1. Static Application Security Testing (SAST)
Add the following to your .gitlab-ci.yml file:
sast:
  stage: sast
  tags:
    - maven
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --rm
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD":/code
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:${SP_VERSION}" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json
2. Dependency Scanning
Add the following to your .gitlab-ci.yml file:
dependency:
  stage: dependency
  tags:
    - maven
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --rm
        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
        --volume "$PWD:/code"
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
3. Dynamic Application Security Testing (DAST)
Add the following to your .gitlab-ci.yml file:
include:
  - template: DAST.gitlab-ci.yml
variables:
  DAST_WEBSITE: https://example.com  # change to a URL of the target system that the runner can reach
  DAST_USERNAME: admin               # login username for the target system
  DAST_PASSWORD: ******              # login password for the target system
4. Container Scanning
Add the following to your .gitlab-ci.yml file:
include:
  - template: Container-Scanning.gitlab-ci.yml
5. License Compliance
Add the following to your .gitlab-ci.yml file:
include:
  - template: License-Scanning.gitlab-ci.yml
6. Combined .gitlab-ci.yml
stages:
  - build
  - test
  - deploy
  - sast
  - dependency
sast:
  stage: sast
  tags:
    - maven
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --rm
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD":/code
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:${SP_VERSION}" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json
dependency:
  stage: dependency
  tags:
    - maven
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --rm
        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
        --volume "$PWD:/code"
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
include:
  - template: License-Scanning.gitlab-ci.yml
  - template: Container-Scanning.gitlab-ci.yml
  - template: DAST.gitlab-ci.yml
variables:
  DAST_WEBSITE: https://example.com  # change to a URL of the target system that the runner can reach
  DAST_USERNAME: admin               # login username for the target system
  DAST_PASSWORD: ******              # login password for the target system
Notes:
When registering the runner used for Static Application Security Testing (SAST) and Dependency Scanning, choose shell as the Runner executor.
When registering the runner used for Dynamic Application Security Testing (DAST), Container Scanning and License Compliance, choose docker as the Runner executor.
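The sast and dependency jobs above only produce gl-sast-report.json and gl-dependency-scanning-report.json as artifacts; nothing in the pipeline fails when those reports contain serious findings. The script below is an added example (not from the original post and not part of GitLab's scanners) of a gate job that reads both report files and exits non-zero when any finding is at or above a chosen severity. It assumes the GitLab secure-report JSON layout (a top-level "vulnerabilities" list whose entries carry "severity", "name" and "location" fields); the two sample reports embedded in it are constructed for illustration, with made-up file and package names.

```python
"""Gate a GitLab CI pipeline on the SAST and dependency-scanning reports.

Added example, not part of the original post or of GitLab's tooling.
Assumes the GitLab secure-report JSON layout: {"vulnerabilities": [...]}
with "severity", "name" and "location" on each entry. Report file names
come from the artifacts:reports sections of the page's .gitlab-ci.yml.
"""
import json
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Severity values used by GitLab secure reports, ranked low to high.
SEVERITY_RANK = {"Info": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Artifact names from the page's sast and dependency jobs.
REPORT_FILES = ("gl-sast-report.json", "gl-dependency-scanning-report.json")


def load_findings(report_text: str) -> List[dict]:
    """Parse one report and return its vulnerability entries (empty if none)."""
    data = json.loads(report_text)
    return list(data.get("vulnerabilities", []))


def findings_at_or_above(findings: List[dict], threshold: str) -> List[dict]:
    """Keep findings whose severity ranks at or above the threshold.
    A severity value the ranking does not know is treated as Unknown."""
    min_rank = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "Unknown"), 1) >= min_rank]


def describe(finding: dict) -> str:
    """One-line summary: severity, finding name and where it was found.
    Dependency findings name the package; SAST findings name the file."""
    loc = finding.get("location", {})
    package = loc.get("dependency", {}).get("package", {}).get("name")
    where = package or loc.get("file") or "?"
    return f"[{finding.get('severity', 'Unknown')}] {finding.get('name', '(unnamed)')} @ {where}"


def gate(reports: Dict[str, str], threshold: str = "High") -> Tuple[bool, List[str]]:
    """Return (passed, messages) over all reports; passed is True only if
    no report holds a finding at or above the threshold."""
    messages = []
    for name, text in reports.items():
        for finding in findings_at_or_above(load_findings(text), threshold):
            messages.append(f"{name}: {describe(finding)}")
    return (not messages, messages)


# Constructed sample reports (not real scanner output; names are made up).
SAMPLE_SAST = json.dumps({"version": "2.3", "vulnerabilities": [
    {"name": "Hardcoded credential", "severity": "Medium",
     "location": {"file": "src/main/java/App.java", "start_line": 42}},
    {"name": "SQL injection", "severity": "High",
     "location": {"file": "src/main/java/Dao.java", "start_line": 88}},
]})
SAMPLE_DEP = json.dumps({"version": "2.3", "vulnerabilities": [
    {"name": "Deserialization of untrusted data", "severity": "Critical",
     "location": {"file": "pom.xml",
                  "dependency": {"package": {"name": "example-parser"}, "version": "1.0.0"}}},
]})


def main(argv: List[str]) -> int:
    threshold = argv[1] if len(argv) > 1 else "High"
    reports = {}
    for name in REPORT_FILES:
        path = Path(name)
        if path.is_file():
            reports[name] = path.read_text()
    if not reports:  # no artifacts in the working directory: show the constructed samples
        reports = {"gl-sast-report.json": SAMPLE_SAST,
                   "gl-dependency-scanning-report.json": SAMPLE_DEP}
    passed, messages = gate(reports, threshold)
    for line in messages:
        print(line)
    print("gate: PASS" if passed else f"gate: FAIL ({len(messages)} finding(s) >= {threshold})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, add a job in a stage after sast and dependency that lists those two jobs under needs: (or dependencies:) so their report artifacts are downloaded into the working directory, then run `python3 gate.py High`; a non-zero exit fails the job and blocks the pipeline. The threshold argument lets a team start at Critical and tighten to High or Medium once the existing backlog is cleared.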
References:
Official documentation: https://docs.gitlab.com/ee/user/application_security/security_dashboard/#gitlab-security-dashboard-ultimate
Other documentation: https://www.linuxea.com/1832.html
Runner executor: https://docs.gitlab.com/runner/executors/README.html