GitLab Pipelines
Enabling Boost advisor
The Boost advisor lets you work through your findings backlog more easily and quickly. With it, the AppSec team can initiate remediation of a finding directly from the Boost finding view.
The following describes how to set it up on Bitbucket SCM.
- Go to the boost repository.
- Edit the .gitlab-ci.yml to include the following:

```yaml
include:
  - remote: "https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml"

boost-scanner:
  rules:
    - if: ($CI_PIPELINE_SOURCE == "trigger" && $BOOST_JOB_NAME != "boost-advisor")
  stage: build
  extends:
    - .boost_scan
  variables:
    BOOST_API_ENDPOINT: https://api.boostsec.io
    BOOST_TRIGGER_ID: $BOOST_TRIGGER_ID
  script:
    - ${BOOST_EXE} scan trigger ${BOOST_CLI_ARGUMENTS:-}

boost-advisor:
  rules:
    - if: ($CI_PIPELINE_SOURCE == "trigger" && $BOOST_JOB_NAME == "boost-advisor")
  stage: build
  image: ubuntu:latest
  variables:
    BOOST_API_KEY: $BOOST_API_TOKEN
    BOOST_SCM_TOKEN: $BOOST_SCM_TOKEN
    BOOST_LLM_MODEL: $BOOST_LLM_MODEL
    BOOST_LLM_KEY: $BOOST_LLM_KEY
  before_script:
    - apt-get update -qq && apt-get install -y -qq --no-install-recommends curl ca-certificates
  script:
    - curl -sSL https://assets.build.boostsecurity.io/boost-advisor/get-boost-advisor | sh
    - echo "$BOOST_ADVISOR_PAYLOAD_B64" | base64 -d | /tmp/boost-advisor/latest -
```
Manual security scans
Scanning steps can be added to your GitLab pipeline. A scanning step can be added for example with:
```yaml
include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

boost-semgrep:
  stage: build
  extends:
    - .boost_scan
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"
```
Within this example, the include step loads the Boost Security template into the pipeline making certain extension points available via the extends statement. For instance, in the example above, the .boost_scan extension is loaded, which will install the Boost Security CLI, start docker-in-docker, apply specific rules, and then execute the scan.
The environment variable BOOST_API_TOKEN is required; it should be defined in your secrets and contain the API token created on the dashboard Settings page.
The variable BOOST_SCANNER_REGISTRY_MODULE specifies the scanner to execute from the module registry. Multiple scanners can be configured in the pipeline as required.
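As an added example (not from the Boost documentation or the scanner template), the pipeline below runs two of the scanner modules named in this guide from one shared local template. It generalises the single-job snippet above: the local template name `.boost_base`, the job names and the `rules` are this example's own choices; `.boost_scan` and `BOOST_SCANNER_REGISTRY_MODULE` come from the included Boost template, and `BOOST_API_TOKEN` is assumed to be a masked, protected CI/CD variable configured in the project settings rather than a value in the repository.

```yaml
# Added example: two Boost scanner modules sharing one local template.
# Assumed: BOOST_API_TOKEN is provided as a masked, protected CI/CD variable.
include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

# Local template (name chosen for this example) holding what every Boost
# scanning job shares. BOOST_API_TOKEN is deliberately not written here.
.boost_base:
  stage: build
  extends:
    - .boost_scan
  rules:
    # run on merge requests ...
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # ... and on pushes to the default branch
    - if: ($CI_PIPELINE_SOURCE == "push") && ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)

# SAST on merge requests and on the default branch (rules inherited as-is).
boost-semgrep:
  extends:
    - .boost_base
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"

# SBOM inventory only from the default branch: the inventory is not
# collected on merge requests, so the narrower rule avoids a no-op job.
boost-sbom:
  extends:
    - .boost_base
  rules:
    - if: ($CI_PIPELINE_SOURCE == "push") && ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-sbom"
```

Two GitLab `extends` behaviours make this work: keys that are hashes (such as `variables`) are merged with the template, while keys that are arrays (such as `rules`) are replaced outright, which is why `boost-sbom` can narrow its rules without touching the template. Keeping the API token out of the YAML and in a masked, protected variable means it is neither committed nor printed in job logs.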
GitLab Pipeline for source scanning
This configuration is appropriate for scanner modules for SAST scanning or SBOM inventory from source code.
Note
Even if the workflow is configured to run the SBOM scanner on pull requests, the SBOM scanner does not collect the component inventory on pull requests.
- Update your pipeline:
.gitlab-ci.yml:

```yaml
include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

boost-sast-scan:
  stage: build
  extends:
    - .boost_scan
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"

boost-sbom-scan:
  stage: build
  extends:
    - .boost_scan
  rules:
    # execute on pushes to the default branch
    - if: ($CI_PIPELINE_SOURCE == "push") && ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-sbom"
```
GitLab Pipeline for scanning generated artifacts
This configuration is appropriate for scanner modules that scan artifacts generated by the build process. For example, for scanner modules that generate an SBOM from a container image or scan it for vulnerabilities, the container image needs to be built first.
- Add the Boost Security scanner module-related stanza to your build workflow.
An example workflow configuration for container image scanning is provided below.

```yaml
include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

boost-sast-scan:
  stage: build
  extends:
    - .boost_scan
  script:
    - docker build . -t ${BOOST_IMAGE_NAME}
    - !reference [.boost_scan, script]
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-image"
    BOOST_IMAGE_NAME: acme-analytics
```