GitLab with Git Fundamentals - Hands-On Lab: Static Application Security Testing (SAST)
Estimated time to complete: 30 minutes
Objectives
This lab uses SAST, an optional feature in CI/CD pipelines, to identify security vulnerabilities in your code. GitLab’s Vulnerability Report then shows any old or new vulnerabilities found with each pipeline run. You can learn more in the documentation.
Task A. Enable SAST in your CI Test
project
-
Navigate to your CI Test project.
-
Click on the
.gitlab-ci.yml
file and click Edit > Edit single file. -
Copy the following lines at the bottom of your
gitlab-ci.yml
file:include: - template: Jobs/SAST.gitlab-ci.yml
To learn more about integrating
SAST
scanning into your.gitlab-ci.yml
file, see the documentation. -
The current
.gitlab-ci.yml
file should look like this:stages: - build - test build1: stage: build script: - echo "Do your build here" test1: stage: test script: - echo "Do a test here" - echo "For example run a test suite" include: - template: Jobs/SAST.gitlab-ci.yml
The include lets you include external YAML files in your CI/CD configuration. You can split one long
.gitlab-ci.yml
file into multiple files to increase readability, or reduce duplication of the same configuration in multiple places. You can read more about the include keyword in the documentation. -
Enter an appropriate Commit message.
-
Set the Target Branch to
main
. -
Click the Commit changes button.
Task B. Add run.py
and review SAST scanning results
In this task, you’ll add a file with known vulnerabilities and see if SAST detects it.
-
Return to the Project overview page by clicking on the name of your project in the breadcrumbs section.
-
At the top of the project landing page, to the right of the branch dropdown, click (+) > This directory > New file.
-
For the File name field, type in
run.py
. -
Copy the content below into the file:
import subprocess in = input("Enter your server ip: ") subprocess.run(["ping", in]) print("Attempting to connect to the server") print("Application authentication was successful")
-
Add an appropriate Commit message.
-
Set the Target Branch to
main
. -
Click the Commit changes button.
-
In the left-hand navigation pane, click Build> Pipelines.
-
At the top of the row of the table of pipelines, click on the running (if it is still running) or passed (if the pipeline has been completed) status labels.
The SAST scan may take a few moments, so feel free to grab a cup of coffee while you wait.
-
When the pipeline finishes, in the left navigation pane, click on Secure > Vulnerability report.
-
Click any of the vulnerabilities and read about a potential security problem detected by SAST scanning in
run.py
. -
Feel free to edit the code to fix the issue raised (such as removing the
subprocess.run
command), and commit the changes. Does the vulnerability report still note the issue as present?
Lab Guide Complete
You have completed this lab exercise. You can view the other lab guides for this course.
Suggestions?
If you’d like to suggest changes to the lab, please submit them via merge request.
c3926308
)