GitLab Security Essentials - Hands-On Lab: Dependency and IaC Scanning
Estimated time to complete: 15 minutes
Task A. Add Dependencies and IaC
Our initial project has been built and we want to start on the deployment process. There are two areas to configure for the project: the dependencies of our application, and the infrastructure for the application deployment. Let's set these up in the project. To add dependencies to your Python project, complete the following steps.
- Navigate to your Security Labs project.
- Open the requirements.txt file and observe the dependencies in it:

  ```
  #
  # This file is autogenerated by pip-compile with Python 3.12
  # by the following command:
  #
  #    pip-compile --output-file=requirements.txt requirements.in
  #
  requests==2.27.1
  pyopenssl
  httplib2
  flask
  flask-restful
  twisted
  service_identity
  flask-cors
  flask-httpauth
  pytz
  ```

  Note that for pip, you are required to provide the pip-compile header.

For Infrastructure as Code, you will start by deploying an S3 bucket to your environment. To do this, you can set up Terraform files with infrastructure definitions:
- Navigate to your project.
- Select + > New file.
- In the Filename field, enter s3.tf.
- Add the following contents to the file (the two `false` settings are deliberate; they are what the IaC scan in Task C will flag):

  ```
  resource "aws_s3_bucket_public_access_block" "publicaccess" {
    bucket              = aws_s3_bucket.demobucket.id
    block_public_acls   = false
    block_public_policy = false
  }
  ```

- Select Commit changes, keep Commit to the current main branch selected, and select Commit changes.
Task B. Add dependency scanning
Now that you have dependencies added to your project, you want to ensure that they do not contain any known security vulnerabilities. To validate this, you can add Dependency Scanning to your project.
- Open your .gitlab-ci.yml file.
- Select Edit > Edit in pipeline editor.
- Add the following line to your include block:

  ```
  - component: ilt.gitlabtraining.cloud/components/dependency-scanning/main@main
  ```

- Write an appropriate commit message (for example, "Added Dependency scanning to pipeline"), ensure that you are committing to the main branch, and select Commit changes.

To view the progress of your new pipeline:
- In the left sidebar, select Build > Pipelines.
- Select your most recent pipeline. You should now see a job titled dependency-scanning.

Once this pipeline completes, you will be able to view the results of the security scan:
- In the left sidebar, select Secure > Vulnerability report.
- In the Vulnerability report, filter for the Dependency Scanning tool by clicking the search bar, selecting Report Type, and then selecting Dependency Scanning.
- Click each vulnerability to review the findings. In the results, you will see several vulnerabilities in our version of the requests library. Let's fix these issues in our requirements.txt file.
- When you select a vulnerability in the report, you will see a target version number that fixes the issue. The first vulnerability recommends an upgrade to version 2.32.4, the second recommends version 2.32.0 or above, and the third recommends version 2.31.0 or above. Because 2.32.4 satisfies all three recommendations, that single upgrade fixes all our vulnerabilities. To set this version, edit your existing requirements.txt file and update the requests line to:

  ```
  #
  # This file is autogenerated by pip-compile with Python 3.12
  # by the following command:
  #
  #    pip-compile --output-file=requirements.txt requirements.in
  #
  requests==2.32.4
  ...
  ```

- Commit these changes and verify that the vulnerability is no longer detected.
- In addition to scanning for vulnerabilities, dependency scanning also produces a list of the dependencies in your project. To view it, in the left sidebar, select Secure > Dependency list.
- Review the components and versions listed. Note that the license of each dependency is also listed here.
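As an added example that is not part of the lab (and independent of GitLab's report format), the following Python script applies the reasoning above: it parses requirements.txt, takes the highest of the recommended fix versions for each package, and reports any pin that still falls short. The requirements text and the findings list are constructed samples for this example.

```python
import re

# Constructed sample of the lab's requirements.txt (shortened; not the full file).
REQUIREMENTS_TXT = """\
#
# This file is autogenerated by pip-compile with Python 3.12
requests==2.27.1
pyopenssl
flask-restful
"""

# Constructed sample of the three findings' remediation advice. The dict keys are
# our own labels for this example, not fields of GitLab's report format.
FINDINGS = [
    {"package": "requests", "fix_version": "2.32.4"},
    {"package": "requests", "fix_version": "2.32.0"},  # "2.32.0 or above"
    {"package": "requests", "fix_version": "2.31.0"},  # "2.31.0 or above"
]

def parse_version(text):
    """Turn '2.32.4' into (2, 32, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text):
    """Map each requirement name to its '==' pin, or None when the line is unpinned."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.\-]+)\s*(?:==\s*([0-9][0-9.]*))?$", line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins

def minimum_safe_versions(findings):
    """Lowest version per package that satisfies every finding: the highest fix version."""
    required = {}
    for finding in findings:
        name, fix = finding["package"].lower(), finding["fix_version"]
        if name not in required or parse_version(fix) > parse_version(required[name]):
            required[name] = fix
    return required

def check(requirements_text, findings):
    """Return (package, pinned, required) for pins below the required version or missing."""
    pins = parse_requirements(requirements_text)
    problems = []
    for name, required in minimum_safe_versions(findings).items():
        pinned = pins.get(name)  # None also covers an unpinned or absent requirement
        if pinned is None or parse_version(pinned) < parse_version(required):
            problems.append((name, pinned, required))
    return problems
```

Running `check(REQUIREMENTS_TXT, FINDINGS)` on the sample reports the 2.27.1 pin against the required 2.32.4; after the upgrade described above the list is empty.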
Task C. Add IaC scanning
To add infrastructure as code scanning to your project:
- Open your .gitlab-ci.yml file.
- Select Edit > Edit in pipeline editor.
- In the include section, add the following component:

  ```
  - component: ilt.gitlabtraining.cloud/components/sast/iac-sast@main
  ```

- Select Commit changes.
- Observe the resulting pipeline and note that there is now a kics-iac-sast job.
- Wait for the pipeline to complete.
- Navigate to Secure > Vulnerability report.
- Review the results of your IaC scan. You can filter by selecting the Scanner dropdown in the Search or filter vulnerabilities… bar and selecting kics. These results are labeled with the SAST report type.
Lab Guide Complete
You have completed this lab exercise. You can view the other lab guides for this course.
Suggestions?
If you wish to make a change to the lab, please submit your changes via Merge Request.