GitLab Duo Principles - Hands-On Lab: Working with Security Vulnerabilities

This Hands-On Guide walks you through using GitLab Duo to explain security vulnerabilities.

Estimated time to complete: 15 minutes

Objectives

In this lab, you will see how GitLab Duo can help with explaining and resolving security vulnerabilities.

Task A. Explaining a Security Vulnerability

  1. Navigate to your GitLab Duo Principles Project.

  2. Select the .gitlab-ci.yml file.

  3. Select Edit > Edit in pipeline editor.

  4. Remove all previous YAML and add the following code. Your .gitlab-ci.yml should look as follows:

    stages:
      - test
    
    include:
      - template: Security/SAST.gitlab-ci.yml
    
  5. Input any Commit message, set the target branch to main, then select Commit changes.

  6. In the left sidebar, select Code > Repository.

  7. Select main.go.

  8. Select Edit > Edit single file.

  9. Replace all of your code with the following code. It is deliberately insecure: the server is started with http.ListenAndServe, which applies no timeouts to client connections.

    package main
    
    import (
      "fmt"
      "math/rand"
      "net/http"
    )
    
    // randomGitlab writes one of a fixed set of words to the response.
    func randomGitlab(w http.ResponseWriter, r *http.Request) {
      words := []string{"git", "lab", "repo", "commit", "branch"}
      word := words[rand.Intn(len(words))]
    
      fmt.Fprint(w, word)
    }
    
    func main() {
      http.HandleFunc("/random", randomGitlab)
      // Insecure on purpose: ListenAndServe uses a default http.Server with no
      // read, write or idle timeouts, so a client that sends its request slowly
      // can hold a connection open indefinitely. This is what the SAST scan flags.
      http.ListenAndServe(":8080", nil)
    }
    
    
  10. Input any Commit message, set the target branch to main, then select Commit changes.

  11. In the left sidebar, select Build > Pipelines and wait for your pipeline to complete.

  12. Once the pipeline completes, in the left sidebar navigate to Secure > Vulnerability Report.

    You will see a single finding, “Uncontrolled resource consumption…”, a Slowloris-style denial of service. The scanner reports it because main.go starts the server with http.ListenAndServe, which sets no read, write or idle timeouts, so a client that trickles request headers can keep a connection open for as long as it likes.

  13. Select the vulnerability “Uncontrolled resource consumption…”.

    This opens the vulnerability overview page.

  14. At the top right of vulnerability overview, select the Explain or Resolve with AI dropdown.

  15. Select Explain with AI.

  16. Review the response generated by GitLab Duo to understand the vulnerability.

Task B. Resolve the Vulnerability (Optional)

  1. Apply the suggestion from GitLab Duo to your main.go file: replace the bare http.ListenAndServe call with an http.Server that has timeouts configured.

  2. It should look something like the following:

    package main
    
    import (
      "fmt"
      "log"
      "math/rand"
      "net/http"
      "time"
    )
    
    // randomGitlab writes one of a fixed set of words to the response.
    func randomGitlab(w http.ResponseWriter, r *http.Request) {
      words := []string{"git", "lab", "repo", "commit", "branch"}
      word := words[rand.Intn(len(words))]
    
      fmt.Fprint(w, word)
    }
    
    func main() {
      http.HandleFunc("/random", randomGitlab)
    
      // Create an HTTP server with timeout configurations so that a slow or
      // silent client cannot hold a connection open indefinitely.
      server := &http.Server{
        Addr:           ":8080",
        ReadTimeout:    10 * time.Second, // whole request, headers included
        WriteTimeout:   10 * time.Second, // time allowed to write the response
        MaxHeaderBytes: 1 << 20,          // 1 MB
      }
    
      // Start the server; ListenAndServe only returns on error.
      log.Fatal(server.ListenAndServe())
    }
    
    
  3. Input any Commit message, set the target branch to main, select Commit changes, then open Build > Pipelines and wait for the new pipeline to complete. Secure > Vulnerability Report should no longer list the finding. Note that http.Server also has ReadHeaderTimeout (bounds only the header phase) and IdleTimeout (bounds keep-alive connections between requests); both fall back to ReadTimeout when left at zero, so the configuration above covers them, but setting them explicitly documents the intent.
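To see what the timeouts actually change, the following added example (not part of the lab and not GitLab's or Duo's code) starts the lab's /random handler twice on loopback, once with no timeouts, as http.ListenAndServe does, and once with timeouts, then acts as a single Slowloris client against each: it sends a request line and part of a header, never the blank line that ends the headers, and watches whether the server hangs up. The timeout values, the port selection and the probe helper are illustrative choices, not a recommendation.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"time"
)

// newServer builds the lab's /random handler behind an http.Server.
// hardened=false reproduces http.ListenAndServe(":8080", nil): no deadlines
// at all. hardened=true sets the timeouts that make a half-sent request
// expire (illustrative values, not a recommendation).
func newServer(hardened bool) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/random", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "gitlab")
	})
	srv := &http.Server{Handler: mux}
	if hardened {
		srv.ReadHeaderTimeout = 500 * time.Millisecond // time allowed to finish the headers
		srv.ReadTimeout = 2 * time.Second              // time allowed for the whole request
		srv.WriteTimeout = 2 * time.Second             // time allowed to write the response
		srv.IdleTimeout = 5 * time.Second              // keep-alive connections with no request
		srv.MaxHeaderBytes = 1 << 20
	}
	return srv
}

// startServer serves srv on a loopback port chosen by the OS and returns the
// listener so the caller knows the address and can shut the server down.
func startServer(srv *http.Server) (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go srv.Serve(ln) // returns once ln is closed
	return ln, nil
}

// slowlorisProbe behaves like one Slowloris client: it sends the request line
// and the start of a header, never the "\r\n\r\n" that ends the headers, and
// then waits up to wait for the server to react. It reports true when the
// server closed the connection (EOF or reset) and false when the server was
// still holding the half-open request when the wait expired.
func slowlorisProbe(addr string, wait time.Duration) (closedByServer bool, err error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	partial := "GET /random HTTP/1.1\r\nHost: localhost\r\nX-Slowloris: " // headers never finished
	if _, err := conn.Write([]byte(partial)); err != nil {
		return false, err
	}
	if err := conn.SetReadDeadline(time.Now().Add(wait)); err != nil {
		return false, err
	}
	buf := make([]byte, 1)
	_, err = conn.Read(buf)
	if err == nil {
		return false, fmt.Errorf("server replied before the headers were complete")
	}
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // our own deadline fired: the server is still waiting
	}
	return true, nil // io.EOF or connection reset: the server gave up on us
}

func main() {
	for _, hardened := range []bool{false, true} {
		ln, err := startServer(newServer(hardened))
		if err != nil {
			log.Fatal(err)
		}
		closed, err := slowlorisProbe(ln.Addr().String(), 2*time.Second)
		ln.Close()
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("timeouts configured=%v  server closed half-open request=%v\n", hardened, closed)
	}
}
```

Against the server without timeouts the probe's own read deadline is what fires, so the half-open request is still parked in the server after two seconds; a real attack simply opens a few thousand such connections. Against the hardened server, ReadHeaderTimeout expires after half a second and Go closes the connection without writing a response, which is what the probe reports as closed.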

Lab Guide Complete

You have completed this lab exercise. You can view the other lab guides for this course.

Suggestions?

If you’d like to suggest changes to the lab, please submit them via merge request.

Last modified August 26, 2024: Updated GitLab Duo Class Lab Titles (1eaf19da)