Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Security Integration Videos / 24 Sep 2020
GitLab / Security Integration Videos / 24 Sep 2020
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Technical steps to integrate with GitLab Secure

Description

This video goes over technical steps needed to integrate with GitLab's Secure stage with a 3rd-party product.

High-level workflow points to integrate with: https://www.youtube.com/watch?v=o0icDoSpwEs&list=PL05JrBw4t0KpMqYxJiOLz-uBIr5w-yP4A&index=2&t=0s

Security Scanner integration documentation: https://docs.gitlab.com/ee/development/integrations/secure/

Example project: https://gitlab.com/stkerr/custom-scanner

A

Hello, I'm, Sam, Kirk, I'm, a principal product manager here at get lab, and today I want to talk a little bit more about technical details. Around security integrations with gitlab. In the last video we talked about a few of the different touch points and parts of the user workflow that might make sense for you, as an integrator, to add your products into gitlab and with this video I want us to focus on how this is actually done. So what we're going to do is walk through some of the documentation.

A

The product we'll get an example project and I'll show some helpful steps that might help you get up to speed more quickly. So I'll share my screen, so the page that we're looking at right now. This is the documentation for get lab security scanner. Integration I'll, add a link in the description of the video below, but at a high level. This page is describing everything you'll need to know to integrate your scanner into get lab. The way this is done is by providing a CI job definition file as part of your product integration.

A

That end-users would then include in their own pipelines. This file could have all of the various pieces of business logic. That's needed to specifically run your scanner or any sort of configuration in it. I won't read this entire page to you. Please read it at your own leisure. One thing I do want to highlight, though, because I think it makes it really easy to see how this is done. Is this example here? So what this section is talking about the artifact section. This is showing what gitlab is expecting your product to output.

A

Specifically one of these artifact report artifacts, depending on the type of integration type of product you are, you might use a SAS integration, a dashed integration container scanning or what have you, but what this is doing is it's telling gitlab as part of running the job. In this case, my sex asked that the product will be outputting all of its results into a file and, in this example, called GL SAS report JSON. What get lab does at that point?

A

Is it then takes this Phi reads all of the information inside of it and it displays that information in various places? Much like we talked about in the previous video, with the security dashboard pipeline views, as well as merge requests widgets, notably, the format for this file is also publicly documented. There's links in this page and those links will take you to this repository here. This has all of the JSON schemas that get live currently supports and what their latest status is.

A

If we look at one of them, let's look at the SAS one you'll see this is a JSON schema document and it has all of the supported fields that gitlab has available for security results, as well as a short description, short documentation string for each and every field to help you understand what all of these different places to put information this, for so I'll, add a link to this repository as well in the video description.

A

But let's take a look at an example that might help make this a little bit more real, so we'll go back to the custom scanner project that I talked about last time and let's dig into figuring out how this actually is being done. So what this product is showing is a custom security scanner that I've written, called Sam scan and we're going to integrate the Sam scan results into get lab and into all the various parts of the get lab workflow, and so the way that we're doing this.

A

Let's take a look at the code inside of Sam scan top pie, which is the scanner in your case. This would be the product itself that you're trying to integrate and so Sam scan is pretty basic. So if we scroll the bottom all it's doing its printing, this large JSON object out to the console and that's it.

A

This report object that I'm sharing right here. This is a JSON object that meets the schema requirements that I showed earlier, and this is where, in your own product, you would be taking a user source code scanning that run your own security checks to generate this output yourself, but in the case of Sam scan I've, just pre hard-coded it and we're just printing it to the can line, and so that is the very basic scam scam. So let's actually take a look at how we integrate the results of Sam scan and to get lab.

A

So if we look at our get lab CI mo file, this is what defines the pipeline defines all the jobs that users are going to be running and we can look at what the various stages are being run as part of this. So we're running a test stage, a scanning stage and a validation stage. Our test stage is actually where we're also running SAS in this pipeline.

A

I did want to highlight that, just because you're, adding your own custom scanner doesn't mean that customers cannot run other scanners with their pipeline, and this is really important, because if your scanner is a SAS tool, then your users probably still want to be using DAST and that's totally possible. If we look at what the the scanning stage is, this is where we're actually running Sam scan as part of that pipeline.

A

We can see that we're executing the Python script, saving those results to a file called Sam scan report, dot, JSON and then in the second half of the job that I'm highlighting. Now you can see that we're adding the Sam scan report that JSON file and we're specifying it as a task report artifact, and what this means is that anywhere that DAST results would normally be shown by gitlab.

A

Those results will be taken from that Sam scan file that we're outputting as part of this job, and that's all there is to it that is, the integration of Sam's can begin to get lab if we go and look at the security dashboard for this object will see that all of those vulnerabilities which we looked at earlier are on the security to ask for because get lab has picked them up out of that JSON document and is displaying them here.

A

One thing I do want to highlight that I think will be very hopeful for you, as part of developing. Your own integrations is implementing schema validation against the report, artifacts that your job is producing. This is a quick way to help debug. If you do start seeing issues with the integration or things aren't being displayed correctly.

A

There is a short snippet of code which I'm highlighting now I wrote a short script you're more than welcome to copy it, and all it's doing is it's taking those schema documents that we looked at earlier, downloading them into the repo and running a schema validator against the output report in those schema documents. If the report object that your security product is outputting does not meet the schema, the validate report script here will throw an error.

A

It will tell you why it is not meeting those requirements and then you can take the next step in terms of fixing that to make sure that your output is compliant with the report schemas that Jake that get lab is expecting to see, and so I hope. This was helpful. This was a whirlwind overview of how to integrate your custom security scanner into get lab and take advantage of all the different touch points that we have with our users as part of our workflow again, my name is Sam Kirk I'm at STK at get lab.

A

If you'd like to talk further, always happy to discuss things on an issue and have a great day.