As a later post will show, I've been using gitlab pipelines to validate some of my code for me. As a security conscious person, I've been interested in building security in to pipelines. Not to give too much of my later post away, but using terraform with gitlab has been a bit of a learning curve.
By this stage, I had already followed the documentation on setting up a runner in docker. My runners are all on linux, and you should check that the code that you want to run (including these extra checks) will run on your architecture.
GitLab promises easy-to-use security checks, straight from the pipeline. While they are easy to use, I had a few issues getting started with them. The first issue was that the stage was unavailable: I had overridden the default stages to specify my own, and the jobs I wished to run, secret detection and SAST for IaC, both want to run in the test stage, which was no longer defined.
Initially, I started by adding each of them to the .gitlab-ci.yml file like so:
include:
  - template: Terraform/Base.gitlab-ci.yml
  - template: Security/SAST-IaC.gitlab-ci.yml
  #- template: Jobs/Secret-Detection.gitlab-ci.yml
At this stage, only the SAST template was active, as I wanted to get it all correct before progressing. I should also point out that I made sure that the base config was all working before adding the extra include. The first error message I saw was:
After a bit of googling and checking the full configuration, I determined that a new job "iac-sast" had been added to my configuration (amongst others). In order to change the stage that this included job ran in, I added the following to my .gitlab-ci.yml file:
iac-sast:
  stage: validate

# and for secrets detection
secret_detection:
  stage: validate
The validators then passed. Running the pipelines did show a few other errors, and I ended up overriding the default before_script that I had set up beforehand. Once that was done, it was plain sailing.
Another tool I wanted to add to my pipeline was dependency-check from OWASP. I am an OWASP member and love trying out the projects from time to time. Although in my case dependency-check doesn't actually seem to work (perhaps Terraform doesn't have security issues with older modules?), I did get the program working and running.
First off, make sure you have enough RAM to run your runner. My docker instance only had 2GB of RAM and a 2GB swap file which it easily exhausted. My project isn't very big either.
In order to set up dependency-check, I added the following to my .gitlab-ci.yml file:
# While the following works as a validate check,
# OWASP dependency-check doesn't support terraform.
dependencycheck:
  stage: validate
  image:
    name: owasp/dependency-check
    entrypoint: [""]
  before_script:
    # - override jobs if required
  script:
    - /usr/share/dependency-check/bin/dependency-check.sh --project Test --out . --scan . --enableExperimental --failOnCVSS 7
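To show how the pieces above fit together (the custom stage list that removes the test stage, the template includes, the stage overrides for the included jobs, and the dependency-check job), here is a complete .gitlab-ci.yml. This is an added example, not the file from the post; the stage names, the global before_script content, the artifact path and the use of $CI_PROJECT_NAME are my assumptions.

```yaml
# Custom stage list (assumed names). Defining your own list is what drops the
# default "test" stage that the included scanner jobs expect to run in.
stages:
  - validate
  - build
  - deploy

include:
  - template: Terraform/Base.gitlab-ci.yml
  - template: Security/SAST-IaC.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml

# Redeclaring a job with the same name as the included one merges with the
# template definition, so only the stage needs to be set here.
# (The alternative is simply to add "test" to the stages list above.)
iac-sast:
  stage: validate

secret_detection:
  stage: validate

# Assumed global before_script, standing in for the one the post mentions;
# jobs whose image lacks terraform must clear it (see dependencycheck).
default:
  before_script:
    - terraform --version

dependencycheck:
  stage: validate
  image:
    name: owasp/dependency-check
    entrypoint: [""]
  before_script: []    # empty list overrides the global default above
  script:
    - >
      /usr/share/dependency-check/bin/dependency-check.sh
      --project "$CI_PROJECT_NAME" --out . --scan .
      --enableExperimental --failOnCVSS 7
  artifacts:
    when: always        # keep the report even when --failOnCVSS fails the job
    paths:
      - dependency-check-report.html
```

Validate the merged result with the CI Lint tool (or "View merged YAML" in the pipeline editor) before pushing; that is where a job referencing an undefined stage is reported.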
The last free security check that GitLab supports is container scanning. As I am only using an image or two in this project, to do specific jobs for the pipeline, I haven't felt the need to deploy it in anger yet. Maybe once I get my kubernetes cluster back up and running...