Package "Copado Deployer", Version 18.0 or later must be installed first. (Copado Release Notes)
DigitSec's Salesforce Security Scanner can now be used from Copado through this native integration. Security analysis of your code, configuration, third-party libraries and runtime can be initiated from Copado, and the results of the security scans are made available in Copado.
DigitSec recommends that you prepare for this integration by opening three separate browser windows: keep this page open so you can follow the instructions closely while you switch between the S4 window and the Salesforce/Copado window to connect the two.
- Install the DigitSec S4 integration using one of the following links: https://login.salesforce.com/packaging/installPackage.apexp?p0=04t8c000000uqxk
You may encounter an installation dialog screen requesting input on Component Name Conflicts and Permissions.
It will take approximately 1-2 minutes to complete the installation.
- Next, connect your integration to DigitSec S4 by entering your DigitSec credentials in the "DigitSecCredentials" Named Credential, as shown below. Open the Setup menu by clicking the gear icon in the upper right-hand corner of Salesforce, then use the Quick Find box in the left-hand navigation to locate Named Credentials.
Setup > Quick Find > Named Credentials > Edit "DigitSecCredentials"
Setup Home > Settings: Security > Named Credentials: Edit "DigitSecCredentials"
Enter the username and password you use to access S4 in the appropriate fields. Remember to click the Save button at either the top or bottom of the dialog.
- Now switch to the DigitSec S4 web app browser window and obtain the DigitSec S4 orgId from the URL, as in the screen shown below. It is best to copy this value to your clipboard.
- Returning to your Salesforce/Copado window, add the DigitSec S4 orgId to the digitsec custom settings in Salesforce. Navigate to the Custom Settings control using the Quick Find box in the left-hand navigation.
Setup Home > Quick Find > Custom Settings
Setup Home > Platform Tools: Custom Code > Custom Settings: Manage DigitSec
On the Custom Setting: digitsec page, there may not be any values in place yet. Click the New button to add one, or click the Edit link if one already exists.
For the Location: Profile value, make sure to use the search tool to select a profile through the Salesforce menus so that the proper object is specified.
Use the S4 orgId value you copied to your clipboard in the previous step for the orgId input field.
Scan Commit: Activate this checkbox only if the Org credentials added in the User Story are the same as the connected Org. This option scans the last commit only, and triggers an automatic scan whenever a user commits a user story.
Scan the Entire User Story: This option scans the entire user story AND the last commit. Activate this checkbox only if the repository associated with the User Story has also been added to the Integrations section in DigitSec S4 for this Org.
Please note that for each User Profile that will be initiating scans, you will need to make sure that there is a Custom Setting for that Profile and that the Profile has the Run Flows permission enabled.
- Add the DigitSec S4 Security Scan button to the User Story page layout as shown below. Navigate to the User Story Layout control using the Quick Find box in the left-hand navigation.
Setup > Quick Find > Object Manager > Quick Find > User Story > Select "User Story" (copado__User_Story__c) > Page Layouts > User Story Layout > Select "Mobile & Lightning Actions" > Drag and Drop "DigitSec S4 Security Scan" button
Setup Home > Platform Tools: Objects and Fields > Object Manager > User Story (copado__User_Story__c) > Page Layouts > User Story Layout
On the main section of this page, find the User Story Layout block with the dark blue bar. In the left-most column of this block, click Mobile and Lightning Actions. The other column in this block will refresh to show a selection of buttons. Hover over the "DigitSec S4 Security Scan" button; the mouse cursor should now appear as a crosshair rather than a pointer. Click and hold to drag the button from the User Story Layout section to the section labeled Salesforce Mobile and Lightning Experience Actions. While the button is being dragged, the target area switches to a green background. The order of the buttons in this dialog is reflected on the User Story detail page, so placing the DigitSec S4 Security Scan button in the top-left of the target area makes it appear higher in the Actions menu.
Once you have positioned the button, remember to click the Save button in the upper left-hand corner of the User Story Layout Block.
- Add DigitSec Findings to the Copado Result object layout. Navigate to the Result Layout control using the Quick Find box in the left-hand navigation.
Setup > Quick Find > Object Manager > Quick Find > Result > Select "Result" (copado__Result__c) > Page Layouts > Result Layout > Click "Related Lists" > Drag and Drop DigitSecFindings to Related Lists as shown below:
Setup Home > Platform Tools: Object Manager > Result (copado__Result__c) > Page Layouts > Result Layout
On the main section of this page, find the Result Layout block with the dark blue bar. In the left-most column of this block, click Related Lists. The other column in this block will refresh to show a selection of lists that can be added to the Result Detail section below. Hover over "DigitSecFindings"; the mouse cursor should now appear as a crosshair rather than a pointer. Click and hold to drag the list to the very bottom of the page. The Related Lists target area turns light green to indicate where you can release the mouse button once the list is positioned.
Once you have positioned the list, remember to click the Save button in the upper left-hand corner of the Result Layout Block.
- Now you can run DigitSec S4 Security Scans from Copado User Stories.
Depending on the options you selected in Step 4, you can scan the last commit if you enabled "Scan Commit", and/or run a scan against the entire User Story if you selected "Scan the Entire User Story" and have the repository attached to DigitSec. If neither option is selected, S4 runs a scan against the specified Org.
- In order to scan all the changes in the User Story, you must add the repository associated with the Copado pipeline to DigitSec S4. Refer to the GitHub, Azure, BitBucket, or GitLab docs for the repository integration.
Important: Do not add the webhook, as that will duplicate the scans.
- In order to run a full org scan through deployments, you can add DigitSecFlow as a "Deployment Step" with the following input parameters:
- When an S4 scan is completed, the results from the scan are attached to a Copado Result object as shown below: