#3 Parsing the Results

Take a look at the results of our pipeline running for the merge request, then merge the code to generate the security reports.

Theme

Following our shift-left trend, we will see how security results are included at each step of the deployment cycle.

  • Step 1: Merge Request Security Results

    • Use the left-hand navigation menu to click back into Merge requests, then click the merge request we created earlier.
    • Right below the approvals section we can see that the Code Quality, License Compliance, and Security scanning templates we included have generated full security reports unique to this branch for us to view. These reports are generated with each commit, so we always know if we have introduced a new bug before it's deployed and disaster strikes.
    • Go ahead and take some time to expand each report and look through the results, then in the Security scanning section click on any of the critical/high vulnerabilities.
    • From this view we can see exactly where it occurred in the code and read up on why it's a risk. After taking a look at this we can click the comment icon at the bottom to state that we checked it out and are not worried, then click Add comment & dismiss.
    • Next we will want to scroll down and merge our code. At the bottom of the request click Merge to kick off our pipeline.
    • Once merged, use the left-hand navigation menu to click through CI/CD > Pipelines and click into the most recently started pipeline. At this point you will take a quick break until the pipeline completes.
  • Step 2: Security Dashboard & Vulnerability Report

    • Now that your main pipeline has completed, the reports under Security & Compliance have been generated. These reports are only generated when a pipeline runs against main.
    • Use the left-hand navigation menu to click through Security & Compliance -> Security Dashboard. This brings up a dashboard view of all security vulnerabilities and their counts over time, so you can track your work as you secure your project. This dashboard takes a long time to collect data, so if yours still has no results, check out gitlab.com's security dashboard here.
    • We have already seen how to view the vulnerabilities in the pipeline view, but now let's use the left-hand navigation menu and click through Security & Compliance -> Vulnerability Report to view the full report.
    • We are back at the Vulnerability Report where we want to click into any of the critical vulnerabilities present.
    • Here we get more details on where the flaw may have occurred and how to create a new bug issue to get this quickly resolved.
  • Step 3: Preventive Security Policies

    • To prevent this from ever happening in the future we can set up a new policy that runs on all future merge requests. For our use case, leaked tokens are easy mistakes that can lead to massive problems, so we will create a quick policy to stop that. Use the left-hand navigation menu to click through Security & Compliance > Policies and then click New policy. On the resulting page click Select policy under Scan result policy.
    • Add a name to the policy, then under the Rules section change Select scan type to Security Scan. Next change All scanners to just Secret Detection, Select severity levels to Select all, Select vulnerability states to Newly detected, and lastly All branches to main.
    • Then under Actions add yourself as the required approver and click Configure with a merge request. On the resulting merge request click Merge and you will be brought to your new policy project, which is applied to our workshop application. If you were to create another merge request with the leaked token still in the code base, merging would be prevented until it was removed or you added your approval.
    • Before we move on, let's go back to our project. Use the breadcrumbs at the top of the screen to click into your group, then once again click into your project.
  • Step 4: Take Action on Our Vulnerabilities

    • Now that we have a protective policy in place, let's ensure it works by removing the secrets currently in the code base. From the main page of our project, click Web IDE.
    • Click into the run.py file and add our fake token aws_key_id = "AKIAIOSF0DNN7EXAMPLE" before line 4. Once added, click the source control button on the left-hand side, add a quick commit message, then click Commit & Push.
    • In the resulting drop-down click Yes to open a new branch, then press the Enter key. A new popup will appear where we want to click Create MR.
    • Scroll to the bottom, uncheck Delete source branch when merge request is accepted, and click Create merge request.
    • On the resulting MR, wait for it to complete, then notice that our policy is not requiring a review. If time permits we can go ahead and merge our new fix.
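The Step 3 policy, written out as the YAML that GitLab keeps in the policy project's .gitlab/security-policies/policy.yml. This is an added example matching the settings chosen in the UI, not the file the workshop generates; the approver username your-username is a placeholder.

```yaml
# Added example: a scan result policy matching the Step 3 settings,
# not the workshop's own generated file. GitLab edits this file when you
# save a policy under Security & Compliance > Policies.
scan_result_policy:
  - name: Block newly leaked secrets
    description: Require approval when Secret Detection finds a new leak on a merge request targeting main
    enabled: true
    rules:
      # Select scan type: Security Scan
      - type: scan_finding
        # All branches -> main (the target branch of the merge request)
        branches:
          - main
        # All scanners -> just Secret Detection
        scanners:
          - secret_detection
        # Any matching finding at all triggers the approval requirement
        vulnerabilities_allowed: 0
        # Select severity levels -> Select all
        severity_levels:
          - critical
          - high
          - medium
          - low
          - info
          - unknown
        # Select vulnerability states -> Newly detected
        vulnerability_states:
          - newly_detected
    actions:
      # Add yourself as the required approver (placeholder username)
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - your-username
```

Because vulnerability_states is limited to newly_detected, findings that already exist on main do not block every merge request; only a leak introduced by the branch itself requires the extra approval.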
Edited by Logan Stucker