Gradle

You can find out more about our Gradle plugin in our blog post.

Gradle is a build automation system used primarily for Java projects. It builds upon the concepts of Apache Maven and Ant but works with a Groovy or Kotlin DSL instead of XML files for configuration. 

You can easily add RIPS security analysis as a task to run on each build to automatically detect new security issues.

Requirements

RIPS Plugin   RIPS API   Gradle     JAR
1.0           3.x        ≥ 4.6 *    Download

* Gradle ≥ 5.0 is required when using the Kotlin DSL.

Setup

Add the following snippet to your build file to apply the plugin.

build.gradle
plugins {
  id "com.ripstech.gradle.rips-plugin" version "1.0.0"
}

If dynamic configuration is required (for example, resolving the plugin from a repository of your own), use the legacy buildscript form instead:

build.gradle
buildscript {
  repositories {
    // ...
  }
  dependencies {
    classpath "com.ripstech.gradle:rips-plugin:1.0.0"
  }
}

apply plugin: "com.ripstech.gradle.rips-plugin"

Either form adds the task ripsScan to the verification task group.

Local Installation

The plugin is not yet published to the Gradle plugin portal, so the JAR has to be installed into your local Maven repository manually. The coordinates must match the ones referenced from the build script (group com.ripstech.gradle, artifact rips-plugin), otherwise Gradle will not find the artifact in mavenLocal():

mvn install:install-file -Dfile=<path-to-jar> -DgroupId=com.ripstech.gradle \
    -DartifactId=rips-plugin -Dversion=1.0.0 -Dpackaging=jar

Now add the local Maven repository to your build file. Because the plugin is resolved from the buildscript classpath, it is applied with apply plugin rather than the plugins block:

build.gradle
buildscript {
    repositories {
        // resolve the manually installed JAR from ~/.m2/repository
        mavenLocal()
    }
    dependencies {
        classpath "com.ripstech.gradle:rips-plugin:1.0.0"
    }
}

apply plugin: "com.ripstech.gradle.rips-plugin"


Configuration

To configure the plugin, set the following properties in the ripstech extension block (the values below are placeholders):

build.gradle
ripstech {
    apiUrl = "https://api-3.ripstech.com"
    uiUrl = "https://saas-3.ripstech.com"
    email = "test@company"
    password = "SuperSecret"
    applicationId = 1
    profileId = 1
    scanVersion = "{buildSystem}-WebApp"
    thresholdCritical = 0
    thresholdHigh = 1
    thresholdMedium = 3
    thresholdLow = 5
    printIssues = true
}
Property (default value, or whether it is required) and description:

apiUrl (default: https://api-3.ripstech.com)
    The URL of the RIPS API that should be used for scanning. Our SaaS API is
    available at https://api-3.ripstech.com; it also works for trial accounts.
    For on-premises installations, include the port of your API, for example
    http://192.168.201.1:8080.

uiUrl (optional)
    The URL of your RIPS UI.

email (required)
    The e-mail address of the user running the scan.

password (required)
    The password of the user running the scan.

applicationId (required)
    The numerical ID of the application in RIPS to be scanned. The application
    must already exist; it is not created automatically.

profileId (optional)
    The ID of the scan profile to use for the scan.

scanVersion (default: {isoDateTime})
    The name of your scan. Predefined placeholders are available.

thresholdCritical (default: unset)
    Threshold for issues with critical severity. The build fails if the number
    of critical issues is higher than the threshold. Leave unset to ignore the
    threshold.

thresholdHigh (default: unset)
    Threshold for issues with high severity. The build fails if the number of
    high issues is higher than the threshold. Leave unset to ignore the
    threshold.

thresholdMedium (default: unset)
    Threshold for issues with medium severity. The build fails if the number of
    medium issues is higher than the threshold. Leave unset to ignore the
    threshold.

thresholdLow (default: unset)
    Threshold for issues with low severity. The build fails if the number of
    low issues is higher than the threshold. Leave unset to ignore the
    threshold.

printIssues (default: true)
    Print detailed output of the issues found.

Note: Do not store your credentials in build.gradle; the file is checked into source control and the password would be committed with it. Supply them through environment variables or a gradle.properties file that lives outside the repository (for example ~/.gradle/gradle.properties) instead.

New Scan

After configuring the plugin you can start a scan by running the task ripsScan. It zips your project files, uploads them to the RIPS instance and starts a scan. Once the scan has finished, it checks whether any of the configured thresholds were exceeded and fails the build if so.

To run the task as part of a specific lifecycle task (for example, make check depend on ripsScan so that every gradle build runs the scan), refer to the Gradle documentation on task dependencies.
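As an added example that is not part of the RIPS documentation, the following complete build.gradle puts the two points above together: the credentials are read from the environment or from Gradle project properties rather than from the build file, and ripsScan is wired into the check lifecycle task so that every gradle build runs the scan. The environment variable names RIPS_EMAIL and RIPS_PASSWORD and the property names ripsEmail and ripsPassword are assumptions chosen for this example, and applicationId and the thresholds are placeholders.

```groovy
// Added example, not the plugin's own code. Applies the RIPS plugin, keeps
// credentials out of the build file and runs ripsScan on every `gradle check`.
plugins {
    id "java"
    id "com.ripstech.gradle.rips-plugin" version "1.0.0"
}

// Credentials are resolved in this order (all names are assumptions for this example):
//   1. environment variables RIPS_EMAIL / RIPS_PASSWORD, e.g. injected as CI secrets
//   2. project properties ripsEmail / ripsPassword, which Gradle reads from
//      ~/.gradle/gradle.properties (outside the repository) or from the
//      environment variables ORG_GRADLE_PROJECT_ripsEmail / ORG_GRADLE_PROJECT_ripsPassword
// Nothing secret is written into this file, so it can safely be committed.
def ripsEmail    = System.getenv("RIPS_EMAIL")    ?: project.findProperty("ripsEmail")
def ripsPassword = System.getenv("RIPS_PASSWORD") ?: project.findProperty("ripsPassword")

ripstech {
    apiUrl        = "https://api-3.ripstech.com"
    uiUrl         = "https://saas-3.ripstech.com"
    email         = ripsEmail
    password      = ripsPassword
    applicationId = 1                              // placeholder; the application must already exist in RIPS
    scanVersion   = "{buildSystem}-{isoDateTime}"  // placeholders documented for scanVersion
    // Fail the build on any critical issue and on more than one high issue;
    // medium and low thresholds are left unset and therefore ignored.
    thresholdCritical = 0
    thresholdHigh     = 1
    printIssues       = true
}

// Fail early with a clear message instead of an authentication error from the API.
ripsScan.doFirst {
    if (!ripsEmail || !ripsPassword) {
        throw new GradleException(
            "RIPS credentials missing: set RIPS_EMAIL/RIPS_PASSWORD or the " +
            "ripsEmail/ripsPassword project properties")
    }
}

// Hook the scan into the verification lifecycle: `gradle check` and `gradle build`
// now run ripsScan, and the threshold check fails the build when exceeded.
check.dependsOn ripsScan
```

Local developers can put ripsEmail and ripsPassword into ~/.gradle/gradle.properties, while a CI job sets RIPS_EMAIL and RIPS_PASSWORD from its secret store; in both cases the repository never contains the password.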