Getting Zeridian

Zeridian Security and Compliance (Beta) helps organizations secure, monitor, and manage their open-source applications. The Zeridian beta release program is for developers, and IT and engineering users who produce, deploy, operate, or maintain applications written in Python.

You can use the Zeridian platform to:

  • Automatically identify security vulnerabilities and protect your code from development to production
  • Automatically detect out-of-compliance licenses and prevent costly legal issues
  • Gather actionable intelligence from the Zeridian web application

The Zeridian platform is comprised of four components:

  1. ActivePython: For the Zeridian beta, Python is the only supported language distribution. You can use an existing installation or download a supported version at https://www.activestate.com/activepython/downloads. The latest releases of ActivePython are all supported:

    • ActivePython 3.6.0.3600
    • ActivePython 3.5.3.3505
    • ActivePython 2.7.13.2715
  2. Zeridian web application: Sign in to Zeridian at http://zeridian-beta.activestate.com. The credentials you use to sign in are in the email sent to you at the start of the beta testing period. For more information, see Accessing the Zeridian web application. The results of each Python application scan are uploaded to the Zeridian web application. You can log in to your organization’s account to view detailed information about any identified vulnerabilities.

  3. Zeridian plugin for ActivePython: In order to scan your Python applications for vulnerabilities, you must add the Zeridian plugin package to the ActivePython interpreter using the Pip package manager. Each installation of the interpreter that you want to enable scanning for must have the Zeridian plugin package installed. For more information, see Installing the Zeridian plugin.

  4. zeridian.config: The Zeridian configuration file allows you to control settings for the Zeridian interpreter, such as whether logging is enabled, and to specify how interpreter scan results are organized in the Zeridian web application. Identities provide a flexible way to group scan and vulnerability data by user, by computer, or by organizational unit. For more information, see Creating zeridian.config.

Accessing the Zeridian web application

  1. Navigate to https://zeridian-beta.activestate.com.
  2. On the login page, enter the email address you used to sign up for the beta and the password supplied by ActiveState.
  3. Click Sign in.
  4. The first time you log in to Zeridian, you must read the Zeridian Beta Terms of Use Agreement and click Accept at the bottom of the page before you can continue to the Dashboard.

Note: If you run into any issues while signing in, contact the Zeridian team at zeridian-beta@activestate.com.

Installing the Zeridian plugin

The Zeridian plugin is a read-only Python package that identifies the modules and packages being loaded when your applications are run by the ActivePython interpreter. Using this information, Zeridian automatically identifies vulnerabilities, outdated package versions, and improper licensing.

  1. Open your web browser and navigate to the Zeridian web application at http://zeridian-beta.activestate.com and sign in. The credentials you use to sign in are in the email sent to you at the start of the beta testing period.
  2. Click the Get the Plugin link in the navigation bar.
  3. Click the blue button to download and save the latest version of the Zeridian Plugin (zeridian-0.2.6.tar.gz). You do not need to extract the tarball (.tar.gz) file.
  4. You need to use pip to install the Zeridian plugin:
    1. Open a command prompt, and navigate to the directory where you saved the Zeridian Plugin.
    2. Run pip install zeridian-<version>.tar.gz (ActivePython 2.7.x) or pip3 install zeridian-<version>.tar.gz (ActivePython 3.5.x or 3.6.x).

Tip: If you run into issues installing the plugin with pip, ensure that pip/pip3 is on your path or enter the full path to the pip/pip3 executable. You can also try the alternative syntax: python3 -m pip install zeridian-<version>.tar.gz

Creating zeridian.config

The Zeridian configuration file is used to manage basic settings, such as whether debugging is turned on. It also determines how scan data is grouped in the Zeridian web application through the use of Identities. An Identity is a grouping of Zeridian scan results. An Identity can group together all of the ActivePython applications run by an individual user, all instances of an application regardless of the computer they run on, or some other grouping.

  1. Create a new text file called zeridian.config.
  2. Add the required information to the configuration file in one of the following ways:

    • Navigate to the Get the Plugin page in the Zeridian dashboard and copy and paste the contents of the sample config file into your local file.
    • Enter the required information in the following format:
    Identity = <unique identity identifier>
    URL = https://zeridian-beta.activestate.com
    Debug = True | False
    

    For example:

    Identity = 60e7fca3-2f81-46d2-ad53-a986fd265b3d
    URL = https://zeridian-beta.activestate.com
    Debug = True
    
  3. Save the configuration file to the appropriate location on your system.

    • Windows:
      • Save the file in your user directory (i.e. C:\Users\<username>) to use the same identity for all applications you run, or
      • Save the file in one or more application working directories to use an identity for the specified applications, or
      • Create an environment variable named ZERIDIAN_CONFIG and set it to the location of the zeridian.config file.
    • Linux or MacOS:
      • Save the file to your home directory (~/zeridian.config) to have it apply to just the applications you run, or
      • Save the file in the /etc directory to have it apply to all applications running on the computer (/etc/zeridian.config), or
      • Save it to the working directories for individual applications to have it only apply to those applications, or
      • Create an environment variable named ZERIDIAN_CONFIG and set it to the location of the zeridian.config file.

For more information, see Zeridian platform configuration.

Tips:

  • If you want to view Zeridian debugging information while you are using the interpreter, you can change the final line of the zeridian.config file to Debug = True. This is a good way to ensure that the plugin is working correctly when you first run the interpreter on a new system.

  • You can also adjust the connection timeout and response timeout values, if necessary:

    • ConnectTimeout - Seconds for connection timeout. For example: ConnectTimeout = 0.2
    • ResponseTimeout - Seconds for response timeout. For example: ResponseTimeout = 0.05
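The following is an added example, not part of the Zeridian documentation or plugin: a small Python checker for the zeridian.config format described above (Identity, URL, Debug, and the ConnectTimeout/ResponseTimeout keys from the Tips). The validation rules (Identity as a UUID-style string, https-only URL, numeric timeouts) are this example's assumptions, chosen so a malformed file is caught before the first scan rather than discovered in the Debug output.

```python
import re

# Keys the doc describes for zeridian.config; the validation rules below are
# this example's own, not Zeridian's (assumption).
_KEYS = {"Identity", "URL", "Debug", "ConnectTimeout", "ResponseTimeout"}
_UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample: the doc's example values plus the two timeout keys.
SAMPLE_CONFIG = """\
Identity = 60e7fca3-2f81-46d2-ad53-a986fd265b3d
URL = https://zeridian-beta.activestate.com
Debug = True
ConnectTimeout = 0.2
ResponseTimeout = 0.05
"""


def parse_zeridian_config(text):
    """Parse 'Key = value' lines into typed settings and a list of problems."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or key not in _KEYS:
            problems.append("line %d: expected one of %s" % (lineno, sorted(_KEYS)))
            continue
        settings[key] = value
    for required in ("Identity", "URL"):
        if required not in settings:
            problems.append("%s is required" % required)
    if "Identity" in settings and not _UUID_RE.match(settings["Identity"]):
        problems.append("Identity should be a UUID-style identifier")
    if "URL" in settings and not settings["URL"].startswith("https://"):
        problems.append("URL should use https so scan results are not uploaded in the clear")
    if settings.get("Debug") in ("True", "False"):
        settings["Debug"] = settings["Debug"] == "True"
    elif "Debug" in settings:
        problems.append("Debug must be True or False")
    for key in ("ConnectTimeout", "ResponseTimeout"):
        if key in settings:
            try:
                settings[key] = float(settings[key])
            except ValueError:
                problems.append("%s must be a number of seconds" % key)
    return settings, problems
```

Run it against each zeridian.config you deploy (home directory, /etc, application working directory, or the path in ZERIDIAN_CONFIG) and treat a non-empty problems list as a blocker.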