Integrating Chalk with CI/CD Platforms

We provide high-level integrations for major CI/CD platforms. If there’s another platform you’d like to see us add support for, please get in touch.

GitHub Actions

Here’s how to incorporate Chalk into your GitHub Actions workflow:

  1. Add our setup-chalk-action as a step. This automatically wraps all subsequent docker invocations with Chalk.

    - name: Set up Chalk
      uses: crashappsec/setup-chalk-action@main
      with:
        load: |
          https://chalkdust.io/run_sbom.c4m
          https://chalkdust.io/run_sast.c4m
          https://chalkdust.io/run_secret_scanner.c4m
    
  2. If you then follow up with an action like docker/build-push-action, the built image will be Chalk-marked.

    - name: Build and push
      uses: docker/build-push-action@v6
      with:
        push: true
        tags: user/app:latest
    
  3. If you’re not building a Docker image, or to insert Chalk marks for any other files, use chalk insert:

    - name: Build application
      run: |
        # Your normal build commands here
        make myapp
    
    - name: Apply Chalk mark
      run: |
        chalk insert ./myapp
    
  4. Optionally, store the Chalk log as a GitHub artifact:

    - name: Upload Chalk report
      uses: actions/upload-artifact@v3
      with:
        name: chalk-report
        path: ~/.local/chalk/chalk.log
    

You can find an example of this in our hello-world repository’s build.yml.

GitLab CI/CD

Here’s how to incorporate Chalk into your GitLab CI/CD pipelines:

# .gitlab-ci.yml
build:
  image: docker:cli
  stage: build
  services:
    - docker:dind
  variables:
    CHALK_URL: https://crashoverride.run/setup.sh
  before_script:
    - apk add curl --no-cache
    - >
      sh <(curl -fsSL $CHALK_URL) --load="
        https://chalkdust.io/run_sbom.c4m
        https://chalkdust.io/run_sast.c4m
        https://chalkdust.io/run_secret_scanner.c4m
      "
  script:
    - docker buildx build -t myimage .

You can find an example of this in our hello-world repository’s .gitlab-ci.yml.

Other CI/CD

Similarly, Chalk can be installed in any CI/CD system via setup.sh:

sh <(curl -fsSL https://crashoverride.run/setup.sh) --load="
  https://chalkdust.io/run_sbom.c4m
  https://chalkdust.io/run_sast.c4m
  https://chalkdust.io/run_secret_scanner.c4m
"

Next steps

Now that you’ve got Chalk working with your CI pipeline, take it a step further by:

Best practices

  • Store Chalk binary in your artifact repository: Instead of downloading Chalk in every pipeline run, consider storing the binary in your organization’s artifact repository for faster and more reliable access.

  • Version pin your Chalk binary: Explicitly specify which version of Chalk to use to ensure consistent behavior across pipeline runs.

  • Use CI/CD secrets for sensitive configuration: Never hardcode API keys, passwords, or other sensitive information in your pipeline configuration.

  • Cache the Chalk configuration: For complex configurations, consider creating a custom Docker image with Chalk pre-installed and configured.

  • Incorporate Chalk verification in deployment gates: Before promoting artifacts to production, verify their Chalk marks to ensure they haven’t been tampered with.

  • Integrate with security scanning: Use the security information collected by Chalk (SBOMs, SAST results) as input for additional security scanning tools.

  • Include Chalk reports in compliance documentation: For regulated industries, archive Chalk reports alongside other build artifacts to help meet compliance requirements.
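The following script is an added example (not part of Chalk, setup.sh, or the Chalk project's own tooling) that puts the first two practices above into code alongside the setup.sh-style install from the Other CI/CD section: it fetches a specific Chalk release from an internal artifact repository, refuses to install it unless its SHA-256 digest matches the value pinned in the pipeline configuration, and fails closed when no digest is pinned at all. The artifact URL, version, install directory, and digest are placeholders supplied through environment variables, and the function names are this example's own. It only installs the binary; loading Chalk configuration modules still happens as shown in the sections above.

```shell
#!/bin/sh
# Added example (not Chalk's own code): install a version-pinned Chalk binary
# from an internal artifact repository and refuse to run it unless its SHA-256
# digest matches the pin recorded in the pipeline. All URLs, versions and
# digests here are placeholders to be replaced with your own values.

CHALK_VERSION="${CHALK_VERSION:-X.Y.Z}"   # placeholder; pin a real release
CHALK_ARTIFACT_URL="${CHALK_ARTIFACT_URL:-https://artifacts.example.internal/chalk/${CHALK_VERSION}/chalk}"
CHALK_SHA256="${CHALK_SHA256:-}"          # digest recorded when the release was vetted
CHALK_INSTALL_DIR="${CHALK_INSTALL_DIR:-$HOME/.local/bin}"

# Print the SHA-256 hex digest of a file, using whichever tool the runner has.
digest_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only for a well-formed 64-character lowercase hex digest, so an
# unset or mistyped pin cannot silently disable verification.
is_sha256_hex() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Return 0 if the file's digest equals the pinned digest, 1 otherwise.
verify_pinned_binary() {
  file="$1"
  expected="$2"
  actual=$(digest_of "$file") || return 1
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "chalk digest mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Download the pinned release, verify it, then install it. On any failure the
# downloaded file is removed so a later pipeline step cannot pick it up.
install_pinned_chalk() {
  if ! is_sha256_hex "$CHALK_SHA256"; then
    echo "CHALK_SHA256 is not a 64-character hex digest; refusing to install an unverified chalk" >&2
    return 1
  fi
  tmp=$(mktemp) || return 1
  if ! curl -fsSL "$CHALK_ARTIFACT_URL" -o "$tmp"; then
    echo "download failed: $CHALK_ARTIFACT_URL" >&2
    rm -f "$tmp"
    return 1
  fi
  if ! verify_pinned_binary "$tmp" "$CHALK_SHA256"; then
    rm -f "$tmp"
    return 1
  fi
  mkdir -p "$CHALK_INSTALL_DIR" || { rm -f "$tmp"; return 1; }
  chmod 0755 "$tmp"
  mv "$tmp" "$CHALK_INSTALL_DIR/chalk" || { rm -f "$tmp"; return 1; }
  echo "installed chalk $CHALK_VERSION to $CHALK_INSTALL_DIR/chalk"
}

# Run the install only when invoked as `sh install_chalk.sh install`, so the
# file can also be sourced to reuse the functions without side effects.
# Example pipeline usage (GitLab before_script or a GitHub Actions run step):
#   CHALK_VERSION=1.2.3 CHALK_SHA256=<digest you recorded for 1.2.3> \
#     sh install_chalk.sh install && export PATH="$HOME/.local/bin:$PATH"
if [ "${1:-}" = "install" ]; then
  install_pinned_chalk || exit 1
fi
```

Because the pin is a digest rather than a version string, replacing the file in the artifact repository without updating the pipeline makes the job fail instead of quietly running different code; rotate the pin as part of the same change that bumps CHALK_VERSION.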

Troubleshooting

Common issues

  • Missing Git metadata: Ensure your CI/CD checkout step fetches the full repository history to allow Chalk to capture accurate git information.

  • Docker-in-Docker issues: When using Chalk with Docker in CI/CD environments, ensure your container runtime has the necessary permissions.

  • File permission problems: CI/CD environments often run with restricted permissions. Ensure Chalk has write access to the artifacts it needs to mark.

Debugging tips

  • Increase Chalk’s log level for more verbose output by loading the debug.c4m module from https://chalkdust.io/debug.c4m:

    - name: Set up Chalk
      uses: crashappsec/setup-chalk-action@main
      with:
        load: |
          https://chalkdust.io/debug.c4m
    
  • Use the --show-config flag to debug configuration issues:

    chalk --show-config version
    
  • Test your Chalk configuration locally before integrating it into your CI/CD pipeline.