Implementing FEA405 - Automated Security Testing Pipeline
| Document | Implementing FEA405 - Automated Security Testing Pipeline |
|---|---|
| Author | Noora Kuikka |
| Version | 1.0 |
| Date | 25.03.2024 |
Description
This feature adds an automated security testing CI/CD pipeline to the frontend and backend repositories. Once the pipeline is set up, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), dependency scanning and container scanning are enabled.
Preparation
Installing Docker on the servers
If Docker is not already installed on the server, install the latest Docker Engine from Docker's own apt repository with:
```
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
See the official Docker documentation for more details.
Setting up a GitLab runner on the servers
GitLab's SAST jobs need a runner that uses the Docker executor; we set one up with docker-in-docker. Note that docker-in-docker requires the runner's job containers to run in privileged mode (privileged = true in the runner's config.toml), which gives a job effectively root access to the host, so this runner should only serve projects we trust.
- In GitLab, go to Settings -> CI/CD -> Runners and click "New project runner".
- Choose the platform (Linux) and give the runner a name (SAST runner).
- On the server, add the GitLab runner package repository:
  ```
  curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash
  ```
  This pipes a downloaded script straight into a root shell; if that is not acceptable on the server, download the script, inspect it, and run it afterwards.
- Install the runner:
  ```
  sudo apt-get install gitlab-runner
  ```
- Register the runner with the runner authentication token that GitLab showed when the runner was created. Run the command with sudo so that the registration is written to /etc/gitlab-runner/config.toml, the file the system service reads:
  ```
  sudo gitlab-runner register --url https://gitlab.labranet.jamk.fi --token insert-token-here
  ```
  The command then prompts for the executor (docker) and a default image.
- The apt package installs gitlab-runner as a systemd service. Start it if needed and check its status with:
  ```
  sudo systemctl start gitlab-runner
  sudo systemctl status gitlab-runner
  ```
  (gitlab-runner run instead starts a runner in the foreground, which is useful for debugging.)
- If everything has gone well, the runner is shown as online under Settings -> CI/CD -> Runners in GitLab.
- The same runner can be used for the backend repository, or a new runner can be created, depending on user needs and preferences.
Implementation
Now that the GitLab runner has been set up, we can begin implementing the security CI/CD pipeline. As a test, we will set up Static Application Security Testing (SAST) first.
On the Security configuration page in GitLab (Secure -> Security configuration), SAST is listed as not enabled.
To enable SAST, we need to create and configure a .gitlab-ci.yml file in the repository root directory.
Use the CI/CD template for SAST or add the following lines to the file:
```
include:
  template: SAST.gitlab-ci.yml
```
This will create a SAST job in the CI/CD pipeline that will scan the project source code for potential vulnerabilities. Each automated scan that we implement will be included in this file.
Our .gitlab-ci.yml file currently has SAST, dependency scanning and DAST enabled.
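The following is an added example of a complete .gitlab-ci.yml that wires up all four scan types named in this document by including the GitLab templates. It is not the Tukko frontend or backend file; the runner tag sast, the container registry naming, the staging URL and the DAST_WEBSITE variable name are assumptions for illustration and should be checked against the templates shipped with the GitLab version in use:

```yaml
# Added example, not the Tukko frontend/backend .gitlab-ci.yml itself.
# Assumptions (not from the document): the runner registered earlier is tagged
# "sast", images are pushed to the project's container registry, and the
# staging URL and DAST_WEBSITE variable name match the GitLab version in use.
default:
  tags:
    - sast            # route every job, including the template jobs, to our runner

stages:
  - build
  - test              # the SAST, dependency scanning and container scanning jobs run here
  - dast              # DAST needs a running instance, so it comes last

include:
  - template: SAST.gitlab-ci.yml                 # static analysis of the source tree
  - template: Dependency-Scanning.gitlab-ci.yml  # known CVEs in third-party packages
  - template: Container-Scanning.gitlab-ci.yml   # known CVEs in the built image
  - template: DAST.gitlab-ci.yml                 # black-box scan of a deployed instance

variables:
  # Image that container scanning inspects; the commit SHA tag ties findings to a commit.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # Deployed test instance for DAST to crawl (placeholder; never point this at production).
  DAST_WEBSITE: https://staging.example.invalid

# Build and push the image so that the container_scanning job has something to scan.
# docker-in-docker here relies on the runner allowing privileged job containers.
build_image:
  stage: build
  image: docker:24.0.5
  services:
    - docker:24.0.5-dind
  variables:
    # TLS between the docker client and the dind service; the runner must mount /certs/client
    DOCKER_TLS_CERTDIR: "/certs"
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"

# Run the dynamic scan only on the default branch, where a deployed instance exists.
dast:
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

For the build_image job to work, the runner has to be registered with --docker-privileged and with the volume --docker-volumes "/certs/client" (as in the GitLab Runner documentation), otherwise the docker client in the job cannot reach the dind service over TLS. The DAST target must be a test deployment that we own, because the scanner sends real requests to it.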
Save the file and let the pipeline run; if everything is configured correctly, the pipeline completes successfully.
The scan now runs automatically every time GitLab detects changes to the repository. Note that the template jobs are defined with allow_failure: true and the analyzers exit successfully even when they report vulnerabilities, so a finding does not fail the pipeline by itself; it has to be reviewed in the vulnerability report (or enforced with a merge request approval policy).
Checking the GitLab Security configuration page again, SAST is now shown as enabled.
The individual scan results can be downloaded as a JSON file (the job artifact, gl-sast-report.json for the SAST job) or viewed directly in GitLab under Secure -> Vulnerability report.
As an example, our initial scans of the Tukko frontend repository found dependency issues, and so did the scans of the backend repository; both sets of findings are listed in the respective vulnerability reports.
Note that in order to get the results for the backend repository, the above steps (creating the .gitlab-ci.yml file and including the templates) need to be repeated within that repository as well.
Sources
| Source | Description |
|---|---|
| Static Application Security Testing (SAST) | GitLab documentation on static application security testing. |
| SAST Analyzers | GitLab documentation on available SAST analyzers. |
| GitLab Runner | GitLab documentation on GitLab Runner. |
| Docker Engine Installation Guide (Ubuntu) | Docker documentation for installing Docker Engine on Ubuntu. |
| GitLab Hands-On | GitLab Hands-On training resources. |