Sync continuous-integrates exploits

With the release of the Integrates API I suppose this topic is almost obvious, but I’ll point it out anyway.

I see there are a lot of outdated exploits on the Integrates tab, some of them even reveal secrets of the findings, so, is it possible/feasible to take these exploits directly from the continuous repo? This way we reduce the maintainability of the repos to a single point, and we can even think further, allowing access to the exploits only to the customers who pay for the Asserts break-the-build service.

I’d like to read your thoughts on this.

We thought about it back then and my answer is still the same:

If Integrates provides a uniform path and exploit name in S3, sure, we (continuous) can add a deployment phase that puts exploits in the respective S3 bucket.

Some things should be considered, like what happens with exploits for one-shot hacking.

I don’t think extra infrastructure is needed for this. Let’s just give Integrates a read-access token to the continuous repo. Everything is already standardized there, so let’s just make Integrates look for the exploit belonging to the finding and pull it in raw format. In case the exploit does not exist, let the hacker upload one.
