feat(ci): implement comprehensive security scanning pipeline

🔒 Security Scanning Implementation

This MR adds comprehensive security scanning to the CI/CD pipeline to proactively identify and manage security vulnerabilities.

📋 Changes

Security Scanners Added

  • Dependency Scanning - Scans npm packages for known vulnerabilities
  • SAST (Static Application Security Testing) - Analyzes JavaScript code for security issues
  • Secret Detection - Detects exposed credentials, API keys, and tokens
  • Container Scanning - Scans Docker images for vulnerabilities

Pipeline Configuration

  • Created .gitlab-ci.yml with security scanning stages
  • Configured Docker image build for container scanning
  • Set up appropriate exclusion paths for scanners
  • Enabled security scanning on main branch and merge requests

🎯 What This Enables

Vulnerability Management

  • Security Dashboard: View all vulnerabilities at Project → Security & Compliance → Vulnerability Report
  • MR Security Widget: See new vulnerabilities introduced in each merge request
  • Dependency List: Track all project dependencies and their security status
  • Pipeline Security Tab: Review security scan results for each pipeline run

Automated Detection

  • Dependency vulnerabilities in npm packages (e.g., outdated Express, vulnerable libraries)
  • Code security issues (e.g., injection vulnerabilities, insecure patterns)
  • Exposed secrets (e.g., API keys, tokens, passwords)
  • Container vulnerabilities (e.g., outdated Alpine packages, Node.js CVEs)

🔍 How to Use

After Merge

  1. Pipeline runs automatically on every push and MR
  2. Check Security Dashboard: Project → Security & Compliance → Vulnerability Report
  3. Review findings in merge request security widget
  4. Triage vulnerabilities using GitLab's vulnerability management tools

Viewing Results

  • In Merge Requests: Security widget shows new vulnerabilities
  • In Pipelines: Security tab shows all scan results
  • In Security Dashboard: Comprehensive view of all vulnerabilities
  • In Dependency List: All dependencies with security status

📊 Scanner Details

Scanner             | Scans                           | Detects                     | Runs On
--------------------|---------------------------------|-----------------------------|---------------
Dependency Scanning | package.json, package-lock.json | npm package vulnerabilities | Every pipeline
SAST                | JavaScript files                | Code security issues        | Every pipeline
Secret Detection    | All repository files            | Exposed credentials         | Every pipeline
Container Scanning  | Docker images                   | Image vulnerabilities       | Every pipeline

⚙️ Configuration

Exclusion Paths

The following paths are excluded from scanning to reduce noise:

  • node_modules/ - Third-party dependencies
  • public/ - Built static files
  • docs/ - Documentation files

Scan Triggers

Security scans run on:

  • Main branch pushes
  • Merge request creation/updates
  • Manual pipeline triggers
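The pipeline described under Pipeline Configuration and in this Configuration section, written out as an added example. This is an assumed .gitlab-ci.yml, not the file committed in this MR: the template names and the SAST_EXCLUDED_PATHS, DS_EXCLUDED_PATHS, SECRET_DETECTION_EXCLUDED_PATHS and CS_IMAGE variables are GitLab's documented ones; the stage layout, the build-image job, the docker image tags and the Docker-in-Docker runner are my assumptions.

```yaml
# Assumed .gitlab-ci.yml for the pipeline this MR describes (added example, not
# the committed file). Default stages are build -> test -> deploy; the scanner
# templates place their jobs in the test stage.
stages:
  - build
  - test

# GitLab's managed scanner templates; each defines its own job and rules.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  # Exclusion paths from this MR, as comma-separated lists. Setting
  # SAST_EXCLUDED_PATHS replaces the template default (spec, test, tests, tmp)
  # rather than extending it, so add those back if you still want them skipped.
  SAST_EXCLUDED_PATHS: "node_modules, public, docs"
  DS_EXCLUDED_PATHS: "node_modules, public, docs"
  SECRET_DETECTION_EXCLUDED_PATHS: "node_modules, public, docs"
  # Point container_scanning at the image built in this pipeline.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Build and push the image in the build stage so container_scanning (test
# stage) can pull it from the project registry. Assumes a runner that can
# run Docker-in-Docker (assumed image tags).
build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  variables:
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    # Feed the password on stdin so it does not land in argv or the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

Two checks worth making before relying on this layout. First, the stable templates above run their jobs in branch pipelines, which attach to the open MR and feed the security widget; if the project uses merge request pipelines proper (pipelines whose source is `merge_request_event`), switch to the `.latest` variants of the same templates, whose rules cover that source. Second, read the rules of each included template on the tier the project actually has: the Dependency Scanning template is gated on `$GITLAB_FEATURES`, so on a project without that feature the job is silently skipped rather than failing, while the SAST, Secret Detection and Container Scanning jobs run regardless.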

🚀 Next Steps

After this MR is merged:

  1. Monitor first scan results in the Security Dashboard
  2. Review any findings and triage vulnerabilities
  3. Set up security policies (optional) for automated responses
  4. Configure notifications for new vulnerabilities (optional)

📚 Documentation

For more information:

Testing

  • Pipeline configuration validated
  • Security scanners configured correctly
  • Exclusion paths set appropriately
  • Docker build configured for container scanning

Note: This requires a GitLab Ultimate license for full vulnerability management features. The scanners will run on Premium/Free tiers, but vulnerability reporting and management tools require Ultimate.
