One of the rules of process improvement is automation: automating everything we can to save time and reduce failures and rework. In this article, we show how to streamline the routines of a secure development cycle integrated with the Conviso Platform, the powerful SaaS tool created by Conviso. To do so, we walk through a platform use case: automatically creating a “project” in the Conviso Platform and, at the same time, creating a card (or task) in another tool, ClickUp.
It is possible to create a variety of custom automations using the Conviso Platform services through APIs, available in both REST and GraphQL. The Conviso documentation has more details.
Remember that the “project” structure is how the platform organizes the various types of AppSec demands. A few types, to refresh your memory: threat modeling, automated analysis (AST), and the famous pentest. It is also through the “project” that we relate the asset (what we must secure) to its vulnerabilities. A microservice is one example of an asset that the platform can manage.
Case study
Our scenario is to create demands on both the Conviso Platform and ClickUp, a project management tool. Although we use this context, the automation can easily be adapted to other cases and tools.
To create the “project” in the Conviso Platform and the “task” in ClickUp, our script asks for some information: the configuration needed to create each item in the proper place in each system and, of course, the data describing the demand, so that both tools stay synchronized with the same information.
Prerequisites for performing use case automation
To use the APIs, we need the credentials for each tool:
- Conviso Platform API key;
- ClickUp integration API key.
To run the automation script, we need a running Python environment.
Step 1: Get API key from Conviso Platform
Once logged into the Conviso Platform, get the API key by clicking “user” in the top right corner, then the “Edit Profile” menu:
Then select the “API Key” tab, click the “Generate” button, and finish with “Confirm”:
Step 2: Get the ClickUp integration API key
The ClickUp integration API key can be generated from the URL below; replace the placeholder with your ClickUp ID:
https://app.clickup.com/<REPLACEYOUR-ID-IN-THE-CLICKUP>/settings/apps
Once the page is loaded, use the “generate” button, as illustrated in the following image:
Step 3: Set up Python runtime environment
To run the script, we need an environment running Python. The setup is simple and will vary depending on your operating system. Feel free to perform this step in whatever way is best or usual for you. In our case, we use Python on Windows, running on Visual Code.
Step 4: Getting the script
The script for our use case is available in our repository: integration_platform_clickup on GitHub. Get the code onto your machine however you prefer: clone, download… Feel free to use GitHub as usual.
“Convisolabs” is our public repository with some projects that contribute to application security. Specifically, in the “runbooks” folder we find the existing automations of the current contributions. Your input and suggestions are sincerely welcome.
Step 5: Configure Environment Variables
As the code snippet in the image below shows, we use environment variables so that the API access credentials are not stored in the source code. You will need to create the following two variables in your operating system and assign them the values obtained in Steps 1 and 2, respectively:
- CONVISO_PLATFORM_TOKEN;
- CLICKUP_TOKEN.
Step 6: Running the automation
Now it’s time to run our Python script!
Besides the environment variables from the previous step, we need to take care of the other variables in our “app.py” file. These are the configuration information we mentioned at the beginning of the article. Review the following: i) the “URLs” of the tools, which must match the environment that will be used; and ii) “CLICKUP_LIST_PROJECTS”, the identifier of the ClickUp list or board. See the image below:
Besides Python itself, we also need the requests library. To install it, use the command:
pip3 install requests
Then, to run the automation use the following command from the script directory:
python3 app.py
Our automation is now ready to use. Choose option 1 and enter the requested information; the project and the task will be created on the Conviso Platform and ClickUp, saving us time.
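The configuration that Steps 5 and 6 depend on can be checked before the script prompts for anything. The following is an added example, not the code from the repository: it fails closed when either token is missing, logs only a short fingerprint of each secret, and refuses to send a token to a non-HTTPS URL. The function names and the sample URL are assumptions made for illustration; the two environment variable names are the ones from Step 5.

```python
import hashlib
import os
from urllib.parse import urlsplit

# Variable names from Step 5 of the article; all function names are illustrative.
REQUIRED_TOKENS = ("CONVISO_PLATFORM_TOKEN", "CLICKUP_TOKEN")


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix that is safe to log in place of the token."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def load_tokens(env=None) -> dict:
    """Return both tokens, or raise naming every variable that is missing."""
    env = os.environ if env is None else env
    tokens = {name: env.get(name, "").strip() for name in REQUIRED_TOKENS}
    missing = [name for name, value in tokens.items() if not value]
    if missing:
        # Report variable names only; never echo values or partial values.
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return tokens


def check_base_url(url: str) -> str:
    """Refuse to send a token to anything that is not an https:// host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS or malformed URL: {url!r}")
    return url.rstrip("/")


def preflight(env, urls) -> list:
    """Validate the configuration and return log lines that contain no secrets."""
    tokens = load_tokens(env)
    lines = [f"{name}: set (sha256 {fingerprint(value)})" for name, value in tokens.items()]
    lines += [f"endpoint ok: {check_base_url(url)}" for url in urls]
    return lines


if __name__ == "__main__":
    # Constructed sample values; in real use pass env=None and the URLs set in app.py.
    sample_env = {
        "CONVISO_PLATFORM_TOKEN": "tok-conviso-123",
        "CLICKUP_TOKEN": "tok-clickup-456",
    }
    for line in preflight(sample_env, ["https://api.example.test/v2/"]):
        print(line)
```

Calling `preflight(None, [...])` reads the real process environment instead of the sample dictionary.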
Creating automations on the Conviso Platform
Conviso Platform provides a number of APIs to customize the use of its services. We even have a dedicated article explaining how to automatically validate requirements against the vulnerabilities registered in the platform, with a Python script available in our repository: runbooks/requirements’s_automation at main – convisolabs/runbooks (github.com). The platform also offers ClickUp integration and integration with Jira and GitHub, among other tools.
Remember that Conviso Platform services can also be automated in your CI/CD pipeline, as in this project-creation use case. Count on Conviso for the security of your applications!
