►
From YouTube: Technical steps to integrate with GitLab Secure
Description
This video goes over technical steps needed to integrate with GitLab's Secure stage with a 3rd-party product.
High-level workflow points to integrate with: https://www.youtube.com/watch?v=o0icDoSpwEs&list=PL05JrBw4t0KpMqYxJiOLz-uBIr5w-yP4A&index=2&t=0s
Security Scanner integration documentation: https://docs.gitlab.com/ee/development/integrations/secure/
Example project: https://gitlab.com/stkerr/custom-scanner
A
Hello,
I'm,
Sam,
Kirk,
I'm,
a
principal
product
manager
here
at
get
lab,
and
today
I
want
to
talk
a
little
bit
more
about
technical
details.
Around
security
integrations
with
gitlab.
In
the
last
video
we
talked
about
a
few
of
the
different
touch
points
and
parts
of
the
user
workflow
that
might
make
sense
for
you,
as
an
integrator,
to
add
your
products
into
gitlab
and
with
this
video
I
want
us
to
focus
on
how
this
is
actually
done.
So
what
we're
going
to
do
is
walk
through
some
of
the
documentation.
A
The
product
we'll
get
an
example
project
and
I'll
show
some
helpful
steps
that
might
help
you
get
up
to
speed
more
quickly.
So
I'll
share
my
screen,
so
the
page
that
we're
looking
at
right
now.
This
is
the
documentation
for
get
lab
security
scanner.
Integration
I'll,
add
a
link
in
the
description
of
the
video
below,
but
at
a
high
level.
This
page
is
describing
everything
you'll
need
to
know
to
integrate
your
scanner
into
get
lab.
The
way
this
is
done
is
by
providing
a
CI
job
definition
file
as
part
of
your
product
integration.
A
That
end-users
would
then
include
in
their
own
pipelines.
This
file
could
have
all
of
the
various
pieces
of
business
logic.
That's
needed
to
specifically
run
your
scanner
or
any
sort
of
configuration
in
it.
I
won't
read
this
entire
page
to
you.
Please
read
it
at
your
own
leisure.
One
thing
I
do
want
to
highlight,
though,
because
I
think
it
makes
it
really
easy
to
see
how
this
is
done.
Is
this
example
here?
So
what
this
section
is
talking
about
the
artifact
section.
This
is
showing
what
gitlab
is
expecting
your
product
to
output.
A
Specifically
one
of
these
artifact
report
artifacts,
depending
on
the
type
of
integration
type
of
product
you
are,
you
might
use
a
SAS
integration,
a
dashed
integration
container
scanning
or
what
have
you,
but
what
this
is
doing
is
it's
telling
gitlab
as
part
of
running
the
job.
In
this
case,
my
sex
asked
that
the
product
will
be
outputting
all
of
its
results
into
a
file
and,
in
this
example,
called
GL
SAS
report
JSON.
What
get
lab
does
at
that
point?
A
Is
it
then
takes
this
Phi
reads
all
of
the
information
inside
of
it
and
it
displays
that
information
in
various
places?
Much
like
we
talked
about
in
the
previous
video,
with
the
security
dashboard
pipeline
views,
as
well
as
merge
requests
widgets,
notably,
the
format
for
this
file
is
also
publicly
documented.
There's
links
in
this
page
and
those
links
will
take
you
to
this
repository
here.
This
has
all
of
the
JSON
schemas
that
get
live
currently
supports
and
what
their
latest
status
is.
A
But
let's
take
a
look
at
an
example
that
might
help
make
this
a
little
bit
more
real,
so
we'll
go
back
to
the
custom
scanner
project
that
I
talked
about
last
time
and
let's
dig
into
figuring
out
how
this
actually
is
being
done.
So
what
this
product
is
showing
is
a
custom
security
scanner
that
I've
written,
called
Sam
scan
and
we're
going
to
integrate
the
Sam
scan
results
into
get
lab
and
into
all
the
various
parts
of
the
get
lab
workflow,
and
so
the
way
that
we're
doing
this.
A
Let's
take
a
look
at
the
code
inside
of
Sam
scan
top
pie,
which
is
the
scanner
in
your
case.
This
would
be
the
product
itself
that
you're
trying
to
integrate
and
so
Sam
scan
is
pretty
basic.
So
if
we
scroll
the
bottom
all
it's
doing
its
printing,
this
large
JSON
object
out
to
the
console
and
that's
it.
A
This
report
object
that
I'm
sharing
right
here.
This
is
a
JSON
object
that
meets
the
schema
requirements
that
I
showed
earlier,
and
this
is
where,
in
your
own
product,
you
would
be
taking
a
user
source
code
scanning
that
run
your
own
security
checks
to
generate
this
output
yourself,
but
in
the
case
of
Sam
scan
I've,
just
pre
hard-coded
it
and
we're
just
printing
it
to
the
can
line,
and
so
that
is
the
very
basic
scam
scam.
So
let's
actually
take
a
look
at
how
we
integrate
the
results
of
Sam
scan
and
to
get
lab.
A
So
if
we
look
at
our
get
lab
CI
mo
file,
this
is
what
defines
the
pipeline
defines
all
the
jobs
that
users
are
going
to
be
running
and
we
can
look
at
what
the
various
stages
are
being
run
as
part
of
this.
So
we're
running
a
test
stage,
a
scanning
stage
and
a
validation
stage.
Our
test
stage
is
actually
where
we're
also
running
SAS
in
this
pipeline.
A
I
did
want
to
highlight
that,
just
because
you're,
adding
your
own
custom
scanner
doesn't
mean
that
customers
cannot
run
other
scanners
with
their
pipeline,
and
this
is
really
important,
because
if
your
scanner
is
a
SAS
tool,
then
your
users
probably
still
want
to
be
using
DAST
and
that's
totally
possible.
If
we
look
at
what
the
the
scanning
stage
is,
this
is
where
we're
actually
running
Sam
scan
as
part
of
that
pipeline.
A
We
can
see
that
we're
executing
the
Python
script,
saving
those
results
to
a
file
called
Sam
scan
report,
dot,
JSON
and
then
in
the
second
half
of
the
job
that
I'm
highlighting.
Now
you
can
see
that
we're
adding
the
Sam
scan
report
that
JSON
file
and
we're
specifying
it
as
a
task
report
artifact,
and
what
this
means
is
that
anywhere
that
DAST
results
would
normally
be
shown
by
gitlab.
A
One
thing
I
do
want
to
highlight
that
I
think
will
be
very
hopeful
for
you,
as
part
of
developing.
Your
own
integrations
is
implementing
schema
validation
against
the
report,
artifacts
that
your
job
is
producing.
This
is
a
quick
way
to
help
debug.
If
you
do
start
seeing
issues
with
the
integration
or
things
aren't
being
displayed
correctly.
A
There
is
a
short
snippet
of
code
which
I'm
highlighting
now
I
wrote
a
short
script
you're
more
than
welcome
to
copy
it,
and
all
it's
doing
is
it's
taking
those
schema
documents
that
we
looked
at
earlier,
downloading
them
into
the
repo
and
running
a
schema
validator
against
the
output
report
in
those
schema
documents.
If
the
report
object
that
your
security
product
is
outputting
does
not
meet
the
schema,
the
validate
report
script
here
will
throw
an
error.
A
It
will
tell
you
why
it
is
not
meeting
those
requirements
and
then
you
can
take
the
next
step
in
terms
of
fixing
that
to
make
sure
that
your
output
is
compliant
with
the
report
schemas
that
Jake
that
get
lab
is
expecting
to
see,
and
so
I
hope.
This
was
helpful.
This
was
a
whirlwind
overview
of
how
to
integrate
your
custom
security
scanner
into
get
lab
and
take
advantage
of
all
the
different
touch
points
that
we
have
with
our
users
as
part
of
our
workflow
again,
my
name
is
Sam
Kirk
I'm
at
STK
at
get
lab.