gitlab-ee版本安全與合規配置

一、靜態應用程序安全測試(SAST)

將以下內容添加到您的.gitlab-ci.yml文件中

sast:
  stage: sast
  tags:
    - maven
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --rm
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD":/code  
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock  
        "registry.gitlab.com/gitlab-org/security-products/sast:${SP_VERSION}" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json

二、依賴項掃描

將以下內容添加到您的.gitlab-ci.yml文件中

dependency:
  stage: dependency
  tags:
    - maven
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --rm
        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
        --volume "$PWD:/code"
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json

三、動態應用程序安全性測試(DAST)

將以下內容添加到您的.gitlab-ci.yml文件中

include:
  - template: DAST.gitlab-ci.yml
 
variables:
  DAST_WEBSITE: https://example.com    #訪問地址需要修改爲系統可訪問的url
  DAST_USERNAME: admin                 #系統登陸用戶名
  DAST_PASSWORD: ******                #系統登陸密碼

四、容器掃描

將以下內容添加到您的.gitlab-ci.yml文件中

include:
  - template: Container-Scanning.gitlab-ci.yml

五、許可證合規

將以下內容添加到您的.gitlab-ci.yml文件中

include:
  - template: License-Scanning.gitlab-ci.yml

六、合併的.gitlab-ci.yml

stages: 
  - build
  - test
  - deploy
  - sast
  - dependency
sast:
  stage: sast
  tags:
    - maven
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --rm
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD":/code  
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock  
        "registry.gitlab.com/gitlab-org/security-products/sast:${SP_VERSION}" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json
dependency:
  stage: dependency
  tags:
    - maven
  script:
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - docker run --rm
        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
        --volume "$PWD:/code"
        --volume /etc/localtime:/etc/localtime:ro
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
       
include:
  - template: License-Scanning.gitlab-ci.yml
  - template: Container-Scanning.gitlab-ci.yml
  - template: DAST.gitlab-ci.yml
 
variables:
  DAST_WEBSITE: https://example.com    #訪問地址需要修改爲系統可訪問的url
  DAST_USERNAME: admin                 #系統登陸用戶名
  DAST_PASSWORD: ******                #系統登陸密碼

說明：

靜態應用程序安全測試(SAST) 、依賴項掃描 中使用的 runner 註冊時Runner executor 要選擇 shell

動態應用程序安全性測試(DAST) 、容器掃描、許可證合規 中使用的 runner 註冊時Runner executor 要選擇 docker

參考文檔：

官網文檔：https://docs.gitlab.com/ee/user/application_security/security_dashboard/#gitlab-security-dashboard-ultimate

其他文檔：https://www.linuxea.com/1832.html
Runner executor:https://docs.gitlab.com/runner/executors/README.html