GitLab Security Essentials - Hands-On Lab: Dependency and IaC Scanning

This Hands-On Guide walks you through the process of running dependency scans and IaC scans on your code.

Estimated time to complete: 15 minutes

Task A. Add dependencies and IaC

Our initial project has been built and we want to start on the deployment process. There are two areas we want to configure for our project. The first area is dependencies for our application. The second area is infrastructure for our application deployment. Let’s set these up in our project. To add dependencies to your Python project, complete the following steps.

  1. Navigate to your project.

  2. Open the requirements.txt file and observe the dependencies in it.

    #
    # This file is autogenerated by pip-compile with Python 3.12
    # by the following command:
    #
    #    pip-compile --output-file=requirements.txt requirements.in
    #
    requests==2.27.1
    

    Note that for pip, you are required to provide the pip-compile header.

For Infrastructure as Code, you will start by deploying an S3 bucket to your environment, defining it in a Terraform file. To create that file:

  1. Navigate to your project.

  2. Select + > New file.

  3. In the Filename, enter s3.tf.

  4. Add the following contents to the file:

    # The bucket that the public-access block below applies to (the provider generates its name).
    resource "aws_s3_bucket" "demobucket" {}

    resource "aws_s3_bucket_public_access_block" "publicaccess" {
        bucket = aws_s3_bucket.demobucket.id
        # Both left false on purpose so the IaC scan in Task C reports a finding.
        block_public_acls = false
        block_public_policy = false
    }
    
  5. Select Commit changes.

This project will also use Docker for deployments. To enable this, we will create a Dockerfile.

  1. Navigate to your project.

  2. Select + > New file.

  3. In the Filename, enter Dockerfile.

  4. Add the following contents to the file:

    FROM python:3.4-alpine
    ADD main.py .
    
  5. Select Commit changes.

Task B. Add dependency scanning

Now that you have dependencies added to your project, you want to ensure that the dependencies do not contain any security vulnerabilities. To validate this, you can add Dependency Scanning to your project.

  1. Open your .gitlab-ci.yml file.

  2. Select Edit > Edit in pipeline editor.

  3. Add the following line to your include block:

      - component: ilt.gitlabtraining.cloud/components/dependency-scanning/main@main
    
  4. Select Commit changes.

To view the progress of your new pipeline:

  1. In the left sidebar, select Build > Pipelines.

  2. Select your most recent pipeline. You should now see a job titled dependency-scanning.

Once this pipeline completes, you will be able to view the results of the security scan:

  1. In the left sidebar, select Secure > Vulnerability report.

  2. In the Vulnerability report, filter for the Dependency Scanning tool by clicking on the search bar, clicking Tool and then clicking GitLab SBoM Vulnerability Scanner.

  3. Click on each vulnerability to review the findings.

In the results, you will see various vulnerabilities in our version of the requests library. Let’s fix these issues in our requirements.txt file.

  1. When you select a vulnerability in the report, you will see a target version number to fix each issue. The first vulnerability recommends an upgrade to version 2.32.0 or above, the second vulnerability recommends an upgrade to version 2.31.0 or above.

  2. From this, we can determine that 2.32.0 will fix all our vulnerabilities. To set this version, edit your existing requirements.txt file. Update the requests pin to:

    #
    # This file is autogenerated by pip-compile with Python 3.12
    # by the following command:
    #
    #    pip-compile --output-file=requirements.txt requirements.in
    #
    requests==2.32.0
    
  3. Commit these changes and verify that the vulnerabilities are no longer detected.
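The version-selection step above (take the highest of the recommended fixed versions, then rewrite the pin) as a small added Python script, not part of the lab: the findings list and requirements file are constructed to match the lab, and the findings format is a simplified dict rather than GitLab's report schema.

```python
"""Resolve dependency-scanning findings into one requirements.txt pin."""
import re

# Constructed findings mirroring the lab's report: each gives the lowest
# version that fixes the issue ("upgrade to X or above"). A simplified
# dict, not GitLab's report schema.
FINDINGS = [
    {"package": "requests", "fixed_version": "2.32.0"},
    {"package": "requests", "fixed_version": "2.31.0"},
]

# Constructed requirements.txt; the header comment must survive the rewrite.
REQUIREMENTS = """\
# This file is autogenerated by pip-compile with Python 3.12
requests==2.27.1
"""

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<ver>[0-9][0-9.]*)\s*$")

def parse_version(v):
    """'2.32.0' -> (2, 32, 0): compare numerically so 2.10 > 2.9."""
    return tuple(int(p) for p in v.strip().split("."))

def upgrade_targets(findings):
    """Per package, the one version that clears every finding: the highest
    of the recommended fixed versions (2.32.0 for the lab's two findings)."""
    targets = {}
    for f in findings:
        pkg, fixed = f["package"].lower(), f["fixed_version"]
        if pkg not in targets or parse_version(fixed) > parse_version(targets[pkg]):
            targets[pkg] = fixed
    return targets

def bump_pins(requirements, targets):
    """Rewrite '==' pins below their target; comments and pins already
    at or above the target are left untouched."""
    out = []
    for line in requirements.splitlines():
        m = PIN_RE.match(line)
        if m and m.group("name").lower() in targets:
            target = targets[m.group("name").lower()]
            if parse_version(m.group("ver")) < parse_version(target):
                line = f"{m.group('name')}=={target}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(bump_pins(REQUIREMENTS, upgrade_targets(FINDINGS)), end="")
```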

In addition to scanning for vulnerabilities, dependency scanning also provides a list of dependencies for your project. To view this:

  1. In the left sidebar, select Secure > Dependency list.

  2. Review the components and versions listed. Note that the license for each dependency is also listed here.

Task C. Add IaC scanning

To add infrastructure as code scanning to your project:

  1. Open your .gitlab-ci.yml file.

  2. Select Edit > Edit in pipeline editor.

  3. In the include section, add the following template:

      - template: Jobs/SAST-IaC.gitlab-ci.yml

  4. Select Commit changes.

  5. Observe the resulting pipeline and note that there is now a kics-iac-sast job.

  6. Wait for the pipeline to complete.

  7. Navigate to Secure > Vulnerability report.

  8. Review the results of your IaC scan. These results will be labeled as the SAST tool. Some examples include Missing User Instructions and S3 bucket allows public policy.

Lab Guide Complete

You have completed this lab exercise. You can view the other lab guides for this course.

Suggestions?

If you’d like to suggest changes to the GitLab Security Essentials Hands-On Guide, please submit them via merge request.