GitLab's CIS Benchmark scanner, gitlabcis, is now open source and available. The Python CLI tool audits a GitLab project against the Center for Internet Security (CIS) GitLab Benchmark, with the benchmark's recommendations expressed as controls as code in YAML.
In April, we introduced the CIS GitLab Benchmark to improve security and offer hardening recommendations to GitLab's customers. The benchmark is available for download from the CIS website.
In this article, you'll learn:
- How to install and use the gitlabcis scanner
- gitlabcis scanner details
- GitLab scanner and product roadmap
How to install and use the gitlabcis scanner
You can install the scanner from PyPI using pip, or download the source code from our releases page.
pip install gitlabcis
The scanner takes one positional argument (URL) followed by options. The format is: gitlabcis URL OPTIONS
# example: generate a json report
gitlabcis \
https://gitlab.example.com/path/to/project \
-o results.json \
-f json
The full command line options can be found in the documentation.
gitlabcis scanner details
The team extracted all of the recommendation controls from the CIS GitLab Benchmark and created them in YAML to be used as controls as code.
Each control has its own dedicated function to enhance readability. This also allows an individual to observe how the control performs its audit.
Additionally, certain control functions have limitations. We have identified each of these, which can be found in our limitations document.
Currently, the tool accepts only a project URL as input, and therefore observes configuration only at the project level. It does, however, support administrative controls.
- For example, the 1.1.2 - Code Tracing control attempts to audit "... any change to code can be traced back to its associated task".
- This can be achieved with crosslinking issues in merge requests.
- Merge requests can be found at a project level, group level, or even instance level.
- The scanner currently only checks at the project level.
- See our roadmap, which aims to address this functionality gap.
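To make the "controls as code" pattern and the 1.1.2 audit above concrete, here is an added example written for this article; it is not code from gitlabcis. A control is declared as data and names the audit function that implements it, and the only control is 1.1.2 (Code Tracing), checked at the project level: every merge request must reference at least one issue, either through an issue reference in its title or description or through the related-issues list the GitLab API now exposes. The control layout, the function names, the reference regex and the sample merge requests are all assumptions, not the gitlabcis schema.

```python
"""Added example (not gitlabcis's own code): a minimal "controls as code" runner
that audits CIS GitLab Benchmark control 1.1.2 (Code Tracing) at project level.
The control layout, function names, regex and sample data are assumptions."""
import json
import re
from dataclasses import dataclass, field
from typing import List

# YAML equivalent of the control below (assumed layout, not the gitlabcis schema):
#   "1.1.2":
#     title: Ensure any change to code can be traced back to its associated task
#     level: project
#     audit: audit_1_1_2_code_tracing
CONTROLS = {
    "1.1.2": {
        "title": "Ensure any change to code can be traced back to its associated task",
        "level": "project",
        "audit": "audit_1_1_2_code_tracing",
    },
}

# Issue references as GitLab renders them: "#17", "project#17", "group/project#17".
# The lookbehind stops fragments inside a word, path or URL (".../auth#42") from
# matching. This is a heuristic; the related_issues list from the API is authoritative.
ISSUE_REF = re.compile(r"(?<![\w/#.])(?:[\w.-]+(?:/[\w.-]+)*)?#(\d+)\b")


@dataclass
class MergeRequest:
    iid: int
    title: str
    description: str
    # Issue IIDs from GET /projects/:id/merge_requests/:iid/related_issues,
    # the endpoint the article says was added; assumed to be fetched beforehand.
    related_issues: List[int] = field(default_factory=list)


def audit_1_1_2_code_tracing(merge_requests):
    """Per-MR result: (iid, traceable, evidence). An MR is traceable when its
    text references an issue or the API reports a related issue."""
    findings = []
    for mr in merge_requests:
        text = f"{mr.title}\n{mr.description}"
        evidence = [m.group(0) for m in ISSUE_REF.finditer(text)]
        evidence += [f"related:#{iid}" for iid in mr.related_issues]
        findings.append((mr.iid, bool(evidence), evidence))
    return findings


AUDITS = {"audit_1_1_2_code_tracing": audit_1_1_2_code_tracing}


def run_controls(merge_requests, controls=CONTROLS):
    """Dispatch each control to its audit function. A control passes only if
    every MR is traceable, matching the benchmark's "any change" wording."""
    report = {}
    for control_id, spec in controls.items():
        findings = AUDITS[spec["audit"]](merge_requests)
        report[control_id] = {
            "title": spec["title"],
            "level": spec["level"],
            "status": "pass" if all(ok for _, ok, _ in findings) else "fail",
            "untraceable": [iid for iid, ok, _ in findings if not ok],
        }
    return report


def sample_merge_requests():
    """Constructed sample data standing in for one project's merge requests."""
    return [
        MergeRequest(1, "Mask CI job tokens in runner logs", "Closes #17."),
        MergeRequest(2, "Bump dependency versions", ""),  # no task link at all
        MergeRequest(3, "Refactor session handling",
                     "Context in gitlab-org/gitlab#4242.", related_issues=[4242]),
        # "#42" here is a URL fragment, not an issue, and must not count as evidence
        MergeRequest(4, "Fix docs link", "Docs moved to https://docs.example.com/auth#42"),
    ]


if __name__ == "__main__":
    # Mirrors the article's "-f json" output style for a single project
    print(json.dumps(run_controls(sample_merge_requests()), indent=2))
```

Because the audit only sees one project's merge requests, it has the same limitation the article describes: a merge request in another project of the same group that links the task is invisible to it. Extending the input to a group or instance, as the roadmap proposes, would mean gathering merge requests from every project underneath it before running the same audit function.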
Contribute to the gitlabcis scanner project.
GitLab scanner and product roadmap
The creation of the scanner allowed us to contribute two features back into the product with the help of the community.
- Show crosslinked/related issues in merge requests via the API
- Groups API: Add Restrict group access by Domain
We want to augment the scanner to accept an instance or a group as input. For example, if you host GitLab at gitlab.example.com, that hostname could be used as the input to check compliance with the CIS GitLab Benchmark at the instance level, and likewise for groups.
Additionally, certain controls can be set at the instance or group level and cascade down to the project level. Work is ongoing to include this functionality in the scanner. Check out the epic for more information.
One important aspect is incorporating this functionality into the GitLab product itself. The GitLab compliance team is working on incorporating the CIS GitLab Benchmark and other standards into the Compliance Adherence Report. This will give customers real-time compliance reviews of instances, groups, and projects against a wide set of standards, not just CIS.
Learn more about the CIS GitLab Benchmark in our public project.