Skip to content

Integrate GitLab with BoostSecurity

BoostSecurity lets you connect your GitLab instance to scan repositories, provision security scanners onto the repositories, and merge commits for security issues.

Prerequisites

To integrate GitLab into BoostSecurity, you will need the following:

  • Create a GitLab access token with the api scope selected. This access token can be:

    In all cases, the token must have the api scope enabled.

    • It is advised that a protected, non-human GitLab account (such as a service account or bot user) be used to generate the token. Using a token tied to an individual's personal account increases the risk of the integration breaking if that user is offboarded or removed due to internal changes.

    • The entity associated with the token (whether personal, group, or service account) must have Owner permissions for the repositories within the GitLab groups being ingested into Boost.

  • Create a boost repository within your organization's SCM, which should contain a README.md file. To do this, go to your GitLab organization where you installed BoostSecurity and create a new boost project that contains a Readme file.

    GitLab Boost Repo

    • Ensure that at least boost repository owners can define pipeline variables. That is in GitLab Settings --> CI/CD --> Variables set the minimal role to use pipeline variables to the owner role.

    GitLab Define Pipeline Variable

1. Connect GitLab to BoostSecurity

To install the BoostSecurity integration for GitLab:

  1. Navigate to the Integrations page.

  2. Select the GitLab integration from the Available section and select the Install button.

    Select GitLab

  3. A window directs to providing the Access Token to GitLab. Provide the Access Token with the api scope selected and select Next.

    Installation

  4. Select the Group in GitLab: Once the Access Token is provided, the GitLab Group, which enables the integration, needs to be selected from the menu.

    Group

  5. Select Complete.

Once the installation is completed, the BoostSecurity GitLab card is added to the Settings > Integrations > Installed section. At this point, BoostSecurity integration is enabled for your GitLab group. Note that the steps can be repeated to allow integration with additional GitLab groups.

2. Zero Touch Provisioning for GitLab

  1. Go to the Integrations page, select your GitLab integration and click on the configuration tab.

  2. On the ZTP column, you will notice that the status is set to Not Set. Click on the menu next to the status and select Enable.

    GitLab Enable ZTP

  3. The ZTP wizard configures your GitLab organization's boost repository, where the GitLab pipeline definition (.gitlab-ci.yml) is located.

    Configure boost repo

  4. Select the boost repository on your organization from the dropdown as shown above and click the Next button.

  5. Authorize the BoostSecurity.io CI provisioning on all organizations. Click on the Authorize button at the bottom of the page.

    Authorize

  6. The pipeline configuration is complete following a successful CI pipeline setup!

    Note

    By clicking the Enable Boost Recommended Scanners button, Boost will provision multiple scanners for every repository it has access to. These scanners will then request new scans to be conducted for each of those repositories. Please note that this process would have a financial impact on your services, so ensure that this is the correct course of action before proceeding.

    If you are connecting to a large collection of repos, you may want to enable scanning in a more targeted manner.

Zero Touch Provisioning is now enabled!!!

3. Default Scanner Protection

After successfully integrating into your GitLab organization, enabling the BoostSecurity scanner is recommended.

To do this,

  1. Navigate to the Scanner Coverage page and select the Default Scanner Protection column for your GitLab integration.

  2. Toggle SBOM, SAST, SCA, or Secrets to enable the BoostSecurity Scanner default protection on your GitLab resource..

    Enable CI/CD Scanner

Edit an installed BoostSecurity GitLab Integration

In the event an adjustment needs to be made to an installed GitLab Integration, the following instructions are provided:

  1. Navigate to the Integrations page.

  2. Click on the GitLab Integration Card underneath the Installed section.

    GitLab Installed Integration Card

  3. Click the Configuration tab.

    GitLab Installed Integration Card Drawer Overview

  4. Click the pencil icon associated with the GitLab Integration you wish to edit.

    GitLab Installed Integration Card Drawer Configuration

  5. Provide an Access Token that has the api scope and click Update.

    GitLab Installed Integration Card Drawer Configuration