This repository is an example of how to install the Contrast Security Agent in a Python Flask application.
The agent runs as part of your Python application code and serves as an all-encompassing static code scanner, SCA tool, IAST agent and runtime self-protection tool. For more information, check out their website and Community Edition.
- Original vulnerable application source code taken from: dolevf/Damn-Vulnerable-GraphQL-Application
- Only changes made are to instrument the application with Contrast Security
This is a step-by-step guide for implementing the agent in this specific application; instrumentation requirements vary per technology stack. Please refer to the official Contrast Security Documentation for more information.
The agent is installed as a package from PyPI and can be found here. You can either install it manually using the `pip` command or by adding it to your project's `requirements.txt` or `setup.py` configuration.

```
pip install contrast-agent
```
Wrap the Flask application `app` object with the Contrast Security Agent middleware component.

`Damn-Vulnerable-GraphQL-Application/app.py#9-13`:

```python
...
import contrast
from contrast.flask import ContrastMiddleware  # <-- Import here

app = Flask(__name__, static_folder="static/")
app.wsgi_app = ContrastMiddleware(app)  # <-- Wrap middleware here
...
```
Using the YAML template provided, or by downloading a YAML template from the Contrast web portal, we can configure the agent:

`contrast_security.yml`:

```yaml
api:
  url: https://eval.contrastsecurity.com/Contrast
  api_key: XXX
  service_key: XXX
  user_name: XXX@XXX
application:
  name: VulnerableApp-Python-Demo
  code: demo-3
agent:
  service:
    host: localhost
    port: 30555
```
⚠️ Do not commit API credentials to your GitHub repo! A template `contrast_security.yml.dist` file has been provided for your convenience. Copy this file to `contrast_security.yml` and add your API details. This file is already added to `.gitignore` - ensure you don't accidentally remove this or add it anyway.

The Dockerfile in this repo adds this file into the build at the default location of `/opt/contrast/contrast_security.yaml`.
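The template-and-`.gitignore` workflow described above, as an added shell example that is not code from this repository: it renders `contrast_security.yml` from the `.dist` template using environment variables (so the secrets never live in a committed file) and then checks that the rendered file is git-ignored and contains no leftover placeholders. The template body, the `.gitignore` line and the `CONTRAST_*` variable names are constructed for this example and are not part of the original repo.

```shell
#!/bin/sh
# Added example (not from the original repo): render contrast_security.yml
# from a committed template via environment variables, then verify that the
# rendered file is git-ignored and fully populated.
set -eu

# Constructed template mirroring the keys of the README's YAML; in a real
# checkout this is the committed contrast_security.yml.dist. The .gitignore
# line is also constructed here so the demo runs stand-alone.
write_template() {
  cat > "$1/contrast_security.yml.dist" <<'EOF'
api:
  url: https://eval.contrastsecurity.com/Contrast
  api_key: __API_KEY__
  service_key: __SERVICE_KEY__
  user_name: __USER_NAME__
application:
  name: VulnerableApp-Python-Demo
  code: demo-3
agent:
  service:
    host: localhost
    port: 30555
EOF
  printf 'contrast_security.yml\n' > "$1/.gitignore"
}

# Render the template into contrast_security.yml. Secrets are read from
# CONTRAST_API_KEY, CONTRAST_SERVICE_KEY and CONTRAST_USER_NAME (names assumed
# for this example). Values must not contain '|' or '&', which sed treats
# specially with this delimiter.
render_config() {
  dir="$1"
  : "${CONTRAST_API_KEY:?set CONTRAST_API_KEY}"
  : "${CONTRAST_SERVICE_KEY:?set CONTRAST_SERVICE_KEY}"
  : "${CONTRAST_USER_NAME:?set CONTRAST_USER_NAME}"
  sed -e "s|__API_KEY__|$CONTRAST_API_KEY|" \
      -e "s|__SERVICE_KEY__|$CONTRAST_SERVICE_KEY|" \
      -e "s|__USER_NAME__|$CONTRAST_USER_NAME|" \
      "$dir/contrast_security.yml.dist" > "$dir/contrast_security.yml"
  # Credentials file: readable by the owner only.
  chmod 600 "$dir/contrast_security.yml"
}

# Returns 0 only if contrast_security.yml is listed verbatim in .gitignore
# and no __PLACEHOLDER__ tokens survived the render.
check_config() {
  dir="$1"
  grep -qx 'contrast_security.yml' "$dir/.gitignore" || return 1
  ! grep -q '__[A-Z_]*__' "$dir/contrast_security.yml" || return 1
  return 0
}
```

Run `write_template` once in the project directory (or skip it and use the repo's own `.dist` file), export the three `CONTRAST_*` variables, then call `render_config .` followed by `check_config .` as a pre-commit or CI gate; a non-zero exit means either the credentials file is not ignored or a placeholder was left unfilled.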
Now run your application and browse around the pages as you normally would. If everything worked, then when you next go to your Contrast Security dashboard you'll see details for the new application and any security issues that have been detected.
A list of resources that I found particularly useful when attempting this: