# Sending Build and Deployment Events to SSD This page explains in detail on how to send build metadata, artifact details, and deployment information from an AWS CodeBuild / CodeDeploy pipeline to the SSD (Security, Safety & Delivery) Scanner using API calls. It includes: * Required AWS environment variables * Steps to add after pushing images to Artifactory/ECR * Correct Git URL formatting * SSD configuration (Teams, Integrators, Tokens) ### Prerequisites The AWS Pipeline must be able to: * Build the application * Push Docker images to Artifactory / ECR {% hint style="info" %} If the data needs to be mapped to a specific team, creating a team is required. Otherwise, this field is optional and can be left empty. Refer [Managing Teams and Access](https://docs.opsmx.com/opsmx-delivery-shield-platform/user-guide/manage-teams-and-access). {% endhint %} The Bitbucket and ECR integrators needs to be integrated. Refer [Integrating BitBucket](https://docs.opsmx.com/opsmx-delivery-shield-platform/getting-started/integrating-ci-and-cd-tools-in-delivery-shield/bitbucket) and [Integrating ECR](https://docs.opsmx.com/opsmx-delivery-shield-platform/getting-started/integrating-registry-in-delivery-shield/ecr) on steps to complete the process. ### Required AWS Environment Variables The following environment variables are required in AWS CodeBuild: | **Variable** | **Description** | | ---------------- | ----------------------------------- | | SSD\_URL | Base URL of the SSD instance | | SSD\_TEAM\_TOKEN | API token for team authentication | | GIT\_URL | Repository URL (format shown below) | | GIT\_BRANCH | Branch being built | | DOCKER\_IMAGE | Pushed Docker image name | | DOCKER\_TAG | Tag of the image | #### Mandatory Git URL Format \/\.git {% hint style="info" %} If image name/tag variables are already configured in your environment, you can utilize those existing pipeline variables. {% endhint %} ### Pipeline Step: Sending Build Metadata to SSD Add the following code immediately after pushing the image to Artifactory/ECR: ``` echo "Sending metadata to SSD Scanner..." curl --location "${SSD_URL}/webhook/v1/ssd" \ --header "Content-Type: application/json" \ --header "X-OpsMx-Auth: ${SSD_TEAM_TOKEN}" \ --data "{ \"jobname\": \"${CODEBUILD_BUILD_ID}\", \"buildnumber\": \"${CODEBUILD_BUILD_NUMBER}\", \"joburl\": \"${CODEBUILD_BUILD_URL}\", \"gitcommit\": \"${CODEBUILD_RESOLVED_SOURCE_VERSION}\", \"builduser\": \"aws-codebuild\", \"giturl\": \"${GIT_URL}\", \"gitbranch\": \"${GIT_BRANCH}\", \"artifacts\": [ { \"image\": \"${DOCKER_IMAGE}:${DOCKER_TAG}\" } ] }" ``` ### Login to ECR & Fetch Artifact SHA To login to ECR and fetch the artifact SHA execue the below code: ``` aws ecr get-login-password --region AWS.REGION \ | docker login --username AWS --password-stdin AWS.ACCOUNT.dkr.ecr.REGION.amazonaws.com echo "Fetching the Artifact SHA..." ARTIFACT_SHA=$(docker manifest inspect ${DOCKER_IMAGE}:${DOCKER_TAG} --verbose | jq -r .Descriptor.digest) echo "Artifact SHA: $ARTIFACT_SHA" echo "Sleeping for 30 seconds..." sleep 30 ``` ### Trigger SSD Data Collection (with Retry Logic) To trigger SSD data collection, execute the following code: ``` echo "Triggering Data Collection API..." MAX_RETRIES=1000 RETRY_INTERVAL=10 attempt=1 while [ $attempt -le $MAX_RETRIES ]; do echo "Attempt #$attempt: Triggering Data Collection..." RESPONSE_FILE=$(mktemp) HTTP_STATUS=$(curl -s -o "$RESPONSE_FILE" -w "%{http_code}" \ -X POST "${SSD_URL}/webhook/api/v1/datacollection" \ -H "Content-Type: application/json" \ -H "X-OpsMx-Auth: ${SSD_TEAM_TOKEN}" \ -d "{ \"artifactName\": \"${DOCKER_IMAGE}\", \"artifactTag\": \"${DOCKER_TAG}\", \"organizationName\": \"${ORGANISATION_NAME}\", \"artifactSha\": \"$ARTIFACT_SHA\" }") echo "HTTP Status: $HTTP_STATUS" cat "$RESPONSE_FILE" if [ "$HTTP_STATUS" -eq 200 ]; then echo "Data Collection Triggered Successfully." break fi echo "Data Collection Failed. Retrying in $RETRY_INTERVAL seconds..." sleep $RETRY_INTERVAL attempt=$((attempt + 1)) done if [ $attempt -gt $MAX_RETRIES ]; then echo "Timed out waiting for Data Collection API to return HTTP 200." exit 1 fi ``` To retrieve the necessary ORGANISATION\_NAME information from the SSD Dashboard, follow these steps: 1. Go to Setup. 2. Navigate to **Access Management**. {% hint style="info" %} This information is required for ORGANISATION\_NAME. {% endhint %} ### Firewall API (Policy Enforcement Before Deployment) To access the firewall API execute the following code: ``` echo "Calling the Firewall API..." RESPONSE=$(curl --silent --location "${SSD_URL}/ssdservice/v1/ssdFirewall" \ --header "Content-Type: application/json" \ --header "X-OpsMx-Auth: ${SSD_TEAM_TOKEN}" \ --data "{ \"teamName\": \"UPDATE.TEAM.NAME\", \"appName\": \"APP.NAME.IN.OPSMX.DASHBOARD\", \"account\": \"${BUILD_ENV}\", \"clusterName\": \"PROVIDE.ANY.VALUE\", \"image\": \"${DOCKER_IMAGE}:${DOCKER_TAG}\" }") echo "Response: $RESPONSE" ALLOW=$(echo "$RESPONSE" | jq -r '.allow') PERMISSION=$(echo "$RESPONSE" | jq -r '.proceedWithPermissionCheck') MESSAGE=$(echo "$RESPONSE" | jq -r '.message') if [[ "$ALLOW" == "true" && "$PERMISSION" == "true" ]]; then echo "✅ SSD Firewall check passed." else echo "$MESSAGE" echo "❌ SSD Firewall check failed. Exiting pipeline." exit 1 fi ``` | **Field** | **Description** | | ----------- | ------------------------------------- | | teamName | Must match the Team configured in SSD | | appName | Application name displayed in SSD UI | | account | Must match name in Clusters page | | clusterName | Any user-defined cluster label | ### Generating a Team Token in SSD 1. Click on the name of the **Team** (given as tabs in the Teams panel) for which you want to generate token as shown below:
2. The details of the **Team** along with its **User Roles** are displayed. 3. Click **Generate Token** button as shown below:
4. A token is created and a success message is displayed as shown:
5. Copy & store the token securely ### Points to Remember * SSD\_URL and SSD\_TEAM\_TOKEN must be defined in AWS CodeBuild environment variables * Pipeline IAM must allow: * ECR authentication * Docker manifest inspect * External API calls * After configurations: * Re-run the pipeline via AWS console or PR/Push event * Wait 5 minutes for SSD Dashboard to update the latest results * Ensure there are no errors in the AWS build logs --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.opsmx.com/delivery-shield-platform/sending-build-and-deployment-events-to-ssd.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.