GitLab Security Essentials - Hands-On Lab: Addressing Vulnerabilities

This Hands-On Guide walks you through how to triage and respond vulnerabilities in your application

Estimated time to complete: 15 minutes

In the last lab, you introduced the SAST and Secret Detection scanners into your project. In this lab, we will explore methods to triage and resolve vulnerabilities.

Task A. Vulnerability Triage Process

  1. Navigate to your Security Labs project.

  2. In the left sidebar, select Secure > Vulnerability Report.

To start your triage process, it is recommended to sort your vulnerabilities by severity, focusing on vulnerabilities that have not yet been triaged.

  1. In the security report, select Severity to change the sort order. Ensure that the arrow is pointing down so that severity is sorted from highest to lowest.

  2. Select the top severity vulnerability, GitLab Personal Access Token.

  3. Review the vulnerability. You will see that the finding is valid, containing a GitLab API token.

  4. In the top right corner, set Status to Confirmed.

  5. Select Create issue.

  6. You will see that the issue automatically populates the vulnerability title and details. Review the issue details, then select Create issue.

  7. Return to Secure > Vulnerability Report.

  8. Select the next vulnerability: Improper neutralization of special elements used in a SQL command.

  9. Select the Code flow tab.

  10. Review the code flow to see how the vulnerability occurs. Set the Status to Confirmed.

  11. Select the Details tab.

  12. Select Create issue.

  13. Review the issue and select Create issue.

At this point, we’ve created two issues to address as security issues in our application. Let’s review the process for fixing these vulnerabilities.

Task B. Fixing Vulnerabilities

  1. Navigate to Plan > Issues.

  2. Select the issue titled GitLab Personal Access Token.

  3. Select the code location: main.py:5.

  4. Select Edit > Open in Web IDE.

  5. Select the main.py file.

  6. Delete the line of code:

    app.config['SECRET_KEY'] = 'glpat-Li5iWgSuUmDXNShPsozE'

    In a real scenario, you will also need to rotate this key. Deleting the line of code only removes it from the current code, but the secret may still be contained in the Git history and should be considered compromised.

  7. In the left sidebar, select the Source Control icon.

  8. Click Create a new branch and commit.

  9. Press Enter to take the default branch name.

  10. Select Create MR in the bottom right of the screen.

  11. Select Create merge request.

  12. Wait for the pipeline in the merge request to complete. Refresh the page once completed to view the Security Report.

  13. Review the findings. You should no longer see the GitLab Personal Token issue in the security list.

  14. Select Merge to merge the security updates.

  15. Try out solving the SQL injection vulnerability on your own!

Lab Guide Complete

You have completed this lab exercise. You can view the other lab guides for this course.

Suggestions?

If you’d like to suggest changes to the GitLab Security Essentials Hands-On Guide, please submit them via merge request.

Last modified May 1, 2025: Updating ILT Labs for Security Essentials (4959f353)
View page source - Edit this page - please contribute. Creative Commons License