Scan GitLab and Runner configs for security issues in IaC Scanning
Release notes
Problem to solve
The Static Analysis group is getting ready to release an MVC which provides coverage for IaC tools. This MVC will provide support for the most common tools we think of when it comes to IaC: Terraform, Ansible, CloudFormation, etc. However, GitLab itself can also be thought of as an IaC tool.
Proposal
We should consider SAST support for GitLab CI and the Runner. These resources are configured via YAML and TOML files, which are formats already used by tools supported by the scanner we have chosen, KICS. It would be neat to provide rules specific to GitLab configurations.
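As an added illustration of the kind of GitLab-specific rule this proposal describes (example code written for this issue, not KICS's or GitLab's own; the rule set is an assumption about what such a pack would check first), here is a table-aware scan of a Runner config.toml that flags a privileged Docker executor and a mounted host Docker socket:

```python
import re

# Constructed GitLab Runner config.toml with two settings a GitLab-specific
# rule pack would flag: privileged Docker executor, host Docker socket mounted.
SAMPLE_CONFIG_TOML = """\
concurrent = 4

[[runners]]
  name = "build-runner"
  url = "https://gitlab.example.com/"
  executor = "docker"
  [runners.docker]
    image = "alpine:3.19"
    privileged = true
    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]

[[runners]]
  name = "docs-runner"
  executor = "shell"
"""

# Hypothetical rules (an assumption, not KICS's own queries): TOML table path,
# key, predicate over the raw value, and the finding message.
RULES = [
    ("runners.docker", "privileged", lambda v: v == "true",
     "Docker executor runs jobs in privileged containers"),
    ("runners.docker", "volumes", lambda v: "docker.sock" in v,
     "Host Docker socket is mounted into jobs"),
    ("runners.kubernetes", "privileged", lambda v: v == "true",
     "Kubernetes executor runs jobs in privileged pods"),
]

_TABLE = re.compile(r"^\s*\[\[?\s*([A-Za-z0-9_.-]+)\s*\]\]?\s*$")
_PAIR = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.+?)\s*$")

def iter_toml_pairs(text):
    """Yield (line_no, table, key, value) for the flat TOML subset config.toml
    uses; inline tables and '#' inside quoted strings are not handled."""
    table = ""
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0]          # drop trailing comments
        if m := _TABLE.match(line):           # [table] or [[array-of-tables]]
            table = m.group(1)
        elif m := _PAIR.match(line):
            yield line_no, table, m.group(1), m.group(2).strip("\"'")

def scan_runner_config(text):
    """Return findings as (line_no, table, key, message) in file order."""
    return [(n, t, k, msg) for n, t, k, v in iter_toml_pairs(text)
            for rt, rk, is_bad, msg in RULES if (t, k) == (rt, rk) and is_bad(v)]
```

Matching on the enclosing table path is what makes the rule GitLab-aware: the same `privileged` key is harmless elsewhere, so a flat grep would both miss and over-report.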
Intended Users
- Cameron (Compliance Manager)
- Delaney (Development Team Lead)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
- Allison (Application Ops)
Metrics