6. Add Security Scans, GitLab Pages, and Deploy
Introduction
This section adds GitLab security scans for Secret Detection, SAST, and Dependency Scanning to the pipeline. Mock vulnerabilities have been added to trigger findings, which will be viewed in the Vulnerability Report as well as via GitLab Pages using a custom parsing job for the scan report artifacts. The Dependency Scanning job will also generate the application's Dependency List / Software Bill of Materials (SBOM).
Security Findings
1. In your demo project, find the 6-security-analyzers branch in Code > Branches.
2. Next to the branch name, click New to create a new Merge Request from this branch.
3. Click Create Merge Request.
4. Review the changes to the .gitlab-ci.yml file, as well as the files added to the project repository:
   - The templates in the include section have been extended with jobs for Static Application Security Testing (SAST), Secret Detection, and Dependency Scanning.
   - By default, the SAST and Secret Detection jobs run in the test stage. An override runs these jobs in a new security stage.
   - Both jobs have also been overridden with an empty needs keyword, meaning they will start as soon as the pipeline begins.
   - The file mock_leaked_secret was added to the repository with a fake API key. This will trigger a finding in the Secret Detection analyzer.
   - The file mock_insecure_app.js contains an eval statement that can execute arbitrary code. This will trigger a finding in the SAST analyzer.
   - Two additional jobs, parse_vulns and pages, have been added to demonstrate how vulnerability findings in the security job report artifacts can be parsed and published via GitLab Pages.
   - Last, a deploy job has been added which will be included in pipelines triggered by commits to the default branch. When triggered manually, this job will pull the container image built by the pipeline and deploy it to a production environment (the job in this demo uses a placeholder for where the actual deployment script would go).
5. In the left hand navigation menu, click Build -> Pipelines, then click Run Pipeline in the top right corner. Select to run the pipeline on the 6-security-analyzers branch, then click Run Pipeline.
6. Navigate back to the Merge Request (Code -> Merge Requests) and wait for the pipeline to complete.
   - Refresh the page after the pipeline completes, then observe the new "Security Findings" widget displaying new vulnerabilities committed to the feature branch.
   - Note 1: The Security Findings widget in the MR is a GitLab Ultimate feature. With GitLab Premium, Merge Requests that have run security scans will indicate that the generated JSON report artifacts are available to download and process externally.
   - Note 2: Under typical circumstances, a developer would mitigate the vulnerabilities in a feature branch before committing the changes to a main branch. We will not be doing that in this demo.
7. Navigate back to the latest pipeline for the 6-security-analyzers branch and click the "play" button to manually trigger the pages job.
   - After the job completes, navigate in the left side menu to Deploy -> Pages, then click the URL under "Access pages" to view the parsed security results for the SAST and Secret Detection analyzers.
8. Within the Merge Request, click Mark as Ready in the Overview tab (if prompted), then click Merge.
9. After the pipeline for the merge into the main branch completes, navigate to the latest pipeline details (Pipelines -> latest pipeline for main) and manually trigger the deploy job by clicking the play button.
   - This job doesn't actually deploy anything, but is used to demonstrate a potential deployment pipeline.
10. Navigate to Secure -> Dependency List to view key details for the project's dependencies, as well as known vulnerabilities for the dependencies.
11. Next, click Secure -> Vulnerability Report to see the list of security findings that have been detected in the main branch (there should be findings for Secret Detection, SAST, and Dependency Scanning).
   - For larger projects with many known vulnerabilities that may have been dismissed for various reasons (false positives, low severity, etc.) rather than mitigated, the Vulnerability Report on the main branch is cross referenced with security analyzer results run on feature branches, so that only newly detected vulnerabilities are included in the Security Findings widget of the feature branch Merge Request.
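Steps 4 and 7 refer to a custom parse_vulns job that turns the SAST and Secret Detection report artifacts into a page published by the pages job. The script below is an added example of how such a parsing step can work; it is not the demo project's own parse_vulns job. It assumes the JSON report format the GitLab analyzers emit (a top-level "vulnerabilities" array whose entries carry name, severity, location and identifiers) and the templates' default artifact names gl-sast-report.json and gl-secret-detection-report.json. The two report bodies embedded in it are constructed sample data that mirror the mock files added in this section, not real analyzer output.

```python
"""Parse GitLab security report artifacts into a summary page.

Added example for this tutorial, not the project's own parse_vulns job.
It reads the report format the SAST and Secret Detection analyzers emit
(a top-level "vulnerabilities" array; each entry carries name, severity,
location and identifiers) and renders an HTML table that a pages job
could publish from public/. The two reports are constructed sample data.
"""
import html
import json
from collections import Counter
from pathlib import Path

# Sort order for findings and for the summary line.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample reports; file names are the templates' default
# artifact names, and the locations echo the mock files in this section.
SAMPLE_REPORTS = {
    "gl-sast-report.json": json.dumps({
        "version": "15.0.0",
        "vulnerabilities": [{
            "id": "sample-sast-1",
            "category": "sast",
            "name": "Use of eval",
            "severity": "High",
            "location": {"file": "mock_insecure_app.js", "start_line": 3},
            "identifiers": [{"type": "cwe", "name": "CWE-95", "value": "95"}],
        }],
    }),
    "gl-secret-detection-report.json": json.dumps({
        "version": "15.0.0",
        "vulnerabilities": [{
            "id": "sample-secret-1",
            "category": "secret_detection",
            "name": "Generic API key",
            "severity": "Critical",
            "location": {"file": "mock_leaked_secret", "start_line": 1},
            "identifiers": [{"type": "gitleaks_rule_id",
                             "name": "generic-api-key", "value": "generic-api-key"}],
        }],
    }),
}


def parse_report(name, text):
    """Flatten one report's JSON text into a list of finding dicts.

    Missing keys are tolerated: analyzers do not always fill every field,
    and a parse job that crashes on one odd entry publishes nothing.
    """
    findings = []
    for vuln in json.loads(text).get("vulnerabilities", []):
        loc = vuln.get("location") or {}
        findings.append({
            "report": name,
            "category": vuln.get("category", "unknown"),
            "name": vuln.get("name") or vuln.get("message") or "(unnamed)",
            "severity": vuln.get("severity", "Unknown"),
            "file": loc.get("file", "?"),
            "line": loc.get("start_line"),
            "ids": ", ".join(i.get("name", "") for i in vuln.get("identifiers", [])),
        })
    return findings


def parse_reports(reports):
    """Parse a {filename: json_text} mapping; most severe findings first."""
    findings = [f for name, text in reports.items() for f in parse_report(name, text)]
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    findings.sort(key=lambda f: rank.get(f["severity"], len(SEVERITY_ORDER)))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {"Critical": 1, "High": 1}."""
    return dict(Counter(f["severity"] for f in findings))


def render_html(findings):
    """Render findings as an HTML table. Every cell is escaped because
    finding names and file paths originate in scanned, untrusted content."""
    counts = severity_counts(findings)
    summary = ", ".join(f"{s}: {counts[s]}" for s in SEVERITY_ORDER if s in counts)
    cols = ("severity", "category", "name", "file", "line", "ids")
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(f[k]))}</td>" for k in cols) + "</tr>"
        for f in findings)
    return ("<html><body><h1>Security findings</h1>"
            f"<p>{html.escape(summary) or 'No findings'}</p>"
            "<table><tr><th>Severity</th><th>Category</th><th>Name</th>"
            f"<th>File</th><th>Line</th><th>Identifiers</th></tr>{rows}</table>"
            "</body></html>")


def write_pages_site(findings, out_dir="public"):
    """Write index.html into the directory a pages job publishes."""
    Path(out_dir).mkdir(exist_ok=True)
    Path(out_dir, "index.html").write_text(render_html(findings))


if __name__ == "__main__":
    found = parse_reports(SAMPLE_REPORTS)
    print(severity_counts(found))  # {'Critical': 1, 'High': 1}
    write_pages_site(found)
```

In a real parse_vulns job the script would read the report files the scanning jobs exposed as artifacts instead of the embedded samples, and the pages job would publish the public/ directory it writes. Escaping each cell matters here: the rendered page is served to anyone with Pages access, and finding names and paths are lifted straight from repository content.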