, the same method applies if you want to remove a specific repository from a rule.

Another approach is to go into the specific repository that you want to add to an existing rule, and add a rule with the same "signature" (the rule in plain text) as the existing rule. The rules will then be merged into a single rule, covering all added repositories.

Automation merge global rules

# View affected repos for a global rule

You can use the drop-down list as a filter to see which rules apply to one or more repositories by selecting repositories in the list. The filtered rules show all repos affected by the rules.

Automation filter rules

# Prevent new dependencies with vulnerabilities

Imagine you have a developer branch called dev where you add new exciting features. Being security-aware, you want to fail the pipeline if a new commit introduces a new vulnerability with a severity of high or more. You also want to be notified of this incident.

This is how you would go about setting up that rule in our automation engine.

Automation use case 1

# CVSS score is missing

The rule we just created will not trigger for vulnerabilities that lack a CVSS score. This does not mean that the vulnerability is not severe, but that the data source lacked the CVSS score information. To account for this, you can add the statement:

OR CVSS is missing.

Keep in mind that adding the OR statement does not take previous if or AND statements into consideration. In this example we therefore also want to add the statement:

AND dependency is new

to keep the rule from applying to existing dependencies when CVSS is missing. See condition precedents for more on this.

# Prevent unknown license families and GPL

In this scenario, we want to fail the pipelines if we include dependencies with either an unknown license family, or if the dependencies has any of the GPL-2.0 and AGPL-3.0 licenses. We also wish to notify all the administrators for the company account.

Prevent unknown license family or GPL

# Set up a webhook with Slack

You can use the automation engine to send notifications in Slack. However, you may need to use a middleware. For this example, we are going to use Zapier to create a webhook URL. See our webhooks integration for more information. Note that you'll need the paid version of zapier.

Below we are showing you the steps to set up Zapier, and Slack to send notifications when your automation conditions are true.

To set this up:

  • Go to the Zapier application, and click on the button “Create a Zap”
  • Click on the Trigger action
  • Search for and select “Webhooks by Zapier”
  • Click the Event dropdown and select “Catch Hook”
  • Copy the Webhook URL
  • Click “Continue” and “Test trigger”

Zapier Webhook URL

Once you have the URL, go back to the Automations page, on the left side menu at Debricked. You can either create a new rule or edit an existing one. In the then statement, add a "trigger webhook" action to the rule. Paste into the field, the webhook URL you copied from Zapier.

Don't forget to click "send sample request" to test it. A request will be sent, and you will be able to see the information in Zapier. If everything went okay, you will get the response shown below. Click on “Generate rule” and “Save”.

Rule trigger a webhook

Now that you set up your webhook in Zapier, you can use it to send messages between apps, in our case, we are going to use Slack. Now it’s time to configure the notification and decide what information the message will include.

To set up the notification:

  • Go to Zapier
  • Click on the Action step, and select “Slack”
  • Click on the Event dropdown menu and select the action to perform, for example, “Send Channel Message”
  • Click on "Choose account" and follow the instructions on the page to connect your Slack account to Zapier
  • Click on "Set up action" and select the data that you want to send using the dropdown menus and/or the form fields. By clicking the "message text" field, it is possible to select what information you want included from us in the message.
  • Click on “Test & Continue”
  • Click on “Publish Zap”

Now you are ready to receive Slack notifications from Debricked!

Zapier webhook with Slack

# Edit a rule

If you wish to edit a rule, click the three dots on the right-hand side of the rule and select "edit rule".

Edit rule

You’ll now be able to add or remove one or multiple conditions and actions. To enable the changes, press "Generate rule" and "Save".

# Disable a rule

To disable a rule, simply drag the button to the left.

Disabling rule

# Delete a rule

To permanently delete a rule, click the three dots on the right hand side of the rule and select "delete rule".

Delete rule

Tip

If you want to deactivate or disable the rule for only a few affected repositories:

  1. Click Edit rule Delete rule
  2. Remove repo from the top dropdown Disabling rule