Application Security

A Case Study of Creating Automation on the Conviso Platform

One of the rules for process improvement is automation, automating everything we can to optimize time and decrease failures and rework. In this article, we want to show how we can facilitate the routines of our secure development cycle that integrates with the Conviso Platform, this powerful SaaS tool created by Conviso. For this purpose, we will consider a platform use case regarding the creation of a “project” in the Conviso Platform in an automatic way and, at the same time, the creation of a card, or task in another tool, Click-up.

It is possible to create several custom automation using the Conviso Platform services through APIs available both in REST and GraphQL. The Conviso documentation has more details.

Remembering that the “project” structure in the platform is the way we organize the various types of AppSec demands, it’s worth mentioning some types to warm up your memory: threat modeling; automated analysis (AST), and the famous pentest. It is also important to say that it is through the “project” that we relate the asset, what we must secure, and the vulnerabilities. To mention an example of an asset: microservice is an example of an asset that the platform can manage.

Case study

Our scenario is to create demands on both the Conviso Platform and Click-up, a project management tool. Despite this context, the automation used can be adapted to other cases and tools, easily.

Considering the creation of the “project” in the Conviso Platform and the “task” in Click-up, our script asks for some information. We will need this information in the configuration criteria to create it in the proper place in each system. And of course, the data pertinent to the demand to keep both tools synchronized with the same information.

Prerequisites for performing use case automation

To use the APIs we need the credentials of each software:

  • Conviso Platform API key;
  • ClickUp integration API key.

To run the automation script, we need a running Python environment.

Step 1: Get API key from Conviso Platform

Once logged into the Conviso Platform we get the API key by clicking on the top right corner, “user”; then on the “Edit Profile” menu:

Then select the “API Key” tab; then the “Generate” button and finish with “Confirm”:

Step 2: Get the Click-Up integration API key

The Click-up integration API key can be generated from the URL below, with the detail that it needs to replace your “Click-up id”:<REPLACEYOUR-ID-IN-THE-CLICKUP>/settings/apps

Once the page is loaded, use the “generate” button. As illustrated in the following image:

Step 3: Set up Python runtime environment

To run the script we need an environment running Python. The setup is simple and will vary depending on your operating system. Feel free to perform this step as is best or usual for you. In our case, we use Python on Windows, running on Visual Code.

Step 4: Getting the script

The script for our use case is available in our repository: integration_platform_clickup on GitHub. Pass the code to your machine as you prefer: clone, download… Feel free to use GitHub as usual.

“Convisolabs” is our public repository with some projects that contribute to application security. Specifically, in the “runbooks” folder we find the existing automations of the current contributions.  Your input and suggestions are sincerely welcome.

Step 5: Configure Environment Variables

As you can see in the image below the code snippet, in order not to store the API access credentials in the source code, we use the environment variables. So, you will need to create the following two variables in your operating system and assign the values obtained in step one and two, respectively:


Step 6: Running the automation

Now it’s time to run our Python script!

Besides the environment variables from the previous step, we need to take care of the other variables in our “” file. These are the configuration information we mentioned at the beginning of the article. Part of this revision are: i) the “URLs” of the tools, which must correspond correctly to the environment that will be used; and ii) the “CLICKUP_LIST_PROJECTS”, identification of the Click-up list or board. See the image below:

Besides the installed Python we also need the requests. To do so, use the command:

pip3 install requests

Then, to run the automation use the following command from the script directory:


We have arrived at the use of our automation. Now we can go with option 1 and enter the requested information and the project and task will be created on the Conviso Platform and Click-up saving us time.

Creating automations on the Conviso Platform

Conviso Platform provides a number of APIs to customize the use of the services. We even have a dedicated article explaining how to automatically validate the requirements according to vulnerabilities registered in the platform with a Python script available in our repository: runbooks/requirements’s_automation at main – convisolabs/runbooks ( It also offers Clickup integration and integration with Jira and GitHub among other tools.

Remember that in your CI/CD conveyor automations we have options to automate Conviso Platform services like this our use case for project creation and count on Conviso for the security of your applications!

Nova call to action
About author


Professional in the technology area for over 16 years. A technologist from ETE, a bachelor's degree in Systems Analysis and Information Technology from Fatec, and a postgraduate (MBA) in Management and Governance of Information Technology by FIAP. Throughout his career, he has developed several systems, in different market technologies, both web and mobile, and participated in all cycles of the reformulation project of the 'Customer Mobile App' of Liberty Seguros SA, winner in the category Insurance Application of the "eFinance 2017 Award", one of the primary technology awards for the finance area. He acts as a squad leader in the Consulting team taking the AppSec culture to customers.
Related posts
Application Security

Finding classes for exploiting Unsafe Reflection / Unchecked Class Instantiation vulnerabilities in Java with Joern

During a pentest engagement we found a Java application vulnerable to unsafe reflection [1]. This…
Read more
Application Security

Mitigating Vulnerabilities: Elevating Security Proficiency in Software Development

In the ever-evolving digital landscape, the significance of software security cannot be overstated.
Read more
Application Security

The Importance of Supply Chain to Application Security

When we think about software development, we usually think about complex technical concepts…
Read more

Deixe um comentário