Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Security Department / 12 Jun 2021
GitLab / Security Department / 12 Jun 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: June update on the GitLab Inventory Builder

Description

Philippe Lafoucrière, Engineer in the Security Department, introduces the GitLab Inventory Build, and the current progress on the project.


Links:

- GitLab Inventory Builder: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/gib
- Example inventory: https://gitlab.com/gitlab-com/gl-security/engineering-and-research/inventory-example
- OKR: https://gitlab.com/groups/gitlab-com/gl-security/-/epics/106
- Issue to share your ideas: https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/162
- Categories MR: https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/83315/

A

Hi, I'm philipp security engineer at gitlab and today we're going to talk about my okr, the github inventory builder.

A

This is something that I started at the beginning of the quarter, so the project is kind of brand new, but I already got a lot of questions from various team members inside the security department and outside of the security department. So I'm trying to answer all these questions in this video. So why did we create this inventory in the first place?

A

Let me show my screen real, quick.

A

So if we take, for example, the gitlab project uh that we all know uh who sit under our gitlab org slash git lab, if we want to see all the dependencies of this project, we have this dependency list page here. uh The dependency list is using the dependency scanning feature and relies on the pipeline running on this project. The problem here is, if I want to know exactly what are the dependencies running, I have to browse 180 pages and there is no search in there.

A

There is no way to search for a very specific dependency, so imagine that at the scale of gitlab, where we have thousands of projects involved in the build of gitlab itself and shipping github itself, it's rather impossible to figure out if we are using a very specific dependency and a very specific version of that dependency.

A

So we started from this problem and I got this other problem a few months ago, where we discovered the cv on the very specific version of go, and I was not able to very easily figure out where this go version was used and if it was used how it was used in which context.

A

So it took me approximately five to six months to get rid of this uh of this problem, and I had to ask around pretty much every single team if they were using uh disco version and we discovered that we are using actually go 115 at that time. In all of these projects, I had to do this work manually, and that was very tedious. I don't want to do that again in the future.

A

If we have another visually on, go or python or ruby or whatever, we need to know exactly what we're using and where it's used. So that's why I started this project. The github inventory builder currently residing in the engineering and research sub department, where I'm working it's a very simple project. I like efficiency- and I started this project with this conference in mind. I didn't want to start something shipping with gitlab directly in the rails application, because I wanted to ship something as fast as it could, because I just have required to experiment with that.

A

So it's something on the side, but it's very simple to use, and actually you can already use that today and any of our customers could use that today if they want what they need, is only a gitlab ci configuration file in an empty project and include this template here that I created this template defines a lot of variables so that you can configure uh how you want to run this inventory builder and the other part of the configuration is this data structure.

A

So every everything is done through a tree structure within this data deer, which is the root of the data folder that we want to to synchronize and every folder in there is going to be synchronized. That's exactly the three structure that we have on gitlab.com. We have a gita.com project, the github.org project and, for example, I already created these two subdirectories, because I don't want to synchronize them.

A

But if I run the gitlab inventory builder on this, it's going to synchronize all the subgroups, all the subprojects within gitlab.com and gita.org, and so for every single project and subgroups that we're going to synchronize I'm going to store the metadata of the project within the tree structure, along with the group metadata and the point of all of these is to be able to categorize the projects. So there's this merge request that is currently in a draft mode, because I'm still working on the different categories and how we are going to work with these categories.

A

So I already defined a few categories here to get started and based on these categories, I define two things. First, one is rules, so rules are actions based on categories, so, for example, if it's a product project, so something that is involved um in the final package of gitlab, it's something that's going to ship with gitlab the rule is. I want to download different arbitrary reports.

A

I want to download all the dependencies and I want to download the ci cd configuration so basically a flat version of the gitlab ci configuration file.

A

I also want to define some policies based on these categories, so, for example, if um the project is a website external meaning, it's a user-facing application and it's dealing with yellow or render or red data, then we will require you to enable dust. What I'm doing with that? Is I'm trying to write down all the rules that were trying to apply every day as part of the security team, but they are not enforced and they are not very specifically defined anywhere, whether in the end book or documentation or anywhere else. It's just the case.

A

By case we evaluate every single projects that we are working with and we define if we want, we have secret detection. If we want, we have sas or dependency scanning, and we have to do that over and over again. The problem is not only. We don't have a consistency by doing this kind of workflow, but also we also have um a lot of dark corners. We have a lot of projects that were not able to monitor correctly because they are just not on our radar. Projects are created almost every day at gitlab.

A

We have a lot of engineering of of engineers of departments and, at the scale of git, lab it's becoming quite impossible to following everything that is occurring. So that's a good way to not only track what's happening, but also being able to say. Okay, we have these changes this week. We need to understand what they are referring to, how this project is used.

A

Maybe it's just a demo or test or a poc, and then there's nothing to do for us, but at least we categorize the process, the project as such, and we know in the future that this project is known as demo project and whatever happens in there is not going to impact us and we don't have to worry about this vulnerability report, for example, but for all the others, that's a good way to centralize and to gather all the data that we need to work on on a daily basis in a single location.

A

So not only we have all the dependencies of all the projects that we want to monitor, but we also download all the video reports. So we have a very unique way to create a dashboard by cherry picking the projects that we want to um to monitor within gitlab.com.org and so on, because we have a lot of different projects under the root namespaces that we want to to track.

A

I created here a public example of how to build an inventory, so I started with an empty project and I just added, of course, a redmi 5 to explain what's going on there, but there's also a gitlab ci configuration file using exactly what I was showing. So we include the template and I did a few tweaks by overwriting some variables defined in this template. That's all it takes to get started and I also created this data folder with this structure.

A

So actually I'm going to use the web ide to show you the structure, that's going to be easier to explain there we go um in the data folder, we have the gitlab.org root namespace. So that means we want to synchronize things in there. But there's an ignore file here. So the gitlab inventory builder will just stop the synchronization at this point and not try to download everything. That is under gitlab or but we also have this uh five minute production app, which is actually a real um project.

A

A real group on the architect board- and I added this gif- keep fine, because I want to keep this folder empty so that empty folder is going to be synchronized by the gitlab inventory builder. So we can see that everything is happening in the pipeline and uh it's going to validate that uh update that uh and a few things that we're going to see right after that. But it's also going to create a merge request with all the synchronization that are in there.

A

So I can review that and you can see that we actually added a lot of different projects under this five minute production app. So I can review all of these changes and if everything is fine with me, then I just can go ahead and merge that and start categorizing all of these projects.

A

I can say, for example, I don't care about everything that is under our examples, so I can delete all the sub projects in there and I don't need not far in there, but otherwise I can just go ahead and brush that, as I was saying in the pipeline, we're doing a few more things and that's what I started to experiment this week.

A

Since we are able to categorize the projects and, for example, we can say that's a website and it's a user-facing website and it has write data. For example.

A

I can also add some urls directly to the properties file that we're using to categorize the projects and since we're using this url somewhere in the repo, I can just grab these errors and generate an artifact that will contain a list of yours, never mind, and with this uh with this list of urls, what I can do is I can start checking all the ssl configurations, and so I have this job generating.

A

Some reports.

A

For example, here for customers.github.com, I have a lot of details in there and what I want to do in the future is start working with this overwork great here, that's a b, so I want to create a policy. For example, that will say if it's a website user facing so external and using yellow orange or red data.

A

The grades here can't be lower than a that's something that we can do very easily planning to do to use opa for that, and it's actually super easy, because I also generate the report as json. So I just need to pass this json file and look for the grid in there and check if it's a or not so. That's where I am today.

A

If you want to contribute, uh feel free to check out the gitlab inventory builder project, I will share the links in the description of the video there's. Also, the main occur that I'm working on here and there's an issue in their ids for future iterations.

A

So if you have any id for this project, for example, uh using dependencies to do anything, then I would be happy to discuss that with you directly in that issue. Don't forget to pick me in there, so that's it for today, thanks for watching and again, if you have any questions, feel free to reach out to me directly.

A

Bye.