How to secure your dependencies with GitLab and WhiteSource

Aug 10, 2020 · 5 min read
Fernando Diaz GitLab profile

GitLab's WhiteSouce integration empowers developers to enhance application security directly within the GitLab UI. The integration provides dependency scanning with in-depth analysis, along with actionable insights, and auto-remediation. WhiteSource for GitLab enhances your team's productivity, security, and compliance.

Rhys Arkins, Product Director at WhiteSource, and I hosted a webinar on "Harnessing development to scale AppSec" showcasing the features of GitLab's WhiteSource integration for open source dependency scanning.

This blog post will guide you through setting up WhiteSource in your private GitLab instance and show you how the integration with WhiteSource enhances your application's security within GitLab.

Installing the WhiteSource integration

First, let's go over how to install the WhiteSource integration. In this section, I will review how to set up GitLab service credentials, generate a WhiteSource configuration, build WhiteSource containers, and how to run them in a Kubernetes cluster.

Requirements for WhiteSource integration

But first, the WhiteSource integration requires that you have the following setup:

Create GitLab service credentials

The next step is to create GitLab service credentials. This can be accomplished in three simple steps:

Generate the WhiteSource configuration

Next, we generate the WhiteSource configuration, which is used to configure the WhiteSource integration containers. This can be done in a few simple steps:

whitesource webpage view WhiteSource mainpage

whitesource integration view WhiteSource integrations page

Build the WhiteSource containers

$ docker build -t wss-gls-app:19.12.2 whitesource/wss-gls-app/docker
$ docker push wss-gls-app:19.12.2

$ docker build -t wss-scanner:19.12.1.2 whitesource/wss-scanner/docker
$ docker push wss-scanner:19.12.1.2

$ docker build -t wss-remediate:19.12.2 whitesource/wss-remediate/docker
$ docker push wss-remediate:19.12.2

Running the WhiteSource containers

GitLab provides native Kubernetes cluster integration. This means that GitLab allows you to deploy software from GitLab CI/CD pipelines directly to your Kubernetes cluster.

WhiteSource containers can be deployed and managed within the same Kubernetes cluster used to deploy your application, all by running a simple Helm commands.

You can get the INGRESS_URL from your Kubernetes cluster settings

ingress url location Ingress URL location

ingress installation Installing Ingress

helm upgrade -f helm/whitesource/values.yaml --install whitesource-gitlab ./helm/whitesource

Using WhiteSource

Once the WhiteSource plugin has been installed we can add the @whitesource user to the repositories we wish to scan. A merge request (MR) with the .whitesource file will be generated automatically.

WhiteSource will now scan your repository and generate issues for all the vulnerabilities discovered on the main (master) branch. These issues will provide detailed information on the vulnerability as well as how to resolve it. Some issues can even be auto-remediated.

whitesource issue view WhiteSource vulnerability issues

Each time a new MR is pushed, a WhiteSource scan will run, and provide a detailed output.

whitesource merge request view WhiteSource MR scanning

Each link provided by WhiteSource shows detailed information on the vulnerabilities the scan detected:

whitesource web links WhiteSource vulnerability information

WhiteSource can be integrated into the GitLab Security Dashboard so that your security team can manage the status of these vulnerabilites. Access to the Security Dashboard requires a GitLab Ultimate account.

For integrating WhiteSource to the Security Dashboard, add the following to the CI.yaml:

whitesource-security-publisher:
  image: openjdk:8-jdk
  when: manual
  script:
    - curl "{{WEBHOOK_URL}}/securityReport?repoId=$CI_PROJECT_ID&repoName=$CI_PROJECT_NAME&ownerName=$CI_PROJECT_NAMESPACE&branchName=$CI_COMMIT_REF_NAME&defaultBranchName=$CI_DEFAULT_BRANCH&commitId=$CI_COMMIT_SHA" -o gl-dependency-scanning-report-ws.json
  artifacts:
    paths:
      - gl-dependency-scanning-report-ws.json
    reports:
      dependency_scanning:
        - gl-dependency-scanning-report-ws.json
    expire_in: 30 days

For more details on the integration checkout WhiteSource for GitLab. Learn more at DevSecOps and checkout the Secure direction page for more information on the upcoming features and integrations.

Learn more about application security at GitLab

Cover image by Alexandra Avelar on Unsplash

“How to secure your dependencies with GitLab and WhiteSource” – Fernando Diaz

Click to tweet

Open in Web IDE View source