Skip to main content

GitLab CI

Out-of-the-box, DerScanner supports a webhook integration with GitLab, that will be sufficient to launch scans on conditions (learn more in VCS Hostings).

If you want to build DerScanner into your GitLab CI to serve as a Quality Gate, it requires a more thorough setup through scripting. Script examples can be found in the distribution package.

Example of configuration using API

In the scope of a test pipeline (gitlab-api.zip), the project is scanned by the SAST, DAST, and SCA modules.

Stages:

  • build — project build
  • test — running unit tests
  • deploy — deployment to the target environment
  • run — deployment and launch for DAST analysis
  • SAST — SAST analysis
  • DAST — DAST analysis
  • SCA — SCA analysis

Module’s jobs:

  • SAST:start_scan — initiate SAST scanning
  • DAST:create_project — create DAST project
  • DAST:start_scan — initiate DAST scanning
  • SCA:create_project — create SCA project
  • SCA:create_sbom — generate SBOM file
  • SCA:start_scan_sbom — initiate SCA scanning with an SBOM file
  • SCA:start_scan_archive — initiate SCA scanning with an archive

Common jobs:

  • status_scan — check scan status with a job timeout limitation
  • check_rate_scan — verify scan results against specified conditions
  • get_summary — generate a scan summary
  • report — generate reports in PDF and CSV formats

User-editable variables::

  • API_V1_URL — REST URL of the application, e.g.: http://10.0.2.6/app/api/v1
  • TOKEN — authentication token
  • LANGUAGES — scan languages for SAST analysis
  • TARGET_URL — application URL for DAST analysis
  • SCA_SCAN_TYPE — SCA scan type selection: archive or sbom
  • MIN_RATING_SAST — minimum score for SAST
  • MIN_RATING_DAST — minimum score for DAST
  • MIN_RATING_SCA — minimum score for SCA
  • MAX_CRIT_SAST — maximum allowed number of critical vulnerabilities in the code for SAST
  • MAX_CRIT_DAST — maximum allowed number of critical vulnerabilities in the code for DAST
  • MAX_CRIT_SCA — maximum allowed number of critical vulnerabilities in for SCA

Please notice: sensitive variables must be stored either in specialized services or in the project/group's hidden variables.

Remarks:

To run SCA scan using an archive or an SBOM file, you need to specify the value of the SCA_SCAN_TYPE variable as sbom or archive.

To run all DAST scans (similarly for SCA) within a single project, remove DAST:create_project and set the following global variables:

  • DAST_PROJECT_ID
  • DAST_PROJECT_UUID

For SAST, only SAST_PROJECT_UUID needs to be set. Values for PROJECT_ID and PROJECT_UUID for each module can be obtained via the API or the interface after the first scan or after creating an empty project.

Example of configuration using CLT

In the scope of a test pipeline (gitlab-clt.zip), the project is scanned by the SAST, DAST, and SCA modules.

Stages:

  • build — project build
  • test — running unit tests
  • deploy — deployment to the target environment
  • run — deployment and launch for DAST analysis
  • SAST — SAST analysis
  • DAST — DAST analysis
  • SCA — SCA analysis

Module’s jobs:

  • SAST:start_scan — initiate SAST scanning
  • DAST:create_project — create DAST project
  • DAST:start_scan — initiate DAST scanning
  • SCA:create_project — create SCA project
  • SCA:create_sbom — generate SBOM file
  • SCA:start_scan_sbom — initiate SCA scanning with an SBOM file
  • SCA:start_scan_archive — initiate SCA scanning with an archive

Common jobs:

  • status_scan — check scan status with a job timeout limitation
  • check_rate_scan — verify scan results against specified conditions
  • report — generate reports in PDF and CSV formats

User-editable variables::

  • API_V1_URL — REST URL of the application, e.g.: http://10.0.2.6/app/api/v1
  • TOKEN — authentication token
  • CLT_URL — URL for clt.jar
  • LANGUAGES — scan languages for SAST analysis
  • TARGET_URL — application URL for DAST analysis
  • SCA_SCAN_TYPE — SCA scan type selection: archive or sbom
  • MIN_RATING_SAST — minimum score for SAST
  • MIN_RATING_DAST — minimum score for DAST
  • MIN_RATING_SCA — minimum score for SCA

Please notice: sensitive variables must be stored either in specialized services or in the project/group's hidden variables.

Remarks:

To run SCA scan using an archive or an SBOM file, you need to specify the value of the SCA_SCAN_TYPE variable as sbom or archive.

To run all DAST scans (similarly for SCA) within a single project, remove DAST:create_project and set the following global variables:

  • DAST_PROJECT_ID
  • DAST_PROJECT_UUID

For SAST scan, you need to add the -uuid ${SAST_PROJECT_UUID} for CLT to SAST:start_scan variable. Values for PROJECT_ID and PROJECT_UUID for each module can be obtained via the CLT, API or the interface after the first scan or after creating an empty project.