Update Security Products examples documentation

Olivier Gonzalez 2018-04-03 19:19:00 +00:00 committed by Marcia Ramos
parent 59a158955e
commit a086945275
3 changed files with 30 additions and 6 deletions

@ -9,11 +9,12 @@ Once you set up the Runner, add a new job to `.gitlab-ci.yml`, called `codequali
```yaml ```yaml
codequality: codequality:
image: docker:latest image: docker:stable
variables: variables:
DOCKER_DRIVER: overlay DOCKER_DRIVER: overlay2
allow_failure: true
services: services:
- docker:dind - docker:stable-dind
script: script:
- export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/') - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
- docker run --env SOURCE_CODE="$PWD" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code - docker run --env SOURCE_CODE="$PWD" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
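Review bot: the `--volume /var/run/docker.sock:/var/run/docker.sock` mount in the `docker run` line hands the codequality container control of the Docker daemon it is attached to, which is root-equivalent on that host; the surrounding text should say so and tell readers to run this job only on a Runner they are prepared to grant that access. The newly added `allow_failure: true` also deserves a sentence, since it means a crashed or failed scan never blocks the pipeline and readers must check the job result themselves.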

@ -11,7 +11,7 @@ called `sast:container`:
```yaml ```yaml
sast:container: sast:container:
image: docker:latest image: docker:stable
variables: variables:
DOCKER_DRIVER: overlay2 DOCKER_DRIVER: overlay2
## Define two new variables based on GitLab's CI/CD predefined variables ## Define two new variables based on GitLab's CI/CD predefined variables
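Review bot: `docker:stable` is an improvement over `docker:latest` but is still a floating tag, so the text should mention that the Docker client version can change between pipeline runs and that an explicit version tag is the reproducible option.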
@ -20,7 +20,7 @@ sast:container:
CI_APPLICATION_TAG: $CI_COMMIT_SHA CI_APPLICATION_TAG: $CI_COMMIT_SHA
allow_failure: true allow_failure: true
services: services:
- docker:dind - docker:stable-dind
script: script:
- docker run -d --name db arminc/clair-db:latest - docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1 - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
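Review bot: `arminc/clair-db:latest` in the `script` is left unpinned while `arminc/clair-local-scan:v2.0.1` is pinned, and both are pulled from a third-party Docker Hub namespace rather than the GitLab registry used for the other scanners in this commit; either pin the database image as well (tag or digest) or add a sentence noting that the vulnerability database and scanner come from an external source the reader has to trust.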

@ -14,9 +14,10 @@ called `dast`:
```yaml ```yaml
dast: dast:
image: owasp/zap2docker-stable image: registry.gitlab.com/gitlab-org/security-products/zaproxy
variables: variables:
website: "https://example.com" website: "https://example.com"
allow_failure: true
script: script:
- mkdir /zap/wrk/ - mkdir /zap/wrk/
- /zap/zap-baseline.py -J gl-dast-report.json -t $website || true - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
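Review bot: the new `registry.gitlab.com/gitlab-org/security-products/zaproxy` image carries no tag, so it resolves to `latest`, which is inconsistent with the move to `docker:stable` elsewhere in this commit; add an explicit tag or explain why none is used. With `allow_failure: true` now added on top of the existing `|| true`, a scan that never ran still produces a green job, so the text should tell readers to inspect the `gl-dast-report.json` artifact rather than rely on the job status.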
@ -30,6 +31,28 @@ the tests on the URL defined in the `website` variable (change it to use your
own) and finally write the results in the `gl-dast-report.json` file. You can own) and finally write the results in the `gl-dast-report.json` file. You can
then download and analyze the report artifact in JSON format. then download and analyze the report artifact in JSON format.
It's also possible to authenticate the user before performing DAST checks:
```yaml
dast:
image: registry.gitlab.com/gitlab-org/security-products/zaproxy
variables:
website: "https://example.com"
login_url: "https://example.com/sign-in"
allow_failure: true
script:
- mkdir /zap/wrk/
- /zap/zap-baseline.py -J gl-dast-report.json -t $website \
--auth-url $login_url \
--auth-username "john.doe@example.com" \
--auth-password "john-doe-password" || true
- cp /zap/wrk/gl-dast-report.json .
artifacts:
paths: [gl-dast-report.json]
```
See [zaproxy documentation](https://gitlab.com/gitlab-org/security-products/zaproxy)
to learn more about authentication settings.
TIP: **Tip:** TIP: **Tip:**
Starting with [GitLab Ultimate][ee] 10.4, this information will Starting with [GitLab Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do be automatically extracted and shown right in the merge request widget. To do
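Review bot: the authentication example passes credentials as literals (`--auth-username "john.doe@example.com"`, `--auth-password "john-doe-password"`) inside `.gitlab-ci.yml`, which would commit a password to the repository; the snippet should reference GitLab secret CI/CD variables instead (for example `$DAST_USERNAME` and `$DAST_PASSWORD` as placeholder names) and the prose should say so explicitly. Also check the `\` continuations inside the plain YAML list item: YAML folds the continuation lines into one string and keeps the backslashes literally, so a `|` block scalar or a single line is the safer form, and `|| true` will hide any authentication failure that results.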