GitLab Pipelines


Scanning steps can be added to your GitLab pipeline. For example, a scanning step can be added with:

include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

boost-semgrep:
  stage: build
  extends:
    - .boost_scan
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"

In this example, the include statement loads the BoostSecurity template into the pipeline, making its extension points available through the extends keyword. Here the job extends .boost_scan, which installs the BoostSecurity CLI, starts docker-in-docker, applies the scanner's specific rules, and then executes the scan.

The environment variable BOOST_API_TOKEN is required. Define it as a secret in your CI/CD variables rather than in the pipeline file, and set it to the API token created on the dashboard Settings page.

The variable BOOST_SCANNER_REGISTRY_MODULE selects the scanner to execute from the module registry. Multiple scanners can be configured in the same pipeline as required, each as its own job.


GitLab Pipeline for source scanning


This configuration is appropriate for scanner modules for SAST scanning or SBOM inventory from source code.

Note

Even if the workflow is configured to run the SBOM scanner on pull requests (merge requests, in GitLab terms), the SBOM scanner does not collect the component inventory on pull requests.

  • Update your pipeline (.gitlab-ci.yml):

include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

boost-sast-scan:
  stage: build
  extends:
    - .boost_scan
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"

boost-sbom-scan:
  stage: build
  extends:
    - .boost_scan
  rules:
    # execute on pushes to the default branch
    - if: ($CI_PIPELINE_SOURCE == "push") && ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-sbom"

GitLab Pipeline for scanning generated artifacts


This configuration is appropriate for scanner modules that scan artifacts generated by the build process. For example, scanner modules that generate an SBOM from a container image, or scan that image for vulnerabilities, need the image to be built first.

  • Add the BoostSecurity scanner-module stanza to your build workflow.

An example pipeline configuration for container image scanning is provided below. The job overrides script so that the image is built first, then uses !reference to pull in the script from .boost_scan so the scan still runs after the build.

include:
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

boost-sast-scan:
  stage: build
  extends:
    - .boost_scan
  script:
    - docker build . -t ${BOOST_IMAGE_NAME}
    - !reference [.boost_scan, script]
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-image"
    BOOST_IMAGE_NAME: acme-analytics
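The two points above that most often go wrong in practice are keeping BOOST_API_TOKEN out of the pipeline file and keeping the .boost_scan script when a job overrides script. The following lint is an added example written for this page, not part of the BoostSecurity template or CLI. It is in Ruby only because Ruby's standard library ships a YAML parser, so it runs with no extra dependencies. The sample .gitlab-ci.yml it checks is constructed from the examples on this page with two deliberate mistakes (a hardcoded token and a dropped !reference) so the checks have something to report; the job names, the reserved-keyword list and the "mutable ref" heuristic are the example's own assumptions.

```ruby
require 'yaml'

# Constructed sample .gitlab-ci.yml modelled on the examples on this page; it is
# not the project's own file. boost-image-scan deliberately hardcodes
# BOOST_API_TOKEN and boost-image-scan-broken deliberately omits the
# !reference line, so the checks below have findings to report.
SAMPLE_PIPELINE = <<~YAML
  include:
    - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'

  boost-sast-scan:
    stage: build
    extends:
      - .boost_scan
    variables:
      BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/semgrep"

  boost-image-scan:
    stage: build
    extends:
      - .boost_scan
    script:
      - docker build . -t ${BOOST_IMAGE_NAME}
      - !reference [.boost_scan, script]
    variables:
      BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-image"
      BOOST_IMAGE_NAME: acme-analytics
      BOOST_API_TOKEN: "constructed-placeholder-token"

  boost-image-scan-broken:
    stage: build
    extends:
      - .boost_scan
    script:
      - docker build . -t acme-analytics
    variables:
      BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/trivy-image"
YAML

# Top-level keywords GitLab reserves for global configuration (assumed list);
# every other top-level mapping whose name does not start with '.' is a job.
GLOBAL_KEYWORDS = %w[default include stages variables workflow].freeze
# Branch names commonly used in remote include URLs; a heuristic, not a GitLab rule.
MUTABLE_REFS = %w[main master].freeze

def jobs_in(config)
  config.reject do |name, body|
    GLOBAL_KEYWORDS.include?(name) || name.start_with?('.') || !body.is_a?(Hash)
  end
end

# Returns an array of human-readable findings for one pipeline file.
def lint_pipeline(yaml_text)
  config   = YAML.safe_load(yaml_text)
  findings = []

  # A remote include is fetched when the pipeline starts; a branch name in the
  # URL means the template can change under you. Pinning to a commit removes that.
  Array(config['include']).each do |inc|
    url = inc.is_a?(Hash) ? inc['remote'] : nil
    next unless url
    ref = url.split('/').find { |segment| MUTABLE_REFS.include?(segment) }
    findings << "include: remote template fetched from mutable ref '#{ref}'; pin the URL to a commit" if ref
  end

  # The API token belongs in masked CI/CD variables, never in the repository.
  if (config['variables'] || {}).key?('BOOST_API_TOKEN')
    findings << 'variables: BOOST_API_TOKEN hardcoded at top level; move it to a masked CI/CD variable'
  end

  jobs_in(config).each do |name, job|
    vars    = job['variables'] || {}
    extends = Array(job['extends'])

    if vars.key?('BOOST_API_TOKEN')
      findings << "#{name}: BOOST_API_TOKEN hardcoded in job variables; move it to a masked CI/CD variable"
    end

    if vars.key?('BOOST_SCANNER_REGISTRY_MODULE') && !extends.include?('.boost_scan')
      findings << "#{name}: sets BOOST_SCANNER_REGISTRY_MODULE but does not extend .boost_scan, so nothing runs the scan"
    end

    # Psych keeps the sequence behind `!reference [.boost_scan, script]` but drops
    # the tag, so the entry surfaces as the plain array ['.boost_scan', 'script'].
    if extends.include?('.boost_scan') && job.key?('script') &&
       !Array(job['script']).include?(['.boost_scan', 'script'])
      findings << "#{name}: overrides script without `!reference [.boost_scan, script]`, so the scan step is lost"
    end
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  lint_pipeline(SAMPLE_PIPELINE).each { |finding| puts finding }
end
```

Run against a real .gitlab-ci.yml by passing File.read of the file to lint_pipeline. The remote-include check is a heuristic on the URL path; what it flags is that the template is resolved from a branch at pipeline time, which is the same supply-chain consideration as an unpinned container image.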