Security/Application Security Pipeline

Purpose
This document provides guidance on how to implement security into the CI/CD pipeline, leveraging both GitLab's integrated tools and custom tools provided and developed by the Security Team.

In an effort to improve application security testing, our goal has been to “shift left” to remove more vulnerabilities earlier. The idea is to empower the developers to find and fix vulnerabilities earlier in the software development lifecycle, when changes are less costly and more timely.

With security embedded into the development workflow, developers can get feedback on the security of their code as they are working, they can remediate in real time, and free up the security team’s time to focus on monitoring issues, assessing risk, and solving vulnerabilities that can’t be fixed by the developer. By continuously testing even small, incremental code changes, an avalanche of work is avoided at the end of the SDLC.

Static Application Security Testing (SAST)
GitLab CI/CD lets you run Static Application Security Testing (SAST) to check your source code for known vulnerability patterns. If the pipeline is associated with a merge request, the SAST results are compared with the results of the target branch's analysis (if available), and the difference is shown in the merge request. If the pipeline runs on the default branch, the results of the SAST analysis are available under Menu > Project > CI/CD > Pipelines.

How to configure SAST
To enable and configure SAST with default settings:
 * 1) On the top bar, select Menu > Projects and find your project.
 * 2) On the left sidebar, select Security & Compliance > Configuration.
 * 3) In the SAST section, select.
 * 4) Review the draft MR that enables SAST with the default recommended settings in the   file.
 * 5) Merge the MR to enable SAST. You should see SAST jobs run in that MR’s pipeline.
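The following is an added example of what the CI configuration produced by the steps above typically looks like once the draft MR is merged; it is not taken from this page or from a specific project. It assumes the standard GitLab SAST template (Security/SAST.gitlab-ci.yml) and the documented SAST_EXCLUDED_PATHS and SAST_EXCLUDED_ANALYZERS variables; the excluded directory names and the excluded analyzer are placeholders chosen for illustration.

```yaml
# Project pipeline configuration (GitLab reads this from .gitlab-ci.yml).
# Added example, not the page's own configuration.

stages:
  - build
  - test   # the SAST template schedules its analyzer jobs in the "test" stage

include:
  # Pull in GitLab's maintained SAST jobs; the template auto-detects the
  # languages in the repository and runs the matching analyzers.
  - template: Security/SAST.gitlab-ci.yml

variables:
  # Keep findings actionable by skipping vendored code and test fixtures
  # (comma-separated paths; values here are illustrative placeholders).
  SAST_EXCLUDED_PATHS: "vendor, node_modules, spec, test, tests"
  # Optionally disable an analyzer that is covered elsewhere in the pipeline
  # (analyzer name used here is an example).
  SAST_EXCLUDED_ANALYZERS: "eslint"
```

Because the template defines the jobs, a merge request that touches code in a detected language runs the relevant analyzers automatically, and the MR widget shows only findings that are new relative to the target branch. Narrowing SAST_EXCLUDED_PATHS too aggressively hides real findings, so review any exclusion in the same MR that introduces it.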

Use Cases

 * Allows security flaws to be fixed early, when less expensive, removes context-switching, and minimizes risk by preventing vulnerabilities from reaching production.
 * Reduces security and compliance risks.
 * Your code has a potentially dangerous attribute in a class, or unsafe code that can lead to unintended code execution.

Multi-project support
GitLab's integrated SAST tools can scan repositories that contain multiple projects.

The following analyzers have multi-project support:

 * Bandit
 * ESLint
 * Gosec
 * Kubesec
 * NodeJsScan
 * MobSF
 * PMD
 * Security Code Scan
 * Semgrep
 * SpotBugs
 * Sobelow

Known Guides and Documentation

 * Configure SAST in the UI with default settings