Links
📥

Install

Setup

There are two ways to set up Security Pipeline. One is to use it without cloning, and the other is to use it within your corporate GitLab.

Pipelines usage without clonning

  1. 1.
    Set the following environment variables in the GitLab group where your repositories are located:
    • SEC_PORTAL_KEY: This is the authentication API token for the AppSec Portal. You can find it on the Personal Info page (requires authorization, see this page for more information).
    • SEC_DD_KEY and SEC_DD_URL: These are used if you want to integrate with DefectDojo. You can get the token from your DefectDojo instance.
    • SEC_MOBILE_MOBSF_URL: This is used if you want to use an external MobSF (Mobile Security Framework).
  2. 2.
    Once you have set up these variables, you can trigger the pipelines.

Pipelines usage in corporate GitLab

Setup

  1. 1.
    Create a shared group in your corporate GitLab.
  2. 2.
    Create a project in the shared group.
  3. 3.
    Push the project content to your project.
  4. 4.
    Edit the common/variables.yml file with the proper URLs in SEC_DD_URL and SEC_MOBILE_MOBSF_URL (if you want to use an external MobSF).
  5. 5.
    Edit the SEC_PATH_TO_IMAGES variable in common/variables.yml (this variable should point to the project path to the security images project).
  6. 6.
    Add the same value to the pipelines.yml file to set the .image include directive properly. We will remove this step later. (image: $CI_REGISTRY/whitespots-public/security-images/toolset:latest)
  7. 7.
    Set the following environment variables in the GitLab group where your repositories are located:
    • SEC_PORTAL_KEY: This is the authentication API token for the AppSec Portal. You can find it on the Personal Info page (requires authorization, see this page for more information).
    • SEC_DD_KEY: used for DefectDojo integration. You can get the token from your DefectDojo instance.

Adding new scanners

  1. 1.
    Put scanner version in common/variables.yml (pipelines repo).
  2. 2.
    Add the Dockerfile to the folder in the security-images repo.
  3. 3.
    Add the job to the gitlab-ci.yml file (isecurity-images repo).
  4. 4.
    Add the job with the scan script in the common folder (pipelines repo).
  5. 5.
    Configure the default variables in common/variables.yml (pipelines repo).
  6. 6.
    Test the new scanner.

Integration

You can integrate the Security Pipeline with your CI/CD pipeline in two ways: triggering pipelines without passing any parameters and triggering pipelines with specific parameters.

Triggering Pipelines Without Passing Any Parameters

This example of .gitlab-ci.yml settings will detect all languages/technologies automatically and run checks without parameters.
stages:
# after build stage
- security
​
security:
stage: security
allow_failure: true
trigger:
include:
# Path to the shared repo
- project: 'whitespots-public/pipelines'
# a proper branch name
ref: 'main'
file: 'pipelines.yml'

Triggering Pipelines With Specific Parameters

This is a detailed integration example of .gitlab-ci.yml.
stages:
# after build stage
- security
​
security:
stage: security
allow_failure: true
trigger:
include:
# Path to the shared repo
- project: 'whitespots-public/pipelines'
# a proper branch name
ref: 'main'
file: 'pipelines.yml'
variables:
​
# Secrets settings
SEC_SECRETS_SCAN_ENABLE: "true"
​
# SAST settings
SEC_SAST_ENABLE: "true"
SEC_GREP: "true"
SEC_SEMGREP_CONFIG: "p/ci"
SEC_PYTHON: "true"
SEC_RUBY: "false"
SEC_PHP: "false"
SEC_JS: "true"
SEC_GOLANG: "false"
# Dependency check settings
SEC_IMAGE_SCAN_ENABLE: "true"
SEC_IMAGE_TO_SCAN_NAME: ${CI_REGISTRY_IMAGE}
SEC_IMAGE_TO_SCAN_TAG: ${CI_COMMIT_REF_NAME}
SEC_IMAGE_REGISTRY_URL: ${CI_REGISTRY}
SEC_IMAGE_REGISTRY_USER: ${CI_REGISTRY_USER}
SEC_IMAGE_REGISTRY_PASS: ${CI_REGISTRY_PASSWORD}
​
# DAST settings
SEC_DAST_ENABLE: "true"
SEC_DAST_URL_TO_SCAN: "https://example.com"
​
# Mobile settings
SEC_MOBILE_ENABLE: "false"
SEC_MOBILE_APK_PATH: "./apk/diva-beta.apk"
SEC_MOBILE_SCAN_TYPE: "apk|ios"
SEC_CHECKKARLMARX_DOMAIN: 'mycompany.com'
SEC_CHECKKARLMARX_QA_TAGS: 'qa test dev stage'
SEC_CHECKKARLMARX_PACKAGES: 'com.mycompany com.example'
​
# Infrastructure scanners
SEC_INFRA_ENABLE: "false"
SEC_INFRA_DOMAIN: "exxxxample.com"
​
# SAST (csharp) settings
SEC_SONARQUBE_ENABLE: "false"
SEC_SONARQUBE_URL: "https://sonarqube-test.whitespots.io"
SEC_SONARQUBE_PROJECT_KEY: "test-app"
SEC_SONARQUBE_SOURCES: "/usr/src"
SEC_SONARQUBE_TOKEN: "token"
SEC_SONARQUBE_PATH_TO_SLN: "token" # <- put in CI/CD variables for security reasons

Integration Examples

There are several integration examples provided in the repository, each containing a .gitlab-ci.yml file where you can see how to integrate the security checks into your pipelines. Here are a few examples:

Detailed video tutorial from our team

If you have any issues during installation or have any questions about using our pipelines, don't hesitate to reach out to our support team [email protected]
❤
.