GitLab Security Essentials - Hands-On Lab: Enable and Scan Using a Scan Execution Policy

This Hands-On Guide walks you through enabling and using a Scan Execution Policy in a GitLab project.

Estimated time to complete: 15 minutes

Objectives

Compliance scans allow you to control merge requests and security scans in your instances, groups, and projects. This lab will demonstrate how to enable security and merge request policies at a group level.

Task A. Setting up a Security Policy

  1. Navigate to your group.

  2. In the left sidebar, select Secure > Policies.

  3. Select New policy.

  4. Under Security execution policy, select Select policy.

  5. For the Name, enter Group security policy.

  6. Ensure the Policy status is set to Enabled.

  7. For Policy Scope, apply to all projects in this group without exceptions.

  8. Under Actions, set the scan to run a SAST scan. Ensure that Runner Tags is set to selected automatically and Security job template is set to default.

  9. Under Conditions, select Triggers. Have the policy run for all branches with No exceptions.

  10. Select Configure with a merge request.

  11. Select Merge to complete your configuration.

Task B. Security Policy Scans in Action

  1. Navigate to your group.

  2. Select New project.

  3. Select Create blank project.

  4. In the Project name field input Security Compliance Testing.

  5. Leave all other options as default and select Create project.

  6. In the project repository, select + > New file.

  7. In the Filename, input main.py.

  8. Add the following code to the file:

    print("Testing scanners!")

  9. Select Commit changes.

  10. In the left sidebar, select Build > Pipelines.

  11. Select the pipeline that was created from your commit.

  12. Review the jobs in the pipeline. Notice how a SAST scan is run on this commit even though no .gitlab-ci.yml configuraiton exists.

Now, the projects in your group will always have security scans, even if they aren’t defined in the .gitlab-ci.yml file yet.

Task C. Merge Request Policies

With security scans in place, it would be ideal to be able to block merge requests that contain security vulnerabilities. In this section, you will create a merge request policy to achieve this goal.

  1. Navigate to your group.

  2. In the left sidebar, select Secure > Policies.

  3. Select New policy.

  4. Under Merge request approval policy, select Select policy.

  5. In Name, enter the value Merge Request Security.

  6. Under Policy status, ensure Enabled is selected.

  7. For Policy Scope, apply the policy to all projects in this group, without exceptions.

  8. Under Rules, set the scan type to Security Scan.

  9. For the scanner, select All scanners.

  10. Run the scan against all default branches.

  11. Specify that the scan has No exceptions and finds Any vulnerabilites.

  12. Set the severity level to All severity levels.

  13. Set the status to New and All vulnerability states.

  14. Under Actions, require 1 approval from the Owner role.

  15. In Override project approval settings, make sure to uncheck the option Prevent approval by merge request’s author and Prevent approval by commit author.

    We are only setting these options to off because we have one account in our group. For production environments, this is often toggled on.

  16. Leave all other options as default and select Configure with a merge request.

  17. Select Merge.

Task D. Merge Request Policies in Action

  1. Return to your group.

  2. Select your Security Compliance Testing project.

  3. In the left sidebar, select Code > Branches.

  4. Select New branch.

  5. Name the branch test_policy, then select Create branch.

  6. Select Create merge request.

  7. Uncheck Mark as draft, then select Create merge request.

  8. Select Code > Open in Web IDE.

  9. Open your main.py file and add the following code to it:

    
in = input("Enter your server ip: ")
subprocess.run(["ping", in])

print("Attempting to connect to the server")
print("Application authentication was successful")

  10. Select the branch icon, then select Commit and push to 'test_branch'.

  11. Return to your MR.

  12. Allow you pipeline to complete. Once it completes, take note of the comment stating This merge request has policy violations and errors.

  13. To resolve these issues, select Code > Open in Web IDE.

  14. Open your main.py file and edit your main.py code to the following:

    print("Attempting to connect to the server")
print("Application authentication was successful")

  15. Select the branch icon, then select Commit and push to 'test_branch'.

  16. Return to your MR.

  17. Allow your pipeline to complete. Once complete, take note of the comment stating Security policy violations have been resolved.

Last modified December 6, 2024: Merge branch 'compliance-security-labs' into 'main' (7798508a)
View page source - Edit this page - please contribute. Creative Commons License