In this tutorial I will walk step by step through how to implement Static Analysis Security Testing (SAST) in your CI/CD pipeline. Before we get into the nitty-gritty of the pipeline steps, here are the prerequisites:
CI Tool: an account on GitLab SaaS or a GitLab on-premises instance, plus a GitLab Runner. Your GitLab Runner must have the Docker executor enabled; you can set it up via this link.
Project / Source Code: we will use the free/open-source Django project django.nv from https://github.com/secfigo/django.nv.git
In this tutorial we will implement a SAST tool called TruffleHog, a git-secret scanner that searches deep into commit history and branches. This makes it effective at finding secrets that were accidentally committed.
Step 0: Set up a GitLab account and GitLab Runner
If you don't have a GitLab account yet, please refer to this URL to set it up first, because the steps below assume your GitLab is already set up.
Step 1: GitLab repo setup & clone the django-nv source code
Once we have cloned the repo (shared above) and created a new project in our GitLab, we need to update the YAML file as shown below:
Step 2: Update your .gitlab-ci.yml file
```yaml
stages:
  - build
  - test
  - integration
  - prod

build:
  stage: build
  script:
    - echo "This is a build step"
    - echo "some tool output" > output.txt
  artifacts:
    paths: [output.txt]

sast-bandit:
  stage: build
  script:
    - docker pull secfigo/bandit
    - docker run --user $(id -u):$(id -g) -v $(pwd):/src --rm secfigo/bandit bandit -r /src -f json -o /src/bandit-output.json
  artifacts:
    paths: [bandit-output.json]
    # when: on_failure
    when: always
  allow_failure: true

sast-trufflehog:
  stage: build
  script:
    - docker pull secfigo/trufflehog
    - docker run --user $(id -u):$(id -g) -v $(pwd):/src --rm secfigo/trufflehog trufflehog file:///src
  allow_failure: true

oast-safety:
  stage: test
  script:
    - docker pull hysnsec/safety
    - docker run -v $(pwd):/src --rm hysnsec/safety safety check -r requirements.txt --json > oast-results.json
  artifacts:
    paths: [oast-results.json]
    when: always
  allow_failure: true

integration:
  stage: integration
  script:
    - echo "This is an integration step"
    - exit 1
  allow_failure: true # Even if the job fails, continue to the next stages

prod:
  stage: prod
  script:
    - echo "This is a deploy step"
  when: manual # Continuous Delivery
```
Step 3: Commit the YML file and run the CI/CD pipeline
Once we are done editing our .gitlab-ci.yml file, we click the "Commit" button below to run our git-secret test in the CI/CD pipeline.
Step 4: Run the CI/CD pipeline and see the git-secret scanner result. We can see our CI/CD pipeline running on the pipelines page.
Step 5: See the git-secret TruffleHog scanner result. To see our git-secret scanner result, we click on the sast-trufflehog job and view its log. The TruffleHog scanner shows the result in your CI/CD pipeline as below:
As we see above, there is a password leaked in the file user.json in our repository; the scanner also gives the Reason why it is a risk and which Branch is affected.
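Because the sast-trufflehog job above sets `allow_failure: true`, a leaked secret is reported in the log but never blocks the pipeline. The script below is an added example (not part of this tutorial or of the TruffleHog project) that turns the scanner's report into a gate: it assumes TruffleHog v2 run with its `--json` flag, and the per-finding keys it reads (`branch`, `commitHash`, `path`, `reason`, `stringsFound`) and the sample output it ships with are assumptions constructed for the example; it dedupes repeated findings, allowlists reviewed test-fixture paths, and returns a non-zero status for anything else.

```python
import json
import sys
# Constructed sample of TruffleHog v2 `--json` output (key names assumed): one JSON
# object per finding; the repeated line mimics the same secret being reported twice.
SAMPLE_OUTPUT = "\n".join(json.dumps(f) for f in [
    {"branch": "master", "commitHash": "abc123", "path": "user.json",
     "reason": "High Entropy", "stringsFound": ["s3cr3tP@ss"]},
    {"branch": "master", "commitHash": "abc123", "path": "user.json",
     "reason": "High Entropy", "stringsFound": ["s3cr3tP@ss"]},
    {"branch": "dev", "commitHash": "def456", "path": "tests/fixtures/dummy.pem",
     "reason": "RSA private key", "stringsFound": ["-----BEGIN RSA PRIVATE KEY-----"]},
])

# Reviewed allowlist of paths holding deliberate test fixtures, not real credentials.
ALLOWLISTED_PATH_PREFIXES = ("tests/fixtures/",)

def parse_findings(raw: str) -> list:
    """Parse JSON-lines output, skip non-JSON noise, drop exact duplicate findings."""
    seen, findings = set(), []
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        key = (obj.get("path"), obj.get("commitHash"), obj.get("reason"))
        if key not in seen:
            seen.add(key)
            findings.append(obj)
    return findings

def triage(findings: list) -> tuple:
    """Split findings into (blocking, allowlisted) by path prefix."""
    blocking = [f for f in findings
                if not str(f.get("path", "")).startswith(ALLOWLISTED_PATH_PREFIXES)]
    return blocking, [f for f in findings if f not in blocking]

def gate(raw: str) -> int:
    """Exit status for the CI job: 1 if any blocking finding remains, else 0."""
    blocking, allowlisted = triage(parse_findings(raw))
    for f in blocking:  # log the location, never the secret, so it stays out of CI logs
        print(f"BLOCK {f.get('path')} @ {f.get('commitHash')} ({f.get('reason')}, branch {f.get('branch')})")
    print(f"{len(blocking)} blocking finding(s), {len(allowlisted)} allowlisted")
    return 1 if blocking else 0

if __name__ == "__main__":  # read the scanner's stdout, or fall back to the sample
    sys.exit(gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT))
```

To make the job actually gate the pipeline, pipe the scanner's stdout into this script in the job's `script:` and drop `allow_failure: true` from the sast-trufflehog job once the allowlist has been reviewed.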
We have accomplished setting up git-secret scanning with TruffleHog in our CI/CD pipeline. So far we have done the following:
- We set up a project in GitLab and cloned the django-nv source code into it.
- We updated the .gitlab-ci.yml file with the Docker-based TruffleHog SAST tool as our git-secret scanner.
- We successfully found the leaked password in our code from the sast-trufflehog job's scan.
- We have the git-secret report in the CI/CD pipeline log as the basis for our remediation plan for the code.