From 19df9c7e6e026700fd76a02b3c7db8deddeee633 Mon Sep 17 00:00:00 2001 From: Achilleas Pipinellis Date: Fri, 12 Jan 2018 15:25:50 +0100 Subject: [PATCH] Port the SAST DAST doc examples from EE to CE --- doc/ci/examples/README.md | 13 ++++++++ doc/ci/examples/dast.md | 35 ++++++++++++++++++++++ doc/ci/examples/sast_docker.md | 55 ++++++++++++++++++++++++++++++++++ 3 files changed, 103 insertions(+) create mode 100644 doc/ci/examples/dast.md create mode 100644 doc/ci/examples/sast_docker.md diff --git a/doc/ci/examples/README.md b/doc/ci/examples/README.md index b53bd79f39e..0109e77935a 100644 --- a/doc/ci/examples/README.md +++ b/doc/ci/examples/README.md @@ -41,6 +41,19 @@ There's also a collection of repositories with [example projects](https://gitlab [Analyze code quality with the Code Climate CLI](code_climate.md). +### Static Application Security Testing (SAST) + +- **(EEU)** [Scan your code for vulnerabilities](https://docs.gitlab.com/ee/ci/examples/sast.html) +- [Scan your Docker images for vulnerabilities](sast_docker.md) + +### Dynamic Application Security Testing (DAST) + +Scan your app for vulnerabilities with GitLab [Dynamic Application Security Testing (DAST)](dast.md). + +### Browser Performance Testing with Sitespeed.io + +Analyze your [browser performance with Sitespeed.io](browser_performance.md). + ### GitLab CI/CD for Review Apps - [Example project](https://gitlab.com/gitlab-examples/review-apps-nginx/) that shows how to use GitLab CI/CD for [Review Apps](../review_apps/index.html). diff --git a/doc/ci/examples/dast.md b/doc/ci/examples/dast.md new file mode 100644 index 00000000000..16ff8d5bb3e --- /dev/null +++ b/doc/ci/examples/dast.md @@ -0,0 +1,35 @@ +# Dynamic Application Security Testing with GitLab CI/CD + +This example shows how to run +[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis) +on your project's source code by using GitLab CI/CD. + +DAST is using the popular open source tool +[OWASP ZAProxy](https://github.com/zaproxy/zaproxy) to perform an analysis. + +All you need is a GitLab Runner with the Docker executor (the shared Runners on +GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`, +called `dast`: + +```yaml +dast: + image: owasp/zap2docker-stable + script: + - mkdir /zap/wrk/ + - /zap/zap-baseline.py -J gl-dast-report.json -t https://example.com || true + - cp /zap/wrk/gl-dast-report.json . + artifacts: + paths: [gl-dast-report.json] +``` + +The above example will create a `dast` job in your CI pipeline and will allow +you to download and analyze the report artifact in JSON format. + +TIP: **Tip:** +Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will +be automatically extracted and shown right in the merge request widget. To do +so, the CI job must be named `dast` and the artifact path must be +`gl-dast-report.json`. +[Learn more on dynamic application security testing results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html). + +[ee]: https://about.gitlab.com/gitlab-ee/ diff --git a/doc/ci/examples/sast_docker.md b/doc/ci/examples/sast_docker.md new file mode 100644 index 00000000000..d99cfe93afa --- /dev/null +++ b/doc/ci/examples/sast_docker.md @@ -0,0 +1,55 @@ +# Static Application Security Testing for Docker containers with GitLab CI/CD + +You can check your Docker images (or more precisely the containers) for known +vulnerabilities by using [Clair](https://github.com/coreos/clair) and +[clair-scanner](https://github.com/arminc/clair-scanner), two open source tools +for Vulnerability Static Analysis for containers. + +All you need is a GitLab Runner with the Docker executor (the shared Runners on +GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`, +called `sast:container`: + +```yaml +sast:container: + image: docker:latest + variables: + DOCKER_DRIVER: overlay2 + ## Define two new variables based on GitLab's CI/CD predefined variables + ## https://docs.gitlab.com/ee/ci/variables/#predefined-variables-environment-variables + CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG + CI_APPLICATION_TAG: $CI_COMMIT_SHA + allow_failure: true + services: + - docker:dind + script: + - docker run -d --name db arminc/clair-db:latest + - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1 + - apk add -U wget ca-certificates + - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} + - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 + - mv clair-scanner_linux_amd64 clair-scanner + - chmod +x clair-scanner + - touch clair-whitelist.yml + - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true + artifacts: + paths: [gl-sast-container-report.json] +``` + +The above example will create a `sast:container` job in your CI/CD pipeline, pull +the image from the [Container Registry](../../user/project/container_registry.md) +(whose name is defined from the two `CI_APPLICATION_` variables) and scan it +for possible vulnerabilities. The report will be saved as an artifact that you +can later download and analyze. + +If you want to whitelist some specific vulnerabilities, you can do so by defining +them in a [YAML file](https://github.com/arminc/clair-scanner/blob/master/README.md#example-whitelist-yaml-file), +in our case its named `clair-whitelist.yml`. + +TIP: **Tip:** +Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will +be automatically extracted and shown right in the merge request widget. To do +so, the CI/CD job must be named `sast:container` and the artifact path must be +`gl-sast-container-report.json`. +[Learn more on application security testing results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/sast_docker.html). + +[ee]: https://about.gitlab.com/gitlab-ee/