With KDT, you can list projects and their scans in Kondukto, and restart a scan with a specific application security tool. KDT is also easy to use in CI/CD pipelines to trigger scans and break releases if a scan fails or the scan results don't meet the specified release criteria.
What is Kondukto?
Kondukto is an Application Security Testing Orchestration platform that helps you centralize and automate your entire AppSec related vulnerability management process. Providing an interface where security health of applications can be continuously monitored, and a command line interface where your AppSec operations can be integrated into DevOps pipelines, Kondukto lets you manage your AppSec processes automatically with ease.
You can install the CLI with a curl utility script or by downloading the pre-compiled binary from the Github release page.
Once installed you'll get the kdt-cli command and
Utility script with curl (the installer runs under sudo):
$ curl -sSL https://cli.kondukto.io | sudo sh
Non-root with curl:
$ curl -sSL https://cli.kondukto.io | sh
To install the kdt-cli on Windows go to Releases and download the latest kdt-cli.exe.
Or you can also simply run the following if you have an existing Go environment:
go get github.com/kondukto-io/kdt
If you want to build it yourself, clone the source files from Github, change into the kdt directory and run:
git clone https://github.com/kondukto-io/kdt.git
cd kdt
go install
KDT needs a Kondukto host and an API token for authentication. API tokens can be created under the Integrations/API Tokens menu.
You can provide configuration by:
1) Setting environment variables (the example is for the BASH shell):
$ export KONDUKTO_HOST=http://localhost:8080
$ export KONDUKTO_TOKEN=WmQ2eHFDRzE3elplN0ZRbUVsRDd3VnpUSHk0TmF6Uko5OGlyQ1JvR2JOOXhoWEFtY2ZrcDJZUGtrb2tV
It is always better to set environment variables in shell profile files(
2) Providing a configuration file.
The default path for the config file is $HOME/.kdt.yaml. Another file can be provided with the --config command line flag.
# $HOME/.kdt.yaml
host: http://localhost:8088
token: WmQ2eHFDRzE3elplN0ZRbUVsRDd3VnpUSHk0TmF6Uko5OGlyQ1JvR2JOOXhoWEFtY2ZrcDJZUGtrb2tV
3) Using command line flags:
kdt list projects --host http://localhost:8088 --token WmQ2eHFDRzE3elplN0ZRbUVsRDd3VnpUSHk0TmF6Uko5OGlyQ1JvR2JOOXhoWEFtY2ZrcDJZUGtrb2tV
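Because the config file holds the API token in clear text, it should be created so that only the current user can read it. The helper below is an added example and is not part of KDT; the function names write_kdt_config and kdt_config_get, their argument order, and the sample host and token values are this example's own assumptions. It writes the same two-key YAML layout shown above, refuses a host without a scheme, and restricts the file mode before the token is written.

```shell
#!/bin/sh
# Added example, not KDT's own code. Writes a $HOME/.kdt.yaml-style config
# with restrictive permissions and reads keys back from it.
# Usage: write_kdt_config <host> <token> [path]   (path defaults to $HOME/.kdt.yaml)

write_kdt_config() {
    host="$1"; token="$2"; path="${3:-$HOME/.kdt.yaml}"
    # The host must be a full URL with scheme, as in the examples above.
    case "$host" in
        http://*|https://*) ;;
        *) echo "write_kdt_config: host must start with http:// or https://" >&2; return 1 ;;
    esac
    [ -n "$token" ] || { echo "write_kdt_config: empty token" >&2; return 1; }
    # Create the file readable only by the current user *before* the token
    # is written, so there is no window in which other local users can read it.
    old_umask=$(umask)
    umask 077
    printf '# %s\nhost: %s\ntoken: %s\n' "$path" "$host" "$token" > "$path"
    umask "$old_umask"
    # If the file already existed with looser permissions, tighten them too.
    chmod 600 "$path"
}

# Read one flat "key: value" entry back from the config file written above.
kdt_config_get() {
    key="$1"; path="${2:-$HOME/.kdt.yaml}"
    sed -n "s/^${key}:[[:space:]]*//p" "$path"
}
```

Run it once per CI runner or workstation, for example write_kdt_config http://localhost:8088 "$TOKEN" (the token value being a constructed placeholder here), and pass the resulting path to kdt with --config if it is not the default one.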
Most KDT commands are straightforward.
To list projects:
kdt list projects
To list scans of a project:
kdt list scans -p ExampleProject
To restart a scan, you can use one of the following:
id of the scan:
kdt scan -s 5da6cafa5ab6e436faf643dc
project and tool names:
kdt scan -p ExampleProject -t ExampleTool
To import scan results as a file:
kdt scan -p ExampleProject -t ExampleTool -b master
Command Line Flags
KDT has several helpful flags to manage scans. The following flags are valid for all KDT commands.
--host: HTTP address of the Kondukto server, including the port
--token: API token generated by Kondukto
--config: Configuration file to use instead of default one(
--async: Starts an asynchronous scan that does not block the process waiting for the scan to finish. KDT exits gracefully once the scan has started successfully.
--insecure: If provided, the client skips verification of the server's certificate and host name. In this mode TLS is susceptible to man-in-the-middle attacks. Not recommended unless you really know what you are doing!
--verbose: Prints more detailed logs. Useful for debugging.
Scan Commands Flags
The following flags are only valid for scan commands.
--project for providing project name or id
--tool for providing tool name
--scan-id for providing scan id
--branch for providing branch to scan
The --threshold-<severity> flags (for example --threshold-crit and --threshold-high) set the maximum number of vulnerabilities of the given severity to ignore. If any of these thresholds is exceeded, KDT exits with a non-zero status code.
--threshold-risk for failing the run if the scan produces a higher risk score than the last scan's risk score. Useful for keeping a project's security level under control: if used with every scan in DevOps pipelines, you ensure that the project never gets more vulnerable.
The risk threshold considers only the last two scans with the same tool. If the project does not have a previous scan with that tool, KDT will fail since it cannot compare risk scores.
Threshold flags don't work with the --async flag, since KDT exits as soon as the scan starts and is not able to check the scan results.
kdt scan -p SampleProject -t SampleTool --threshold-crit 3 --threshold-high 10 --threshold-risk
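A pipeline step usually wraps the command above so that the job fails fast on missing credentials or on an --async/threshold mix-up rather than after a long scan. The gate below is an added example and is not part of KDT; the function names kondukto_gate, kondukto_config_ok and args_allow_thresholds, the KDT_BIN and KDT_CONFIG variables, and the chosen threshold values are this example's own assumptions. It relies only on the behaviour the page documents: KDT reads KONDUKTO_HOST/KONDUKTO_TOKEN or $HOME/.kdt.yaml, returns non-zero when a threshold is exceeded or the scan fails, and cannot evaluate thresholds together with --async.

```shell
#!/bin/sh
# Added example, not KDT's own code: a CI gate around "kdt scan".
# KDT_BIN lets a test or a vendored binary replace the kdt on PATH (assumption).
# Usage: kondukto_gate <project> <tool> <branch> [extra kdt flags...]
# Returns 0 when the scan finished within the thresholds, 1 on a
# configuration problem, and kdt's own non-zero status otherwise.

KDT_BIN="${KDT_BIN:-kdt}"

# Fail before the scan if KDT has no way to authenticate: either both
# environment variables or a readable config file must be present.
kondukto_config_ok() {
    if [ -n "${KONDUKTO_HOST:-}" ] && [ -n "${KONDUKTO_TOKEN:-}" ]; then
        return 0
    fi
    [ -r "${KDT_CONFIG:-$HOME/.kdt.yaml}" ]
}

# Reject --async in a gate: KDT exits as soon as the scan starts, so the
# threshold flags would never be evaluated and the gate would always pass.
args_allow_thresholds() {
    for a in "$@"; do
        [ "$a" = "--async" ] && return 1
    done
    return 0
}

kondukto_gate() {
    project="$1"; tool="$2"; branch="$3"; shift 3
    if ! kondukto_config_ok; then
        echo "kondukto_gate: set KONDUKTO_HOST and KONDUKTO_TOKEN or provide a .kdt.yaml" >&2
        return 1
    fi
    if ! args_allow_thresholds "$@"; then
        echo "kondukto_gate: --async cannot be combined with threshold checks" >&2
        return 1
    fi
    # Constructed release criteria: no critical findings, at most 10 high,
    # and the risk score must not rise compared with the previous scan.
    # The "|| status=$?" form keeps the function usable under "set -e".
    status=0
    "$KDT_BIN" scan -p "$project" -t "$tool" -b "$branch" \
        --threshold-crit 0 --threshold-high 10 --threshold-risk "$@" || status=$?
    if [ "$status" -ne 0 ]; then
        echo "kondukto_gate: scan failed or release criteria not met (exit $status)" >&2
        return "$status"
    fi
    echo "kondukto_gate: $project/$tool on $branch passed release criteria"
    return 0
}
```

In a pipeline, call kondukto_gate ExampleProject ExampleTool "$CI_BRANCH" as the last step of the build; the job's own exit status then follows kdt's, so the release is blocked whenever Kondukto reports a breached threshold or a risk increase.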
Contributing to KDT
If you wish to get involved in KDT development, create issues for problems and missing features or fork the repository and create pull requests to help the development directly.
Before sending your PRs:
Create and name your branches according to Git Flow methodology.
For new features:
For bug fixes:
Properly document your code following idiomatic Go practices. Exported functions should always be commented.
Write detailed PR descriptions and comments.