Integrating different security tests in GitLab Continuous Integration (CI) context

Introduction

Using Gitlab-CI you can check your application for security threats which helps to prevents vulnerabilities early in the development process, allowing to be fixed before deployment.

Here i will show you how to integrate following security tests in Gitlab CI/CD pipeline.

• Dependency Scanning
• License Scanning
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)

lets get started with Dependency Scanning by adding it to your .gitlab-ci.yml

Dependency Scanning

Automatically finds security vulnerabilities in your  dependencies  while you are developing and testing your applications, such as when you are using an external (open source) libraries with known vulnerabilities

image: node:latest
   stages:
    - dependency_scanning
   cache:
      paths:
        - node_modules/
   dependency_scanning:
      stage: dependency_scanning
      only: 
         - merge_requests
      image: docker:stable
      variables:
         DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
         - docker:stable-dind
      script:
         - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
         - docker run
            --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
            --volume "$PWD:/code"
            --volume /var/run/docker.sock:/var/run/docker.sock
            "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
      artifacts:
         paths: [gl-dependency-scanning-report.json]

As you can see in the yaml this testing will only triggered for merge requests. The result of the test will be available in Artifacts [gl-dependency-scanning-report.json]. You can download this from GitLab Pipelines page.

Static Application Security Testing (SAST)

We can analyze our source code for vulnerabilities using the SAST (Static Application Security Testing). Integrate the following stage to your existing.gitlab-ci.yml file.

sast:
      stage: sast
      only: 
         - merge_requests
      image: docker:stable
      variables:
         DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
         - docker:stable-dind
      script:
         - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
         - docker run
            --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
            --volume "$PWD:/code"
            --volume /var/run/docker.sock:/var/run/docker.sock
            "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
      artifacts:
         paths: [gl-sast-report.json]

Dependency Scanning

This is very helpful when your application is using an external (open source) library which is known to be vulnerable. In order to integrate this Dependency scanning, you can integrate given stage to your existing .gitlab-ci.yml file

dependency_scanning:
      stage: dependency_scanning
      only: 
         - merge_requests
      image: docker:stable
      variables:
         DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
         - docker:stable-dind
      script:
         - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
         - docker run
            --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
            --volume "$PWD:/code"
            --volume /var/run/docker.sock:/var/run/docker.sock
            "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
      artifacts:
         paths: [gl-dependency-scanning-report.json]

Result will be available as gl-dependency-scanning-report.json in artifacts.

License Management

This stage searches our project dependencies for their licenses. Just integrate the given stage in your existing .gitlab-ci.yml

License Management report, compares the licenses between the source and target branches, and shows the information right on the merge request. Blacklisted licenses will be highlighted with an x red icon next to it.

   license_management:
      stage: license_management
      only: 
         - merge_requests
      image: docker:stable
      variables:
         DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
         - docker:stable-dind
      script:
         - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
         - docker run
            --env SOURCE_CODE="$PWD"
            --volume "$PWD":/code
            --rm
            "registry.gitlab.com/gitlab-org/security-products/license-management:latest" analyze /code
      artifacts:
         paths: [gl-license-management-report.json]

Our final .gitlab-ci.yml should look like this.

image: node:latest
   stages:
    - dast
    - dependency_scanning
    - sast
    - license_management
   cache:
      paths:
        - node_modules/
   dast:
      stage: dast
      only: 
         - merge_requests
      image: docker:stable
      variables:
         DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
         - docker:stable-dind
      script:
         docker run 
            --interactive --rm 
            --volume $(pwd)/wrk:/output:rw 
            --volume $(pwd)/wrk:/zap/wrk:rw 
            registry.gitlab.com/gitlab-org/security-products/dast:${VERSION:-latest} /analyze -t http://example.com -r report.html
      artifacts:
         paths: [wrk/gl-dast-report.json,wrk/report.html]
   
   dependency_scanning:
      stage: dependency_scanning
      only: 
         - merge_requests
      image: docker:stable
      variables:
         DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
         - docker:stable-dind
      script:
         - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
         - docker run
            --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
            --volume "$PWD:/code"
            --volume /var/run/docker.sock:/var/run/docker.sock
            "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
      artifacts:
         paths: [gl-dependency-scanning-report.json]
   
         
   sast:
      stage: sast
      only: 
         - merge_requests
      image: docker:stable
      variables:
         DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
         - docker:stable-dind
      script:
         - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
         - docker run
            --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
            --volume "$PWD:/code"
            --volume /var/run/docker.sock:/var/run/docker.sock
            "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
      artifacts:
         paths: [gl-sast-report.json]
                    
                
   
   license_management:
      stage: license_management
      only: 
         - merge_requests
      image: docker:stable
      variables:
         DOCKER_DRIVER: overlay2
      allow_failure: true
      services:
         - docker:stable-dind
      script:
         - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
         - docker run
            --env SOURCE_CODE="$PWD"
            --volume "$PWD":/code
            --rm
            "registry.gitlab.com/gitlab-org/security-products/license-management:latest" analyze /code
      artifacts:
         paths: [gl-license-management-report.json]