DevSecOps Tutorial : How to implement Git-Secret Scanner in CI/CD Pipeline

Introduction

This tutorial walks step by step through implementing a Static Analysis Security Test (SAST) in your CI/CD pipeline. Before we get into the nitty-gritty of the CI/CD pipeline steps, the prerequisites for this tutorial are listed below:

Requirements:

CI Tool: an account on SaaS GitLab or GitLab on-premises, plus a GitLab Runner. Your GitLab Runner must have the Docker executor enabled; you can set it up via this link.

Project / Source Code: we will use the free/open-source Django project django.nv from https://github.com/secfigo/django.nv.git


Git-Secret Tool

In this tutorial we will implement a SAST tool called Trufflehog. It is a git-secret scanner that searches deep into commit history and branches, which makes it effective at finding secrets that were accidentally committed.

Step 0 : Setup a GitLab Account and GitLab Runner

If you don't have a GitLab account yet, please refer to this URL to set one up first, because the steps below assume your GitLab is already set up.

Step 1: GitLab Repo setup & Clone django-nv source code

Once we have cloned the repo (as shared above) and created a new project in our GitLab, we need to update the .gitlab-ci.yml file as shown below:

[Screenshot: gitlab]

Step 2: Update your .gitlab-ci.yml file

```yaml
stages:
  - build
  - test
  - integration
  - prod

build:
  stage: build
  script:
    - echo "This is a build step"
    - echo "some tool output" > output.txt
  artifacts:
    paths: [output.txt]

# Static analysis of the Python code with Bandit, run from a Docker image
sast-bandit:
  stage: build
  script:
    - docker pull secfigo/bandit
    - docker run --user $(id -u):$(id -g) -v $(pwd):/src --rm secfigo/bandit bandit -r /src -f json -o /src/bandit-output.json
  artifacts:
    paths: [bandit-output.json]
    # when: on_failure
    when: always   # keep the report as an artifact even when Bandit reports issues
  allow_failure: true

# Git-secret scan: Trufflehog walks the commit history of the checked-out repository.
# Only the history the runner clones is scanned, so a shallow clone (GIT_DEPTH) limits its reach.
sast-trufflehog:
  stage: build
  script:
    - docker pull secfigo/trufflehog
    - docker run --user $(id -u):$(id -g) -v $(pwd):/src --rm secfigo/trufflehog trufflehog file:///src
  allow_failure: true   # findings are reported in the job log but do not block the pipeline

# Dependency check with Safety against requirements.txt
oast-safety:
  stage: test
  script:
    - docker pull hysnsec/safety
    - docker run -v $(pwd):/src --rm hysnsec/safety safety check -r requirements.txt --json > oast-results.json
  artifacts:
    paths: [oast-results.json]
    when: always
  allow_failure: true

integration:
  stage: integration
  script:
    - echo "This is an integration step"
    - exit 1
  allow_failure: true # Even if the job fails, continue to the next stages

prod:
  stage: prod
  script:
    - echo "This is a deploy step"
  when: manual # Continuous Delivery
```

Step 3: Commit YML file and Run the CI/CD Pipeline

Once we are done editing our .gitlab-ci.yml file, we click the "Commit" button shown below; this triggers the pipeline and runs our git-secret test in CI/CD:

[Screenshot: commit-button]

Step 4: Run the CI/CD Pipeline and see the git-secret scanner result

We can see our CI/CD pipeline running on the Pipelines page:

[Screenshot: trufflehog-cicd]

Step 5: See the Trufflehog git-secret scanner result

To see our git-secret scanner result, we click on the sast-trufflehog job and read its log. The Trufflehog scanner shows its result in your CI/CD pipeline as below:

[Screenshot: trufflehog-cicd-report]

As we can see above, a password was leaked in the file user.json in our repository. The report also gives the Reason why it is flagged and which Branch is affected.
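To make concrete what a git-secret scanner such as Trufflehog does under the hood (the "searches deep into commit history" from the Git-Secret Tool section) and how a report with a file, a Reason and a Branch comes about, here is an added example. It is not code from this tutorial or from Trufflehog: it applies the same idea, flagging high Shannon-entropy strings and obvious password literals in the added lines of a `git log -p` style diff, and adds a gate that turns findings into a job verdict. The commit hash, the sample diff, the function names and the thresholds are all constructed for illustration.

```python
"""Added example, not code from the tutorial or from Trufflehog: a minimal
git-secret scanner over a constructed `git log -p` style diff, plus a gate
that decides whether a CI job should fail. All names, thresholds and the
sample diff are assumptions chosen for illustration."""
import math
import re
import sys
from dataclasses import dataclass

BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
# Thresholds are assumptions for this example; tune them for your own codebase.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0
MIN_LEN = 20
# Catches the kind of leak the tutorial's report shows: a password literal in JSON/YAML.
PASSWORD_RE = re.compile(r'["\']?password["\']?\s*[:=]\s*["\']([^"\']{6,})["\']', re.I)


@dataclass
class Finding:
    """One report entry, mirroring the fields the tutorial's screenshot mentions."""
    branch: str
    commit: str
    path: str
    reason: str
    string_found: str


def shannon_entropy(data: str, alphabet: str) -> float:
    """Bits of entropy per character, counting only characters from `alphabet`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(data):
        if ch not in alphabet:
            continue
        p = data.count(ch) / len(data)
        entropy -= p * math.log2(p)
    return entropy


def high_entropy_strings(line: str) -> list:
    """Return (string, reason) pairs for long base64/hex runs that look random."""
    hits = []
    for run in re.findall(r"[A-Za-z0-9+/=]{%d,}" % MIN_LEN, line):
        if shannon_entropy(run, BASE64_CHARS) > BASE64_THRESHOLD:
            hits.append((run, "High Entropy (base64)"))
    for run in re.findall(r"[0-9A-Fa-f]{%d,}" % MIN_LEN, line):
        if shannon_entropy(run, HEX_CHARS) > HEX_THRESHOLD:
            hits.append((run, "High Entropy (hex)"))
    return hits


def scan_diff(diff_text: str, branch: str) -> list:
    """Walk a `git log -p` style text and inspect only the added lines of each file."""
    findings = []
    commit = path = "?"
    for raw in diff_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif raw.startswith("+") and not raw.startswith("+++"):
            added = raw[1:]
            for s, reason in high_entropy_strings(added):
                findings.append(Finding(branch, commit, path, reason, s))
            m = PASSWORD_RE.search(added)
            if m:
                findings.append(Finding(branch, commit, path, "Password literal", m.group(1)))
    return findings


def should_fail_pipeline(findings: list) -> bool:
    """Gate: any finding fails the job (the tutorial's allow_failure: true would let it pass)."""
    return len(findings) > 0


# Constructed sample diff (not a real commit); the api_token value is 32 distinct characters.
SAMPLE_DIFF = """\
commit 0123456789abcdef0123456789abcdef01234567
Author: Example Dev <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    add user fixture

diff --git a/user.json b/user.json
--- /dev/null
+++ b/user.json
@@ -0,0 +1,5 @@
+{
+  "username": "admin",
+  "password": "S3cr3t-P@ssw0rd-9921",
+  "api_token": "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"
+}
"""


def main() -> int:
    findings = scan_diff(SAMPLE_DIFF, branch="master")
    for f in findings:
        print(f"{f.branch} {f.commit[:8]} {f.path}: {f.reason} -> {f.string_found}")
    return 1 if should_fail_pipeline(findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as-is and it reports two findings for user.json (the password literal and the high-entropy token) and exits non-zero; in a real job you would feed it `git log -p <branch>` output for each branch instead of the constructed diff. The exit code is the part that matters for a pipeline: with `allow_failure: true` on the scan job, as in the YAML above, a non-zero exit is shown as a warning and the pipeline continues, so gating on leaks means running the scan without that flag.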

Recap

We have set up the Trufflehog git-secret scanner in our CI/CD pipeline. So far we have done the following:

  1. Set up a GitLab project and cloned the django-nv source code into it.
  2. Updated the .gitlab-ci.yml file with the Dockerized Trufflehog SAST tool as a git-secret scanner.
  3. Found the leaked password in our code through the sast-trufflehog job's scan.
  4. Kept the git-secret report in the CI/CD pipeline log as the basis for an improvement plan for our code.

Next you should read

Dynamic Analysis Security Test (DAST).

Tutorial -> How to implement DAST in CI/CD Pipeline.
