This repository is an example of how to install the Contrast Security Agent in a Ruby on Rails application.
It also demonstrates a simple CI/CD pipeline that builds the Docker container when a PR is raised and deploys the container into an Amazon ECS service once merged.
Since I detailed the instrumentation steps in the Python project, I'll start here by explaining the GitHub Actions workflows. Please scroll down for the Ruby instrumentation steps.
The Contrast Security agent is installed as a Gem and runs in-process alongside your application code, serving as an IAST agent, an SCA tool for the Gems the application loads, and a runtime self-protection (RASP) tool. Because it observes the running application rather than scanning source statically, it only reports on code paths that are actually exercised. For more information, check out their website and Community Edition.
- Original vulnerable application source code taken from: OWASP/railsgoat
- Only changes made are to instrument the application with Contrast Security
This repo includes GitHub Actions workflows that build the Docker image with the Contrast agent installed, run the application's test suite against that image in GitHub Actions, and then push the built image to Amazon ECR and deploy it into an ECS service.
GitHub Actions provide a powerful way to automate CI/CD tasks like building and deploying new versions of your application.
In this repository, I configured two main workflows as follows:
- `.github/workflows/build-railsgoat-image.yml`: builds and tests the Rails application in GitHub Actions (within the free action-minutes allowance).
  - Runs when a PR is raised, or manually
  - Builds an Ubuntu image and installs Rails and the Gem dependencies, including the Contrast Security Gem
  - Runs the rspec tests included with the application and only succeeds if all tests pass
- `.github/workflows/deploy_to_aws_ecs.yml`: builds and deploys the Rails application as a container to Amazon ECS.
  - Builds the application image specified in the Dockerfile, which includes the Contrast agent
  - Pushes the built image to an Amazon ECR repository
  - Uses an ECS task definition to deploy the new image into an ECS service in place of the previous version of the application
  - Waits for service stability and fails if this is not achieved
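As an added illustration (not one of this repository's own workflow files), here is a deploy workflow in the shape described above. It follows the same action chain as GitHub's "Deploying to Amazon ECS" guide listed in the resources at the end of this page. The region, ECR repository, cluster, service, task-definition path, container name and the `AWS_DEPLOY_ROLE_ARN` secret are placeholders I have assumed; substitute your own.

```yaml
# .github/workflows/deploy_to_aws_ecs.yml (illustrative; all names below are assumed placeholders)
name: Deploy to Amazon ECS

on:
  push:
    branches: [ main ]
  workflow_dispatch:

permissions:
  id-token: write   # only needed for the OIDC role-to-assume variant used below
  contents: read

env:
  AWS_REGION: eu-west-2                           # assumed
  ECR_REPOSITORY: railsgoat-contrast              # assumed
  ECS_CLUSTER: railsgoat-cluster                  # assumed
  ECS_SERVICE: railsgoat-service                  # assumed
  ECS_TASK_DEFINITION: .aws/task-definition.json  # assumed path of the committed task definition
  CONTAINER_NAME: railsgoat                       # must match the container name in the task definition

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build, tag and push the image
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          # The Dockerfile installs the contrast-agent gem via bundle install.
          # Contrast API credentials are deliberately NOT baked into the image here;
          # they are supplied to the task at runtime (see the note below).
          docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"

      - name: Render the task definition with the new image
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: ${{ env.ECS_TASK_DEFINITION }}
          container-name: ${{ env.CONTAINER_NAME }}
          image: ${{ steps.build-image.outputs.image }}

      - name: Deploy to ECS and wait for service stability
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          service: ${{ env.ECS_SERVICE }}
          cluster: ${{ env.ECS_CLUSTER }}
          wait-for-service-stability: true
```

This variant authenticates with OIDC (`id-token: write` plus `role-to-assume`); if you use a long-lived access key instead, pass `aws-access-key-id` and `aws-secret-access-key` from repository secrets and drop the `id-token` permission. The final step fails the job if the service does not reach a stable state, which is the behaviour the page describes. Keep the Contrast credentials out of the image and out of the repo: Contrast agents read every YAML setting from an environment variable named after its path with double underscores (`CONTRAST__API__URL`, `CONTRAST__API__API_KEY`, `CONTRAST__API__SERVICE_KEY`, `CONTRAST__API__USER_NAME`), so declare those as `secrets` in the task definition, sourced from AWS Secrets Manager or SSM, and the agent picks them up at task start.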
For more information on using GitHub actions like this, checkout their extensive [documentation here][Github Actions].
This setup requires a significant amount of configuration in the AWS console (the ECR repository, the ECS cluster, task definition and service, and IAM permissions for the deploying identity) that is not intended to be part of this document. I may write a future blog post detailing this process. To get started on your own, check out the GitHub Actions documentation and the AWS ECS getting started guide.
What follows is a step-by-step guide to installing the agent in this specific application. Instrumentation requirements vary per technology stack, so please refer to the official Contrast Security documentation for other stacks.
The agent is installed as a Ruby Gem and can be found here. Install it by adding the Gem to your `Gemfile` and rebuilding the container:

```ruby
# Adding the Contrast agent
gem 'contrast-agent'
```
If you are installing the agent in a running application or outside of a container, you will need to run `bundle install` and may need to restart the Rails server.
Unlike with the Python project, we don't require any additional configuration to enable middleware in Rails. Other Ruby frameworks may require middleware configuration, however, so refer to the Contrast documentation for your framework.
Using the YAML template provided in this repo, or one downloaded from the Contrast web portal, we configure the agent in `config/contrast_security.yml`:

```yaml
api:
  url: https://eval.contrastsecurity.com/Contrast
  api_key: XXX
  service_key: XXX
  user_name: XXX@XXX
application:
  name: VulnerableApp-Rails-Demo
  code: demo-2
```
⚠️ Do not commit API credentials to your GitHub repo! A template `contrast_security.yml.dist` file has been provided for your convenience. Copy it to `contrast_security.yml` and add your API details. `contrast_security.yml` is already listed in `.gitignore`; make sure you don't remove that entry or force-add the file anyway. For the container running in ECS, the same settings can be supplied at runtime as environment variables named after the YAML path with double underscores (for example `CONTRAST__API__API_KEY`), which avoids baking the credentials into the image at all.
The Ruby agent looks for configuration in some default places: either `/opt/contrast/contrast_security.yaml`, or alongside the other configuration files in `config/contrast_security.yaml`, which is where I have placed it. Note the file extension: if the agent does not pick up your configuration, check which filename (`.yaml` or `.yml`) the agent version you installed actually searches for.
Now run your application and browse around the pages as you normally would. If everything worked, then when you next go to your Contrast Security dashboard you'll see details for the new application and any security issues that have been detected.
A list of resources that I found particularly useful when attempting this:
- Contrast Security Documentation
- [Agents -> Python agent][Python agent]
- GitHub: Deploying to Amazon Elastic Container Service
- Getting started with the classic console using Linux containers on AWS Fargate
- Contrast blog: GitHub Actions Blog Series, Part 1: Pipeline Native Code Analysis
- RailsGoat Vulnerable Application
- My Python project, which does the same as this one: mowsec/vulnerable-python-contrast