GitLab Security Features Reference
Overview
GitLab provides security scanning and vulnerability management built into the CI/CD pipeline. SAST and Secret Detection run on every tier; the remaining scanners, the vulnerability report, the security dashboards and security policies require Ultimate.
Security Scanning Types
1. SAST (Static Application Security Testing)
Analyzes source code for security vulnerabilities.
.gitlab-ci.yml:
include:
  - template: Security/SAST.gitlab-ci.yml
variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
Supported languages:
- JavaScript/TypeScript
- Python
- Ruby
- Java
- C/C++
- Go
- PHP
- C#/.NET
- Scala
- And more...
Custom configuration (SEARCH_MAX_DEPTH limits how deep the analyzer looks for project files; SAST_ANALYZER_IMAGE_TAG overrides the analyzer image tag, and "latest" makes results non-reproducible, so pin a specific major version in anything that gates merges):
sast:
  variables:
    SEARCH_MAX_DEPTH: 20
    SAST_ANALYZER_IMAGE_TAG: "latest"   # unpinned; prefer a fixed major version
2. DAST (Dynamic Application Security Testing)
Tests a running application for vulnerabilities. A full (active) scan submits attack payloads that can create, modify or delete data, so point DAST_WEBSITE at a staging deployment, never at production.
include:
  - template: Security/DAST.gitlab-ci.yml
variables:
  DAST_WEBSITE: https://example.com
  DAST_AUTH_URL: https://example.com/login
  DAST_USERNAME: testuser
  # DAST_PASSWORD is read from a masked, protected CI/CD variable of that name; never put it in YAML
  DAST_FULL_SCAN_ENABLED: "true"
DAST configuration with UI-defined profiles (site and scanner profiles are created under Secure > Security configuration > DAST profiles, and the job references them by name; the API specification variables that used to sit here belong to API Security Testing, section 8):
dast:
  dast_configuration:
    site_profile: "Production Site"
    scanner_profile: "Full Scan"
A site profile named "Production Site" paired with a full scanner profile is exactly the combination to avoid: use a scanner profile with passive mode for production hosts and reserve active scans for staging.
Browser-based DAST (the default analyzer from GitLab 17.0, when the proxy-based analyzer was removed; on earlier versions opt in with DAST_BROWSER_SCAN). DAST_TARGET_AVAILABILITY_TIMEOUT is the number of seconds to wait for the target to respond before the job fails:
include:
  - template: Security/DAST.gitlab-ci.yml
dast:
  variables:
    DAST_BROWSER_SCAN: "true"
    DAST_TARGET_AVAILABILITY_TIMEOUT: 120
3. Dependency Scanning
Checks dependencies for known vulnerabilities.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
variables:
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
  DS_JAVA_VERSION: 11
Supported package managers:
- npm/yarn (JavaScript)
- pip/pipenv (Python)
- bundler (Ruby)
- Maven/Gradle (Java)
- Go modules
- Composer (PHP)
- NuGet (.NET)
- CocoaPods (iOS)
Custom analyzer image. The scanning jobs are named after the analyzer (for example gemnasium-dependency_scanning), and the image is selected with two variables rather than a full image path: SECURE_ANALYZERS_PREFIX points at a registry (used for offline or mirrored deployments; registry.example.com below is a placeholder) and DS_ANALYZER_IMAGE_TAG pins the tag:
variables:
  SECURE_ANALYZERS_PREFIX: "registry.example.com/security-products"
  DS_ANALYZER_IMAGE_TAG: "2"
4. Container Scanning
Scans container images for vulnerable OS packages and, with the default analyzer, language dependencies. Scan the image by an immutable reference (commit SHA or digest) so the report matches what is deployed:
include:
  - template: Security/Container-Scanning.gitlab-ci.yml
variables:
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  CS_DOCKERFILE_PATH: Dockerfile
Scan an image in an external registry. The credentials are masked CI/CD variables for that registry, not the GitLab registry's $CI_REGISTRY_USER; the variable names below are placeholders:
container_scanning:
  variables:
    CS_REGISTRY_USER: $EXTERNAL_REGISTRY_USER
    CS_REGISTRY_PASSWORD: $EXTERNAL_REGISTRY_PASSWORD
    CS_IMAGE: registry.example.com/image:tag
5. Secret Detection
Detects secrets committed to the repository.
include:
  - template: Security/Secret-Detection.gitlab-ci.yml
variables:
  SECRET_DETECTION_EXCLUDED_PATHS: "tests/, spec/"
Detected secrets:
- AWS credentials
- API keys
- OAuth tokens
- Private keys
- Passwords
- Database credentials
- And more...
Full-history scan. By default only the commits in the current push are scanned; a historic scan walks every commit on every branch, which is slow on large repositories, so run it once or on a schedule:
secret_detection:
  variables:
    SECRET_DETECTION_HISTORIC_SCAN: "true"
    SECRET_DETECTION_LOG_OPTIONS: "--all --full-history"
Custom rules go in .gitlab/secret-detection-ruleset.toml (the analyzer is built on Gitleaks and uses its rule syntax). A secret found in history is compromised even after it is removed from HEAD: rotate it, do not just rewrite history.
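The block below is an added example, not GitLab's Secret Detection analyzer (which is built on Gitleaks and ships far more rules). It shows, for the secret classes listed above, what a rule-based scan actually does with a file tree and how a comma-separated excluded-paths list such as SECRET_DETECTION_EXCLUDED_PATHS changes the result. The patterns are simplified, the rule names are mine, and the sample files are constructed with no real credentials (the AWS key is the documentation example key).

```python
"""Toy secret scanner with excluded-path handling. Added example, not GitLab code."""
import fnmatch
import re
from dataclasses import dataclass

# Simplified detectors; real rule sets carry hundreds of these plus entropy checks.
RULES = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "GitLab personal access token": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b"),
    "Hard-coded password": re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str

def is_excluded(path, excluded_paths):
    """Approximation of SECRET_DETECTION_EXCLUDED_PATHS: a comma-separated list of
    directory prefixes or glob patterns, applied to repository-relative paths."""
    for pattern in (p.strip() for p in excluded_paths.split(",")):
        if not pattern:
            continue
        if fnmatch.fnmatch(path, pattern) or path.startswith(pattern.rstrip("/") + "/"):
            return True
    return False

def scan(files, excluded_paths=""):
    """files: {path: content}. Returns one Finding per (line, rule) hit."""
    findings = []
    for path, content in files.items():
        if is_excluded(path, excluded_paths):
            continue
        for lineno, line in enumerate(content.splitlines(), start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append(Finding(path, lineno, rule))
    return findings

# Constructed sample tree; nothing here is a real credential.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'   # AWS documentation example key
        'DB_PASSWORD = "correct-horse-battery"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "tests/fixtures/keys.txt": "AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, excluded_paths="tests/, spec/"):
        print(f"{f.path}:{f.line}: {f.rule}")
```

With "tests/, spec/" excluded, the fixture copy of the key is skipped and three findings remain; excluding test directories is convenient, but a real key that was pasted into a fixture is still a real key, so keep exclusions narrow and review what they hide.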
6. License Compliance
Identifies the licenses of dependencies. The standalone License-Scanning template below was deprecated in GitLab 15.9 and removed in 16.3; since then license data comes from the CycloneDX SBOM produced by Dependency Scanning, and no separate job is needed. On older versions:
include:
  - template: Security/License-Scanning.gitlab-ci.yml
license_scanning:
  variables:
    LICENSE_FINDER_CLI_OPTS: '--aggregate-paths=. --decisions-file=.license_decisions.yml'
License policies: the legacy .license_decisions.yml is a license_finder decisions file, generated with `license_finder permit MIT` and `license_finder restrict GPL-3.0` rather than written by hand as an allowed/denied map. The enforced form in GitLab is a license rule in a scan result policy, which requires approval when a listed license appears:
scan_result_policy:
  - name: Block copyleft licenses
    enabled: true
    rules:
      - type: license_finding
        branches:
          - main
        match_on_inclusion: true
        license_types:
          - GPL-2.0
          - GPL-3.0
        license_states:
          - newly_detected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
7. Coverage-Guided Fuzz Testing
Feeds generated inputs to a fuzz harness and uses code-coverage feedback to mutate toward unexplored paths (libFuzzer, AFL, go-fuzz, Jazzer and similar engines are supported). The harness must be built in the job before it is handed to the runner after `--`:
include:
  - template: Security/Coverage-Fuzzing.gitlab-ci.yml
my-fuzz-target:
  extends: .fuzz_base
  script:
    # build step for the harness goes here (compiler and engine are project-specific)
    - ./gitlab-cov-fuzz run -- ./fuzz-target
8. API Security Testing
Tests API endpoints (REST, GraphQL, SOAP) for vulnerabilities, driven by an OpenAPI document, a HAR file or a Postman collection instead of a crawl. The template is DAST-API; newer releases also ship it as Security/API-Security.gitlab-ci.yml with APISEC_-prefixed variables:
include:
  - template: Security/DAST-API.gitlab-ci.yml
variables:
  DAST_API_OPENAPI: openapi.json
  DAST_API_TARGET_URL: https://api.example.com
Like DAST, this is an active scan that sends malformed requests to every documented operation, so target a non-production deployment.
Security Dashboard
Project Security Dashboard
View vulnerabilities at project level:
- Critical, High, Medium, Low severities
- Vulnerability trends
- Status (Detected, Confirmed, Dismissed, Resolved)
- Fix recommendations
Group Security Dashboard
Aggregate view across projects (Ultimate):
- Cross-project vulnerabilities
- Priority vulnerabilities
- Compliance status
- Export capabilities
Vulnerability Management
The REST Vulnerabilities API is deprecated in favor of GraphQL and does not accept arbitrary title/severity fields. Over REST a vulnerability is created by promoting an existing finding; over GraphQL the vulnerabilityCreate mutation creates a manual entry with name, description, severity and identifiers.
Create vulnerability from a finding:
curl --request POST --header "PRIVATE-TOKEN: <token>" \
  "https://gitlab.com/api/v4/projects/:id/vulnerabilities?finding_id=<finding_id>"
Change state (the REST endpoints are confirm, dismiss, resolve and revert; there is no PATCH):
curl --request POST --header "PRIVATE-TOKEN: <token>" \
  "https://gitlab.com/api/v4/vulnerabilities/:id/confirm"
States:
- detected: reported by a scanner, not yet triaged
- confirmed: verified as real
- dismissed: false positive or accepted risk (record the reason and who accepted it)
- resolved: no longer detected after a fix
Security Policies
Scan Execution Policies
Enforce security scans on projects. Policies live in a security policy project linked from the group or project (Secure > Policies), at a fixed path:
# .gitlab/security-policies/policy.yml
scan_execution_policy:
  - name: Enforce SAST and Dependency Scanning
    description: Run security scans on all branches
    enabled: true
    rules:
      - type: pipeline
        branches:
          - main
          - develop
          - release/*
    actions:
      - scan: sast
      - scan: dependency_scanning
      - scan: secret_detection
Scan Result Policies
Control merge based on scan results. The rule compares the merge request pipeline's findings with the target branch, so it only fires when the target branch itself has a recent scan. role_approvers accepts project roles (developer, maintainer, owner); to require a named security team use user_approvers or group_approvers instead. The key was later renamed approval_policy (scan_result_policy is still accepted):
scan_result_policy:
  - name: Block merge on critical vulnerabilities
    description: Require security approval if new critical findings are introduced
    enabled: true
    rules:
      - type: scan_finding
        branches:
          - main
        scanners:
          - sast
          - dependency_scanning
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
        vulnerability_states:
          - newly_detected
    actions:
      - type: require_approval
        approvals_required: 2
        role_approvers:
          - maintainer
Vulnerability Reports
Generate Reports
Security scanners generate JSON reports, declared as report artifacts so the merge request widget and the vulnerability report can ingest them (the templates already do this):
sast:
  artifacts:
    reports:
      sast: gl-sast-report.json
dependency_scanning:
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
container_scanning:
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
Report Format
Schema 15 of the Secure report format. version is the schema version, scan describes the analyzer run, and each vulnerability carries a project-unique id (a UUID), a severity from Info/Unknown/Low/Medium/High/Critical, a location and at least one identifier. The cve, confidence and message fields of older schemas are gone; CVE and CWE references go in identifiers, and dependency_files belongs to the dependency scanning report, not to a SAST report.
{
  "version": "15.0.0",
  "scan": {
    "analyzer": { "id": "semgrep", "name": "Semgrep", "version": "...", "vendor": { "name": "GitLab" } },
    "scanner": { "id": "semgrep", "name": "Semgrep", "version": "...", "vendor": { "name": "GitLab" } },
    "type": "sast",
    "start_time": "...",
    "end_time": "...",
    "status": "success"
  },
  "vulnerabilities": [
    {
      "id": "...",
      "category": "sast",
      "name": "SQL Injection",
      "description": "...",
      "severity": "Critical",
      "scanner": {
        "id": "semgrep",
        "name": "Semgrep"
      },
      "location": {
        "file": "app/controllers/users_controller.rb",
        "start_line": 42,
        "end_line": 45
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-89",
          "value": "89",
          "url": "https://cwe.mitre.org/data/definitions/89.html"
        }
      ],
      "links": [
        {
          "url": "https://owasp.org/www-community/attacks/SQL_Injection"
        }
      ],
      "solution": "Use parameterized queries"
    }
  ],
  "remediations": []
}
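The following is an added example, not GitLab code: it parses reports in the format above and applies a scan_finding rule the way the scan result policy in the Security Policies section describes (scanners, severity_levels, vulnerability_states, vulnerabilities_allowed), so the gate can be reasoned about and unit-tested offline. The reports, UUIDs, file names and package name are constructed for the example, and "newly_detected" is approximated by comparing finding ids with a baseline set; GitLab itself matches findings against the target branch by fingerprint.

```python
"""Gate on GitLab security reports the way a scan_result_policy rule would.
Added example, not GitLab's policy engine."""
import json
from collections import Counter

# Constructed reports (Secure report format, schema 15 subset). Ids are made up.
SAST_REPORT = json.dumps({
    "version": "15.0.0",
    "scan": {"type": "sast", "status": "success"},
    "vulnerabilities": [
        {"id": "5e0d4c1e-0001-4c7e-9b3a-000000000001", "category": "sast",
         "name": "SQL Injection", "severity": "Critical",
         "scanner": {"id": "semgrep", "name": "Semgrep"},
         "location": {"file": "app/controllers/users_controller.rb", "start_line": 42},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
        {"id": "5e0d4c1e-0002-4c7e-9b3a-000000000002", "category": "sast",
         "name": "Reflected XSS", "severity": "Medium",
         "scanner": {"id": "semgrep", "name": "Semgrep"},
         "location": {"file": "app/views/search.erb", "start_line": 7},
         "identifiers": [{"type": "cwe", "name": "CWE-79", "value": "79"}]},
    ],
})
DS_REPORT = json.dumps({
    "version": "15.0.0",
    "scan": {"type": "dependency_scanning", "status": "success"},
    "vulnerabilities": [
        {"id": "5e0d4c1e-0003-4c7e-9b3a-000000000003", "category": "dependency_scanning",
         "name": "Unsafe deserialization in constructed-lib 1.0.0", "severity": "High",
         "scanner": {"id": "gemnasium", "name": "Gemnasium"},
         "location": {"file": "package-lock.json",
                      "dependency": {"package": {"name": "constructed-lib"}, "version": "1.0.0"}},
         "identifiers": [{"type": "cwe", "name": "CWE-502", "value": "502"}]},
    ],
})

SEVERITIES = ["info", "unknown", "low", "medium", "high", "critical"]

def load_findings(report_json):
    """Parse one report and tag every finding with the scan type it came from."""
    report = json.loads(report_json)
    if not str(report.get("version", "")).startswith("15."):
        raise ValueError(f"unsupported report schema: {report.get('version')!r}")
    scan_type = report["scan"]["type"]  # schema 15 requires the scan block
    findings = []
    for v in report.get("vulnerabilities", []):
        if v["severity"].lower() not in SEVERITIES:
            raise ValueError(f"bad severity {v['severity']!r} in {v['id']}")
        findings.append({**v, "scan_type": scan_type})
    return findings

# Mirrors the scan_finding rule shown in the Security Policies section.
POLICY_RULE = {
    "type": "scan_finding",
    "scanners": ["sast", "dependency_scanning"],
    "severity_levels": ["critical", "high"],
    "vulnerability_states": ["newly_detected"],
    "vulnerabilities_allowed": 0,
}

def evaluate(rule, findings, baseline_ids):
    """Return (approval_required, matching findings).
    baseline_ids: ids already present on the target branch; anything else is
    treated as newly_detected (a simplification of GitLab's fingerprint match)."""
    matches = []
    for f in findings:
        if f["scan_type"] not in rule["scanners"]:
            continue
        if f["severity"].lower() not in rule["severity_levels"]:
            continue
        state = "detected" if f["id"] in baseline_ids else "newly_detected"
        if state not in rule["vulnerability_states"]:
            continue
        matches.append(f)
    return len(matches) > rule.get("vulnerabilities_allowed", 0), matches

def severity_summary(findings):
    """Counts per severity, as the project dashboard tiles show them."""
    return Counter(f["severity"] for f in findings)

def main():
    findings = load_findings(SAST_REPORT) + load_findings(DS_REPORT)
    needs_approval, hits = evaluate(POLICY_RULE, findings, baseline_ids=set())
    print(dict(severity_summary(findings)))
    for f in hits:
        print(f"{f['severity']:8} {f['scan_type']:20} {f['name']}")
    raise SystemExit(1 if needs_approval else 0)

if __name__ == "__main__":
    main()
```

Run against the two constructed reports with an empty baseline, the rule matches the critical SQL injection and the high dependency finding and exits non-zero; adding the dependency finding's id to the baseline leaves only the SAST hit, and raising vulnerabilities_allowed to 2 lets the pipeline through, which is the knob the policy schema exposes for tolerating a known backlog.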
Compliance Features
Compliance Framework
Define compliance requirements (Ultimate). Frameworks are created in the group settings or through GraphQL; the pipeline configuration path must name both the file and the project it lives in (example-group and its compliance project below are placeholders):
mutation {
  createComplianceFramework(input: {
    namespacePath: "example-group"
    params: {
      name: "SOC 2"
      description: "SOC 2 compliance requirements"
      color: "#1aaa55"
      default: false
      pipelineConfigurationFullPath: ".gitlab/compliance/soc2.yml@example-group/compliance"
    }
  }) {
    framework { id name }
    errors
  }
}
Compliance Pipeline
The compliance configuration replaces the project's own .gitlab-ci.yml, so it must include the project pipeline explicitly or the project's jobs stop running. Keep the compliance project tightly controlled: anyone who can edit this file can remove the checks for every project under the framework. Compliance pipelines are deprecated in favor of pipeline execution policies from GitLab 17.3, which enforce the same thing without replacing the project pipeline.
# .gitlab/compliance/soc2.yml
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # the project's own pipeline, so compliance jobs are added to it rather than replacing it
  - project: $CI_PROJECT_PATH
    file: $CI_CONFIG_PATH
    ref: $CI_COMMIT_SHA
compliance_audit:
  stage: test
  script:
    - ./audit-compliance.sh
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
Audit Events
Track security-related activities:
# Get audit events
curl --header "PRIVATE-TOKEN: <token>" \
"https://gitlab.com/api/v4/projects/:id/audit_events"
# Group audit events
curl --header "PRIVATE-TOKEN: <token>" \
"https://gitlab.com/api/v4/groups/:id/audit_events"
Tracked events (not exhaustive):
- Member additions, removals and role changes
- Protected branch and merge request approval rule changes
- Project visibility and settings changes
- Personal, project and group access token creation
- Sign-in events (instance audit events on self-managed)
Scan results and policy violations are not audit events; they appear in the vulnerability report and the group compliance center respectively.
Security Best Practices
1. Enable All Scanners
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  # License-Scanning.gitlab-ci.yml was removed in 16.3; license data now comes from Dependency Scanning
2. Block Merges on Critical Issues
Configure merge request approvals:
- Require approval from security team
- Block merges with critical vulnerabilities
- Require all security checks to pass
3. Regular Dependency Updates
A job cannot use both rules and only (the pipeline fails validation), so the schedule condition is folded into rules. Updated lockfiles are discarded when the job ends unless the job commits and pushes them, so in practice this either pushes a branch with a project access token or is replaced by an update bot that opens merge requests:
dependency_update:
  stage: maintain   # must be declared under stages:
  script:
    - bundle update
    - npm update
    # commit and push the lockfile changes here, or the update is lost
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $DEPENDENCY_UPDATE == "true"
4. Secret Management
Use CI/CD variables for secrets:
- Mark as protected (exposed only to pipelines on protected branches and tags, so protect those branches first)
- Mark as masked (the value must be a single line of at least 8 characters from the allowed character set, or the API rejects masked=true)
- Limit scope to specific environments
- Rotate regularly
Anyone who can run a job on a protected branch can read a protected variable from inside that job, so treat variables as accessible to every Maintainer. A literal value on the command line also lands in shell history and process listings; read it from a file instead:
# Add protected, masked variable scoped to production
curl --request POST --header "PRIVATE-TOKEN: <token>" \
  "https://gitlab.com/api/v4/projects/:id/variables" \
  --data "key=SECRET_KEY" \
  --data-urlencode "value@secret_key.txt" \
  --data "protected=true" \
  --data "masked=true" \
  --data "environment_scope=production"
5. Two-Factor Authentication
Enforce 2FA for all users:
- Group settings > General > Permissions
- Require 2FA for all group members
- Set grace period for enablement
6. IP Allowlisting
Restrict access by IP (Premium/Ultimate, top-level groups only). ip_restriction_ranges is a single comma-separated string:
curl --request PUT --header "PRIVATE-TOKEN: <token>" \
  "https://gitlab.com/api/v4/groups/:id" \
  --data "ip_restriction_ranges=192.168.1.0/24,10.0.0.0/8"
The ranges must cover the addresses your users and CI runners actually connect from; on GitLab.com that means public egress addresses, not the private ranges shown, or the change locks users and pipelines out of the group.
7. Security Training
GitLab provides security training:
- Secure coding practices
- OWASP Top 10
- Security testing
- Vulnerability remediation
Security Integrations
SIEM Integration
Export audit events to a SIEM. GitLab Ultimate streams audit events to HTTP destinations natively (group > Secure > Audit events > Streams) and sends a verification token header the receiver can check; prefer that over polling. Where polling is the only option, a scheduled job has to fetch the events and forward them: the snippets below read the group audit events API (paginated; created_after narrows the window) and post them. GROUP_ID, AUDIT_READ_TOKEN, SPLUNK_HEC_TOKEN and ELASTIC_PASSWORD are masked CI/CD variables, and TLS verification is left on (do not use curl -k against a log collector).
Splunk (HTTP Event Collector; the date call is GNU date):
# .gitlab-ci.yml, run on a schedule
export_to_splunk:
  script:
    - |
      curl --fail --silent --header "PRIVATE-TOKEN: $AUDIT_READ_TOKEN" \
        "$CI_API_V4_URL/groups/$GROUP_ID/audit_events?per_page=100&created_after=$(date -u -d '1 day ago' +%Y-%m-%dT%H:%M:%SZ)" \
        | jq -c '.[] | {sourcetype: "gitlab:audit", event: .}' \
        | curl --fail --silent "https://splunk.example.com:8088/services/collector/event" \
            -H "Authorization: Splunk $SPLUNK_HEC_TOKEN" --data-binary @-
ELK Stack (bulk API; using the audit event id as _id makes re-exports idempotent):
export_to_elk:
  script:
    - |
      curl --fail --silent --header "PRIVATE-TOKEN: $AUDIT_READ_TOKEN" \
        "$CI_API_V4_URL/groups/$GROUP_ID/audit_events?per_page=100&created_after=$(date -u -d '1 day ago' +%Y-%m-%dT%H:%M:%SZ)" \
        | jq -c '.[] | {index: {_index: "gitlab-audit", _id: (.id | tostring)}}, .' \
        | curl --fail --silent -X POST "https://elasticsearch.example.com:9200/_bulk" \
            -H "Content-Type: application/x-ndjson" -u "elastic:$ELASTIC_PASSWORD" --data-binary @-
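The block below is an added example, not GitLab code and not its native audit event streaming. It does in Python what the export jobs above do with jq: shapes audit events (constructed here in the shape the audit_events API returns, with made-up ids, names and addresses) into the Splunk HEC batch format and the Elasticsearch bulk format, and adds a small detection pass that flags the events a security team would want alerted on: privileged role grants, a project going public, a protected branch being removed. The field names it inspects in details are those the API uses; the risk labels are mine.

```python
"""Shape GitLab audit events for SIEM ingestion and flag the risky ones.
Added example, not GitLab code."""
import json
from datetime import datetime, timezone

# Constructed events in the audit_events API shape.
SAMPLE_AUDIT_EVENTS = [
    {"id": 1, "author_id": 7, "entity_id": 42, "entity_type": "Group",
     "details": {"add": "user_access", "as": "Owner", "author_name": "alice",
                 "target_id": 9, "target_type": "User", "target_details": "bob",
                 "ip_address": "203.0.113.10", "entity_path": "example-group"},
     "created_at": "2024-05-01T10:15:00.000Z"},
    {"id": 2, "author_id": 7, "entity_id": 43, "entity_type": "Project",
     "details": {"change": "visibility", "from": "private", "to": "public",
                 "author_name": "alice", "target_id": 43, "target_type": "Project",
                 "target_details": "example-group/app", "ip_address": "203.0.113.10",
                 "entity_path": "example-group/app"},
     "created_at": "2024-05-01T10:16:30.000Z"},
    {"id": 3, "author_id": 8, "entity_id": 43, "entity_type": "Project",
     "details": {"custom_message": "Added CI/CD variable DEPLOY_ENV",
                 "author_name": "carol", "target_id": 43, "target_type": "Project",
                 "target_details": "example-group/app", "ip_address": "198.51.100.7",
                 "entity_path": "example-group/app"},
     "created_at": "2024-05-01T10:20:00.000Z"},
]

def event_epoch(event):
    """created_at is ISO 8601 with a Z suffix; HEC wants epoch seconds."""
    ts = event["created_at"].replace("Z", "+00:00")
    return datetime.fromisoformat(ts).astimezone(timezone.utc).timestamp()

def high_risk(event):
    """Return a reason string for events worth an alert, else None."""
    d = event["details"]
    if d.get("add") == "user_access" and d.get("as") in ("Owner", "Maintainer"):
        return f"privileged role {d['as']} granted to {d.get('target_details')}"
    if d.get("change") == "visibility" and d.get("to") == "public":
        return f"{d.get('entity_path')} made public"
    if d.get("remove") == "protected_branch":
        return f"protected branch removed on {d.get('entity_path')}"
    return None

def to_hec_payload(events, source="gitlab", sourcetype="gitlab:audit"):
    """Concatenated JSON objects, the batch format Splunk HEC /services/collector accepts."""
    lines = []
    for e in events:
        body = {"time": event_epoch(e), "source": source, "sourcetype": sourcetype,
                "event": {**e, "risk": high_risk(e)}}
        lines.append(json.dumps(body, separators=(",", ":")))
    return "\n".join(lines)

def to_es_bulk(events, index="gitlab-audit"):
    """NDJSON for the Elasticsearch _bulk API; _id = audit event id keeps re-exports idempotent."""
    out = []
    for e in events:
        out.append(json.dumps({"index": {"_index": index, "_id": str(e["id"])}}))
        out.append(json.dumps({**e, "risk": high_risk(e)}))
    return "\n".join(out) + "\n"   # _bulk requires a trailing newline

if __name__ == "__main__":
    print(to_hec_payload(SAMPLE_AUDIT_EVENTS))
    print(to_es_bulk(SAMPLE_AUDIT_EVENTS))
```

Carrying the risk label inside the indexed document rather than in a separate alert keeps the original event and the reason it was flagged together when an analyst pivots on it later; a SIEM rule can then match on risk != null instead of re-deriving the logic per destination.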
Vulnerability Management Tools
Integrate with external tools:
- Jira for vulnerability tracking
- ServiceNow for incident management
- PagerDuty for security alerts
Security API
The REST Vulnerabilities API is deprecated; filtering, bulk operations and dismissal reasons live in GraphQL (https://gitlab.com/api/graphql, same PRIVATE-TOKEN header). The REST state endpoints still work but record no reason.
List Vulnerabilities (critical, still in the detected state):
curl --request POST --header "PRIVATE-TOKEN: <token>" --header "Content-Type: application/json" \
  "https://gitlab.com/api/graphql" \
  --data '{"query": "{ project(fullPath: \"group/project\") { vulnerabilities(severity: CRITICAL, state: DETECTED) { nodes { id title severity reportType } } } }"}'
Dismiss Vulnerability (with a reason: ACCEPTABLE_RISK, FALSE_POSITIVE, MITIGATING_CONTROL, USED_IN_TESTS or NOT_APPLICABLE):
curl --request POST --header "PRIVATE-TOKEN: <token>" --header "Content-Type: application/json" \
  "https://gitlab.com/api/graphql" \
  --data '{"query": "mutation { vulnerabilitiesDismiss(input: {vulnerabilityIds: [\"gid://gitlab/Vulnerability/:id\"], dismissalReason: ACCEPTABLE_RISK, comment: \"Risk accepted by security team\"}) { errors } }"}'
Resolve Vulnerability (REST):
curl --request POST --header "PRIVATE-TOKEN: <token>" \
  "https://gitlab.com/api/v4/vulnerabilities/:id/resolve"
Security Hardening
Runner Security
Docker executor settings in config.toml. privileged = true gives every job root on the runner host (it is only needed for Docker-in-Docker), so keep such runners separate from runners that serve untrusted merge requests; allowed_images and allowed_services further restrict what jobs may run.
[[runners]]
  [runners.docker]
    privileged = false
    disable_cache = false
    volumes = ["/cache"]
    # Security settings
    security_opt = ["no-new-privileges"]
    cap_drop = ["ALL"]
    cap_add = ["NET_BIND_SERVICE"]
Registry Security
Container registry config.yml (on Omnibus these are set through registry['...'] keys in gitlab.rb). storage.delete.enabled allows images to be removed, which garbage collection and cleanup policies need; validation.manifests.urls.allow restricts the URLs a manifest may reference for foreign layers, so a pushed image cannot point at layers served from arbitrary hosts.
storage:
  delete:
    enabled: true
validation:
  manifests:
    urls:
      allow:
        - ^https://registry\.gitlab\.com/
Git Security
# /etc/gitlab/gitlab.rb
gitlab_rails['allowed_hosts'] = ['gitlab.example.com']
gitlab_rails['gitlab_shell_ssh_port'] = 2222
gitlab_rails['gitlab_shell_git_timeout'] = 800
Incident Response
Security Incident Template
# Security Incident: [TITLE]
## Severity
- [ ] Critical
- [ ] High
- [ ] Medium
- [ ] Low
## Detection
- Date/Time:
- Method:
- Reporter:
## Description
[Detailed description]
## Impact
[Affected systems/data]
## Response Actions
- [ ] Contain threat
- [ ] Assess damage
- [ ] Notify stakeholders
- [ ] Remediate vulnerability
- [ ] Document lessons learned
## Timeline
| Time | Action |
|------|--------|
| | |
## Root Cause
## Remediation
## Prevention
Additional Resources
- Security Documentation: https://docs.gitlab.com/ee/user/application_security/
- Security Scanners: https://docs.gitlab.com/ee/user/application_security/security_scanner_integration/
- Vulnerability Management: https://docs.gitlab.com/ee/user/application_security/vulnerabilities/
- Compliance: https://docs.gitlab.com/ee/administration/compliance.html