
Implementing FEA405 - Automated Security Testing Pipeline

| Field | Value |
| --- | --- |
| Document | Implementing FEA405 - Automated Security Testing Pipeline |
| Author | Noora Kuikka |
| Version | 1.0 |
| Date | 25.03.2024 |

Description

This feature adds an automated security testing CI/CD pipeline to the frontend and backend repositories. Once the pipeline has been set up, Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), dependency scanning and container scanning will be enabled.

Preparation

Installing Docker on the servers

If Docker has not already been set up on the server, we first make sure that the latest version is installed with:

```
# Prerequisites for fetching the Docker package repository
sudo apt-get update
sudo apt-get install ca-certificates curl

# Docker's signing key, readable by apt
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository for this Ubuntu release (the echo ... | sudo tee
# pipeline must stay on consecutive lines; a blank line breaks it)
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker Engine and the compose/buildx plugins
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

See the official Docker documentation for more details.

Setting up a GitLab Runner on the servers

In order to run SAST, we first need to set up a GitLab Runner with a docker-in-docker executor.

  1. In GitLab, we go to Settings -> CI/CD -> Runners and click "New project runner".
  2. We choose the platform (Linux) and give the runner a name (SAST runner).
  3. On the server, we fetch the latest GitLab Runner package repository with:

     ```
     curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
     ```

  4. We then install the runner with `sudo apt-get install gitlab-runner`.

[Screenshot: Install GitLab Runner]

  5. We now need to register the runner. Using the runner authentication token provided by GitLab during runner creation, we run:

     ```
     # Run as root so the registration lands in /etc/gitlab-runner/config.toml,
     # which is the file the gitlab-runner systemd service reads
     sudo gitlab-runner register --url https://gitlab.labranet.jamk.fi --token insert-token-here
     ```

     [Screenshot: Register runner in GitLab]

[Screenshot: Register runner on the server]

  6. We can now start the runner and check its status with `gitlab-runner run` and `sudo systemctl status gitlab-runner`.
  7. If everything has gone well, the runner should now be visible and running in GitLab:

[Screenshot: Runner is running]

  8. The same runner can be used for the backend repository, or a new runner can be created, depending on user needs and preferences.

Implementation

Now that the GitLab Runner has been set up, we can begin implementing the security CI/CD pipeline. As a test, we will set up Static Application Security Testing (SAST) first.

If we go to the GitLab security dashboard, we can see that SAST is currently not enabled:

[Screenshot: SAST not yet enabled]

In order to enable SAST, we need to create and configure a `.gitlab-ci.yml` file in the repository root directory.

Use the CI/CD template for SAST or add the following lines to the file:

```
include:
  template: SAST.gitlab-ci.yml
```

This will create a SAST job in the CI/CD pipeline that will scan the project source code for potential vulnerabilities. Each automated scan that we implement will be included in this file.

Below is an example of our .gitlab-ci.yml file which currently has SAST, dependency scanning and DAST enabled:

[Screenshot: GitLab .gitlab-ci.yml file example]
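Since the project's own file is only shown as a screenshot, here is an added example (not the project's file) of a `.gitlab-ci.yml` that enables all four scan types through GitLab's templates. The template paths under `Jobs/` and `Security/` are the ones GitLab documents; the `build_image` job, the stage list, the `docker:24` images and the `DAST_WEBSITE` URL are assumptions for illustration and must be adapted to the project:

```yaml
# Added example .gitlab-ci.yml; not the project's own file.
stages:
  - build
  - test
  - dast

include:
  - template: Jobs/SAST.gitlab-ci.yml                  # static analysis of source
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml   # known-vulnerable packages
  - template: Jobs/Container-Scanning.gitlab-ci.yml    # OS/library CVEs in the image
  - template: Security/DAST.gitlab-ci.yml              # probes a running deployment

variables:
  # Container scanning needs an image reference; this assumes build_image
  # pushes the image to the project registry tagged with the commit SHA.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # DAST needs a reachable deployment to test; placeholder URL.
  DAST_WEBSITE: https://staging.example.invalid

# Assumed build job using the docker-in-docker runner set up above.
build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

The SAST and dependency-scanning jobs need no extra variables and run on every push; container scanning only produces results once an image with the tag in `CS_IMAGE` exists in the registry, and DAST only once `DAST_WEBSITE` points at a deployment reachable from the runner.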

Save the file and let the pipeline run; if successful, it should look something like this:

[Screenshot: Pipeline successful]

Now the scans run automatically every time GitLab detects changes to the repository.

By checking the GitLab security configuration page again, we can now see that SAST is enabled:

[Screenshot: SAST now enabled]

The individual scan results can be downloaded as a JSON file, or they can be viewed directly in GitLab under Secure -> Vulnerability report.
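The downloaded JSON follows GitLab's security report schema (a top-level `vulnerabilities` list, each entry with `severity`, `name`, `location` and `identifiers`). As an added example, not part of the original page, the script below summarises such a report by severity and decides whether the build should be blocked; the embedded sample report is constructed, and the severity threshold is an assumption:

```python
"""Summarise a GitLab security report (gl-sast-report.json or
gl-dependency-scanning-report.json) and decide whether a build should fail.

Added example; the sample report below is constructed and the ids are made up.
"""
import json
import sys
from collections import Counter

# GitLab severity levels, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample: one SAST finding and two dependency-scanning findings.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "sast-0001",  # constructed id
            "category": "sast",
            "name": "Improper neutralization of input in HTML output",
            "severity": "High",
            "scanner": {"id": "semgrep", "name": "Semgrep"},
            "location": {"file": "src/render.js", "start_line": 42},
            "identifiers": [{"type": "cwe", "name": "CWE-79", "value": "79"}],
        },
        {
            "id": "ds-0001",  # constructed id
            "category": "dependency_scanning",
            "name": "Prototype pollution",
            "severity": "Medium",
            "scanner": {"id": "gemnasium", "name": "Gemnasium"},
            "location": {
                "file": "package-lock.json",
                "dependency": {"package": {"name": "example-lib"}, "version": "1.2.3"},
            },
            "identifiers": [{"type": "cwe", "name": "CWE-1321", "value": "1321"}],
        },
        {
            "id": "ds-0002",  # constructed id
            "category": "dependency_scanning",
            "name": "Denial of service via regex",
            "severity": "Low",
            "scanner": {"id": "gemnasium", "name": "Gemnasium"},
            "location": {
                "file": "package-lock.json",
                "dependency": {"package": {"name": "other-lib"}, "version": "0.9.0"},
            },
            "identifiers": [],
        },
    ],
})


def load_findings(report_text):
    """Parse a report and return its vulnerability list.
    An empty or minimal report (no 'vulnerabilities' key) yields []."""
    return json.loads(report_text).get("vulnerabilities", [])


def severity_rank(severity):
    """Index into SEVERITY_ORDER; unrecognised strings rank below Unknown."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def count_by_severity(findings):
    counts = Counter(f.get("severity", "Unknown") for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def describe(finding):
    """One-line description: severity, name, file:line or package@version, CWEs."""
    loc = finding.get("location", {})
    dep = loc.get("dependency")
    if dep:  # dependency-scanning finding: identify the package, not a line
        where = f"{dep['package']['name']}@{dep.get('version', '?')} ({loc.get('file', '?')})"
    else:    # SAST finding: file and start line
        where = f"{loc.get('file', '?')}:{loc.get('start_line', '?')}"
    cwes = [i["name"] for i in finding.get("identifiers", []) if i.get("type") == "cwe"]
    return f"[{finding.get('severity', 'Unknown')}] {finding.get('name')} at {where} {' '.join(cwes)}".rstrip()


def should_fail(findings, threshold="High"):
    """True if any finding is at or above the threshold severity (assumed policy)."""
    return any(severity_rank(f.get("severity", "Unknown")) <= severity_rank(threshold) for f in findings)


if __name__ == "__main__":
    # Usage: python summarise_report.py gl-sast-report.json (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = load_findings(text)
    for sev, n in count_by_severity(found).items():
        print(f"{sev:9} {n}")
    for f in sorted(found, key=lambda f: severity_rank(f.get("severity", "Unknown"))):
        print(describe(f))
    sys.exit(1 if should_fail(found) else 0)
```

Run against a downloaded report, the script exits non-zero when any High or Critical finding is present, which lets it serve as a simple gate in a later pipeline stage; the vulnerability report in GitLab remains the place to triage and dismiss individual findings.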

As an example, our initial scans of the Tukko frontend repository found the following dependency issues:

[Screenshot: Dependency issues in frontend repo]

And on the backend:

[Screenshot: Dependency issues in backend repo]

Note that in order to get results for the backend repository, the steps above need to be repeated within that repository as well.

Sources

| Source | Description |
| --- | --- |
| Static Application Security Testing (SAST) | GitLab documentation on static application security testing. |
| SAST Analyzers | GitLab documentation on available SAST analyzers. |
| GitLab Runner | GitLab documentation on GitLab Runner. |
| Docker Engine Installation Guide (Ubuntu) | Docker documentation for installing Docker Engine on Ubuntu. |
| GitLab Hands-On | GitLab Hands-On training resources. |