Skip to content

add local EdgeScan setup instructions and prerequisites #340

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
SevenThomas wants to merge 7 commits into
base: main
Choose a base branch
from
+144 −5
Open

add local EdgeScan setup instructions and prerequisites #340

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
3190ec5
docs(intro): add local EdgeScan setup instructions and prerequisites
SevenThomas Jan 22, 2026
4c00129
Implement EdgeScan Local Dev Command with Apple Native Containers (ma…
SevenThomas Jan 23, 2026
aade970
Merge branch 'main' into SevenThomas/issue339
SevenThomas Jan 23, 2026
81ca06d
Merge branch 'main' into SevenThomas/issue339
SevenThomas Jan 27, 2026
8771418
Add EdgeScan CI/CD integration and update pipeline stages
SevenThomas Jan 27, 2026
c937ffc
Add missing variable group for EdgeScan credentials in pipeline
SevenThomas Jan 27, 2026
1a7b467
Merge branch 'main' into SevenThomas/issue339
SevenThomas Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 50 additions & 1 deletion apps/docs/docs/intro.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Clone the Sharethrift repository and set up the development environment:
```bash
git clone https://github.com/Sharethrift/sharethrift.git
cd sharethrift
```
```i

Install dependencies and build the project:

Expand Down Expand Up @@ -67,3 +67,52 @@ Sharethrift follows these core patterns:
- **API Layer**: GraphQL and REST endpoints via Azure Functions

Open any file in the `packages/` directory and start exploring: the project uses hot reloading for rapid development!

## Local EdgeScan Setup

EdgeScan is a Dynamic Application Security Testing (DAST) platform that scans live running applications to identify runtime vulnerabilities and security weaknesses. Unlike static analysis tools like Snyk or SonarCloud that scan source code, EdgeScan tests the actual deployed application behavior.

### How to use

- Use `pnpm run edgescan:dev` to run local security validation scans.
- **DO NOT** use `edgescan:agent` locally; it is strictly reserved for the GitHub Copilot AI Coding Agent and CI/CD automation.

### Prerequisites

#### 1. Apple Native Containers

One-time setup for macOS developers:

1. Download the signed installer package from Apple's container releases page.
2. Run the installer.
3. Start the container system with:
```bash
container system start
```
Input 'Y' when prompted.
4. Confirm it is working with:
```bash
container system status
```
Expected output:
```
container system status
apiserver is running
```

#### 2. EdgeScan API Token

1. Log in to https://intealth.edgescan.com
2. Go to Profile Settings and generate an API token
3. Export it in the terminal (optionally add to ~/.zshrc or ~/.bashrc for persistence):
```bash
export ES_API_TOKEN="your token here"
```

#### 3. EdgeScan Asset ID

This is the asset you want to scan (provided by the EdgeScan team or available from the EdgeScan UI). Export it:

```bash
export ES_ASSET_ID="your asset id here"
```
11 changes: 10 additions & 1 deletion azure-pipelines.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ pool:
vmImage: ubuntu-latest

variables:
- group: edgescan-credential-sharethrift
- group: sonarcloud-credential-sharethrift
- group: github-credential-sharethrift
- group: ui-sharethrift-settings-sharethrift
Expand Down Expand Up @@ -62,4 +63,12 @@ stages:
resourceGroupName: 'rg-sharethrift'
appSettingsJsonFileRelativePathPri: 'apps/api/build-pipelines/config/dev-pri.json'
frontDoorProfileName: 'simnova-afd'
frontDoorEndpointName: 'sth-fde-bzbjd6edbfhmcnam'
frontDoorEndpointName: 'sth-fde-bzbjd6edbfhmcnam'


- template: ./build-pipeline/core/monorepo-edgescan-stage.yml
parameters:
stageName: 'EdgeScan_DEV'
dependsOn: 'DEV'
vmImageName: $(vmImageName)
esAssetId: $(ES_ASSET_ID_DEV)
79 changes: 79 additions & 0 deletions build-pipeline/core/monorepo-edgescan-stage.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
parameters:
- name: stageName
type: string
default: 'EdgeScan'
- name: dependsOn
type: string
- name: esAssetId
type: string
- name: vmImageName
type: string
default: 'ubuntu-latest'

stages:
- stage: ${{parameters.stageName}}
displayName: 'EdgeScan Security Scan'
dependsOn: ${{parameters.dependsOn}}
condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))
jobs:
- job: EdgeScan
displayName: 'EdgeScan CI/CD Integration'
variables:
# Generates a monthly key like "2026-01" to ensure the image is refreshed monthly
cacheMonth: $[format('{0:yyyy-MM}', pipeline.startTime)]
pool:
vmImage: ${{parameters.vmImageName}}
steps:
- task: Cache@2
displayName: 'Cache EdgeScan Docker Image'
inputs:
key: 'docker | edgescan | latest | $(cacheMonth)'
path: $(Pipeline.Workspace)/docker-cache
cacheHitVar: DOCKER_CACHE_HIT

- task: Bash@3
displayName: 'Pull or Restore EdgeScan Image'
inputs:
targetType: 'inline'
script: |
set -euo pipefail
mkdir -p $(Pipeline.Workspace)/docker-cache

if [ "${DOCKER_CACHE_HIT:-}" = "true" ] && [ -f "$(Pipeline.Workspace)/docker-cache/edgescan.tar" ]; then
echo "Restoring EdgeScan image from cache..."
docker load -i $(Pipeline.Workspace)/docker-cache/edgescan.tar
else
echo "Cache miss or missing tarball. Pulling from Docker Hub..."
docker pull edgescan/cicd-integration:latest
echo "Saving image to cache for future runs..."
docker save edgescan/cicd-integration:latest -o $(Pipeline.Workspace)/docker-cache/edgescan.tar
fi

- task: Bash@3
displayName: 'Run EdgeScan Scan'
inputs:
targetType: 'inline'
script: |
set -euo pipefail

if [ -z "$ES_API_TOKEN" ]; then
echo "Error: ES_API_TOKEN must be set in the variable group."
exit 1
fi

if [ -z "${{ parameters.esAssetId }}" ]; then
echo "Error: ES_ASSET_ID_DEV must be set in the variable group."
exit 1
fi

echo "Triggering EdgeScan for Asset ID: ${{ parameters.esAssetId }}"

docker run --tty --rm \
edgescan/cicd-integration:latest \
--api-token "$ES_API_TOKEN" \
--asset-id "${{ parameters.esAssetId }}" \
--start-scan \
--max-risk-threshold 3 \
--wait --color
env:
ES_API_TOKEN: $(ES_API_TOKEN)
2 changes: 1 addition & 1 deletion knip.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,5 +96,5 @@
"tsx",
"vite"
],
"ignoreBinaries": ["func"]
"ignoreBinaries": ["func", "container"]
}
6 changes: 4 additions & 2 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,8 +51,10 @@
"snyk:code": "snyk code test --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --severity-threshold=medium",
"snyk:code:report": "snyk code test --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --target-reference=main --project-name=sharethrift-code --report",
"snyk:iac": "snyk iac test iac/**/*.bicep apps/**/iac/**/*.bicep --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift",
"snyk:iac:report": "snyk iac test iac/**/*.bicep apps/**/iac/**/*.bicep --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --target-reference=main --target-name=sharethrift-iac --report"
},
"snyk:iac:report": "snyk iac test iac/**/*.bicep apps/**/iac/**/*.bicep --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --target-reference=main --target-name=sharethrift-iac --report",
"edgescan:agent": "docker run --tty --rm edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id $ES_ASSET_ID --start-scan --max-risk-threshold 3 --wait --color",
"edgescan:dev": "container run --tty --rm --platform linux/amd64 edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id 74469 --start-scan --max-risk-threshold 3 --wait --color"
},
"pnpm": {
"auditConfig": {
"ignoreGhsas": [
Expand Down