Tuesday, February 6, 2024

Gitlab CICD SAST DAST : How to securing your codebase

Static Application Security Testing (SAST) is a crucial step in securing your codebase. In GitLab, you can use various tools like GitLab CI/CD and various SAST analyzers to achieve this. Here's a step-by-step guide for a beginner to set up SAST in GitLab:

Step 1: Create a GitLab Project

Create a new project in GitLab or use an existing one.

Step 2: Configure .gitlab-ci.yml

Create a .gitlab-ci.yml file in the root of your project. This file defines the CI/CD pipeline. Add the following configuration:

stages: - test variables: # Define the SAST_ANALYZER_IMAGE based on the SAST tool you choose SAST_ANALYZER_IMAGE: "your-sast-analyzer-image" sast: stage: test script: - echo "Running SAST scan" - docker run --rm -v $PWD:/code $SAST_ANALYZER_IMAGE /code only: - master # Run SAST only for the master branch (adjust as needed)


Replace "your-sast-analyzer-image" with the actual image name of your chosen SAST tool.

The choice of a specific SAST analyzer image depends on the programming language and framework used in your project. Here are a few examples for popular programming languages:

  1. Bandit for Python:

    • SAST Analyzer Image: bandit/bandit
    • Example .gitlab-ci.yml configuration
  2. variables: SAST_ANALYZER_IMAGE: "bandit/bandit"

Brakeman for Ruby on Rails:

  • SAST Analyzer Image: brakeman
  • Example .gitlab-ci.yml configuration:
variables:
  SAST_ANALYZER_IMAGE: "brakeman"

variables: SAST_ANALYZER_IMAGE: "brakeman"

SpotBugs for Java:

  • SAST Analyzer Image: spotbugs/spotbugs
  • Example .gitlab-ci.yml configuration:

variables: SAST_ANALYZER_IMAGE: "spotbugs/spotbugs"

ESLint for JavaScript (Node.js):

  • SAST Analyzer Image: node:latest (Node.js is often used for JavaScript static analysis tools like ESLint)
  • Example .gitlab-ci.yml configuration:

variables: SAST_ANALYZER_IMAGE: "node:latest"

Choose the SAST analyzer image based on your project's requirements. Always check the official documentation of the SAST tool for the latest and most suitable Docker image for your needs.

Remember to adjust the image name and version based on your project's specific requirements, and ensure that the chosen image is available on the Docker Hub or another container registry accessible to your GitLab runner.


Step 3: Choose a SAST Tool

Choose a SAST tool that integrates well with GitLab. Some popular options include:

Step 4: Example with Bandit (for Python)

Assuming you've chosen Bandit, you need to install it in your project. Add the following lines to your .gitlab-ci.yml file:

before_script: - pip install bandit sast: stage: test script: - echo "Running SAST scan" - bandit -r . only: - master

Here's a simple example of a Python script that contains a potential security issue, and you can use Bandit as a SAST tool to detect it:



# sample_script.py

import os

def insecure_function(user_input):
    os.system("rm -rf /")  # This is a potential security issue - arbitrary command execution

def main():
    user_input = input("Enter something: ")
    insecure_function(user_input)

if __name__ == "__main__":
    main()


This script takes user input and uses it in a potentially insecure way by directly executing a system command. It's essential to identify and fix such issues to enhance the security of your codebase.

Now, assuming you have Bandit installed locally, you can run the Bandit tool against this script using the following command:

bandit -r .

This command runs Bandit recursively (-r) on the current directory (.). Bandit will analyze the Python script and report any security issues it finds.

When integrating this into your GitLab pipeline, you can use the .gitlab-ci.yml configuration mentioned earlier. Make sure to install Bandit in your CI environment using a before_script or a dedicated job in the CI configuration.

Remember that this is just a basic example, and real-world security issues can be more complex. SAST tools like Bandit help automate the process of identifying potential vulnerabilities in your code. Always review the results and take appropriate actions to address any security concerns.


Step 5: Commit and Push

Commit your changes and push them to your GitLab repository. This will trigger the CI/CD pipeline.

Step 6: View Results in GitLab

After the pipeline completes, go to your project in GitLab, navigate to "CI / CD > Jobs", and check the output of the SAST job. GitLab will display the results, highlighting any security issues detected by the SAST tool.

Step 7: Set Up GitLab Security Dashboard (Optional)

GitLab provides a Security Dashboard where you can view the security status of your project. To set it up, navigate to "Security & Compliance > Security Dashboard" in your project settings.

Remember to adapt these steps based on your specific programming language, chosen SAST tool, and other project requirements. Always refer to the documentation of the chosen SAST tool for any additional configurations or considerations.

==================================

To execute a simple hello.py Python file on GitLab, you'll need to set up a CI/CD pipeline that runs the Python script as part of the pipeline. Here's a step-by-step guide:

  1. Create a GitLab Project:

    • Create a new project in GitLab or use an existing one.
  2. Write hello.py Script:

    • Write your hello.py Python script. For example:
# hello.py

def main():
    print("Hello, GitLab CI/CD!")

if __name__ == "__main__":
    main()


Add .gitlab-ci.yml File:
  • Create a .gitlab-ci.yml file in the root directory of your project. This file defines the CI/CD pipeline for your project. Here's a simple example to execute the hello.py script:

stages: - test hello: stage: test script: - python hello.py


  1. Commit and Push:

    • Commit the changes to your repository, including the hello.py file and the .gitlab-ci.yml file, and push them to GitLab. This will trigger the CI/CD pipeline.
  2. View Results:

    • After the pipeline completes, go to your project in GitLab, navigate to "CI/CD > Pipelines", and click on the pipeline to view the job's output. You should see "Hello, GitLab CI/CD!" printed as the output of the pipeline job.

By following these steps, you can execute a simple hello.py Python script on GitLab using CI/CD pipelines. This example demonstrates the basics of running Python scripts as part of your CI/CD workflow in GitLab.

Job failed

The error message "This job is stuck because the project doesn't have any runners online assigned to it" indicates that there are no GitLab Runners available to execute your CI/CD pipeline job. To fix this issue, you need to ensure that GitLab Runners are properly configured and registered to your GitLab project. Here's how you can fix it:

  1. Install and Configure GitLab Runner:

    • You need to install and configure GitLab Runner on a machine (e.g., a server, VM, or your local machine) that has access to your GitLab project. You can find instructions for installing and configuring GitLab Runner in the official documentation.
  2. Register GitLab Runner:

    • After installing GitLab Runner, you need to register it with your GitLab project. Run the following command on the machine where GitLab Runner is installed:
gitlab-runner register


    • Follow the prompts to configure GitLab Runner. When prompted for the GitLab instance URL and registration token, you can find these values in your GitLab project settings under "Settings > CI/CD > Runners".
  1. Enable Shared Runners (Optional):

    • If you're using GitLab.com or a GitLab instance with shared runners enabled, ensure that shared runners are enabled for your project. You can check and enable shared runners in your project settings under "Settings > CI/CD > Runners".
  2. Check Runner Status:

    • After registering the runner, ensure that it is online and available to pick up jobs. You can check the status of your runner in your GitLab project settings under "Settings > CI/CD > Runners". If the runner is online and available, it should be listed there.
  3. Ensure Runner Tags (Optional):

    • If you're using specific tags for your GitLab Runners, ensure that the runner configured for your project has the necessary tags. You can specify tags in your .gitlab-ci.yml file to ensure that jobs are picked up by runners with specific tags.
  4. Retry the Pipeline:

    • After ensuring that GitLab Runner is properly configured and available, retry your CI/CD pipeline. Push new changes to your repository, and GitLab should automatically trigger the pipeline execution.

By following these steps, you should be able to resolve the error and ensure that your CI/CD pipeline jobs are executed successfully with GitLab Runners. If you encounter any issues during the setup process, refer to the GitLab Runner documentation or reach out to GitLab support for assistance.