Setup CI/CD code analysis with SAST

gitlab | runner | ci/cd laravel | ci/cd react | sast

THIS IS AN ON-GOING DRAFT

Introduction

Requirements

install Docker CE on your runner

then grab images for the scanners you would like e.g. nodejsscan and phpcs

usermod -aG docker gitlab-runner
su - gitlab-runner

docker ps -a
docker pull opensecurity/nodejsscan:latest
docker pull alpine

^D

and register your runner with the docker executor

as root

gitlab-runner register

Repo enhancements

now clone the official repo and add the templates/ folder to yours

git clone https://gitlab.com/gitlab-org/gitlab.git
cp -a gitlab/templates/ validate-ci-cd/
rm -rf gitlab/

Setup

vi gitlab-ci.yml

stages:
- test
- deploy

sast:
  stage: test

include:
- template: Jobs/SAST.gitlab-ci.yml

Resources

Static Application Security Testing (SAST) https://docs.gitlab.com/ee/user/application_security/sast/

SAST analyzers https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html

tutorials

How to Setup DevSecOps Pipeline in GitLab https://www.magalix.com/docs/how-to-setup-devsecops-pipeline-in-gitlab

scanners

https://github.com/ajinabraham/NodeJsScan

https://github.com/FloeDesignTechnologies/phpcs-security-audit

https://github.com/zricethezav/gitleaks

custom ruleset

How to tailor SAST and Secret Detection to your application context with custom rulesets https://about.gitlab.com/blog/2021/12/21/rule-pack-synthesis/

notes

# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence

https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html

https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates

https://docs.gitlab.com/ee/user/application_security/sast/

production:helm-2to3:migrate job: dependency build is not defined in current or prior stages https://docs.gitlab.com/ee/topics/autodevops/upgrading_auto_deploy_dependencies.html


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5
Copyright © 2022 Pierre-Philipp Braun