How to action security vulnerabilities in GitLab Premium

Sam Morris, Noah Ing ·
Mar 13, 2023 · 4 min read

GitLab Premium features several security scanners you can leverage to detect vulnerabilities. However, when you incorporate the scanners into your project pipelines and the scanning job succeeds, you'll want feedback on whether you are introducing vulnerabilities into the codebase. This tutorial provides a mechanism to require a merge request approval if a scanner available on GitLab Premium finds a critical vulnerability.

While this tutorial shows how to add some process around actioning vulnerabilities, we have more robust, governed, and user-friendly functionality available in GitLab Ultimate called a Scan Result Policy. The solution outlined here does not seek to replace that functionality, but rather augment the scan results available in GitLab Premium. If you are an Ultimate user or if you want to compare the two experiences, then you should check out this video introduction instead.

Learn how to do the following:

  1. Set up a .gitlab-ci.yml
  2. Add in a vulnerability processing script
  3. Require approval if vulnerabilities are found

Prerequisites

Set up the .gitlab-ci.yml

This is how the GitLab CI pipeline of our test project looks visually. Below we will break down the individual stages.

Add the following to your .gitlab-ci.yml:

```yaml
# Pull in GitLab's Secret Detection template so the secret_detection job exists
include:
  - template: Security/Secret-Detection.gitlab-ci.yml

stages:
  - test            # the template's secret_detection job runs here
  - process_vulns   # custom stage; it must be declared or the pipeline is rejected

# Extend the template's job so the JSON report is kept as a regular artifact
# that the next stage can download
secret_detection:
  artifacts:
    paths:
      - gl-secret-detection-report.json

process_secret_detection:
  image: python:3.7-alpine3.9
  stage: process_vulns
  needs:
    - job: secret_detection
      artifacts: true
  before_script:
    - pip install python-gitlab
  script:
    - python3 process_vulns.py gl-secret-detection-report.json $PROJECT_ACCESS_TOKEN $CI_PROJECT_ID $CI_COMMIT_SHA
```

A breakdown of what is going on above:

Create a project access token

To create a project access token:

  1. On the top bar, select Main menu > Projects and find your project.
  2. On the left sidebar, select Settings > Access Tokens.
  3. Enter a name. The token name is visible to any user with permissions to view the project.
  4. Optional. Enter an expiry date for the token. The token expires on that date at midnight UTC. An instance-wide maximum lifetime setting can limit the maximum allowable lifetime in self-managed instances.
  5. Select a role for the token.
  6. Select the desired scopes.
  7. Select Create project access token.
  8. Add the newly created project access token to your project's CI/CD variables under the name PROJECT_ACCESS_TOKEN (the variable the script line in the pipeline expects), and mark it as masked so it is not printed in job logs.

Add in the vulnerability processing script

[The process_vulns.py script can be found here.](https://gitlab.com/gl-demo-premium-smorris/secure-premium-app/-/blob/main/process_vulns.py) Copy that file into your project.

The goal of this script is to require approval from an author (or group of authors) if a critical vulnerability is found.

Note: You will need to change the user ID in the process_vulns.py to match the user ID of your designated Approver at your organization.

The following is a breakdown of what the script is doing:
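As an added illustration (this is not the process_vulns.py linked above, and its names are assumptions), here is a script with the same command-line contract the pipeline uses: report path, project access token, project ID and commit SHA. It parses the gl-secret-detection-report.json artifact, keeps only findings at the severities that should block an unreviewed merge, and then uses python-gitlab to add a one-person approval rule to every open merge request that contains the commit. APPROVER_USER_ID, GITLAB_URL and the constructed SAMPLE_REPORT are placeholders; replace the first two for your own instance, as the note above says.

```python
"""Require an approver on a merge request when a critical secret is detected.

Usage mirrors the pipeline's script line:
    python3 gate_on_critical.py gl-secret-detection-report.json TOKEN PROJECT_ID COMMIT_SHA
"""
import json
import sys

# Hypothetical values; set them for your own project (the post says to change the approver ID).
APPROVER_USER_ID = 12345
GITLAB_URL = "https://gitlab.com"  # assumption: point this at your self-managed instance if needed

# Severities that should force a human sign-off before merging.
SEVERITIES_REQUIRING_APPROVAL = {"Critical"}

# Constructed sample in the shape of a GitLab secret detection report; not real output.
SAMPLE_REPORT = {
    "version": "15.0.4",
    "vulnerabilities": [
        {
            "id": "constructed-1",
            "category": "secret_detection",
            "name": "AWS Access Key",
            "severity": "Critical",
            "location": {"file": "config/settings.py", "start_line": 14, "end_line": 14},
        },
        {
            "id": "constructed-2",
            "category": "secret_detection",
            "name": "Generic API Key",
            "severity": "High",
            "location": {"file": "scripts/deploy.sh", "start_line": 3, "end_line": 3},
        },
    ],
}


def load_report(path):
    """Read the JSON artifact produced by the secret_detection job."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def findings_requiring_approval(report, severities=SEVERITIES_REQUIRING_APPROVAL):
    """Return the vulnerabilities whose severity is in `severities`.

    Matching is case-insensitive because scanners are not uniform about casing,
    and a finding with no severity field is treated as "Unknown" rather than dropped silently.
    """
    wanted = {s.lower() for s in severities}
    return [
        v for v in report.get("vulnerabilities", [])
        if str(v.get("severity", "Unknown")).lower() in wanted
    ]


def summarize(findings):
    """Job-log lines naming the finding and its location; the secret value itself is never echoed."""
    lines = []
    for v in findings:
        loc = v.get("location", {})
        lines.append(f"{v.get('severity')}: {v.get('name')} at {loc.get('file')}:{loc.get('start_line')}")
    return lines


def require_approval(token, project_id, commit_sha, approver_id=APPROVER_USER_ID, url=GITLAB_URL):
    """Add an approval rule to every open MR containing commit_sha; returns the MR iids touched."""
    import gitlab  # python-gitlab, installed by the job's before_script; deferred so parsing works offline

    gl = gitlab.Gitlab(url, private_token=token)
    project = gl.projects.get(project_id)
    touched = []
    for mr_ref in project.commits.get(commit_sha).merge_requests():
        if mr_ref.get("state") != "opened":
            continue
        mr = project.mergerequests.get(mr_ref["iid"])
        mr.approval_rules.create({
            "name": "Critical vulnerability sign-off",
            "approvals_required": 1,
            "user_ids": [approver_id],
        })
        touched.append(mr.iid)
    return touched


def main(argv):
    if len(argv) != 5:
        print(__doc__)
        return 2
    report_path, token, project_id, commit_sha = argv[1:]
    findings = findings_requiring_approval(load_report(report_path))
    if not findings:
        print("No critical findings; no approval rule added.")
        return 0
    print("\n".join(summarize(findings)))
    touched = require_approval(token, project_id, commit_sha)
    print(f"Approval from user {APPROVER_USER_ID} now required on MR(s): {touched or 'none open'}")
    return 0  # the job itself still passes; the gate is the approval rule, not a failed pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The job exits 0 whether or not findings exist, which matches the post's approach: the pipeline stays green and the merge request is blocked by the approval rule rather than by a red job. Widening SEVERITIES_REQUIRING_APPROVAL to include "High" is a one-line change if your policy calls for it.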

Run the pipeline and voila! Your pipeline now requires approvers if a critical vulnerability is found!

Demo

Watch a video demonstration of how to action security vulnerabilities in GitLab Premium, presented by Sam Morris:

Caveats

References

Cover image by Christopher Burns on Unsplash.
