This repository contains a basic template implementing Application Security pipeline on GitLab.
Add the following lines of code in your existing DevOps pipeline configuration .gitlab-ci.yml at project root.
appsec-pipeline:
stage: devsecops
variables:
DAST_TEST_URL: "http://abc.xyz.com"
only:
- merge_requests
trigger:
strategy: depend
forward:
pipeline_variables: true
yaml_variables: true
include:
- project: infra/appsec-pipeline
ref: main
file: /security.ymlMake sure to add the devsecops stage along side with others
stages:
- build_abc
- deploy_xzy
- test_123
...
- devsecopsYou can also enable or disable scans using variables
variables:
DAST_TEST_URL: "http://abc.xyz.com"
APPSEC_PIPELINE_SAST: "false"
APPSEC_PIPELINE_DAST: "true"Create new branch on your project, do some work there. After finishing open the merge request it will run the AppSec pipeline. If you are using containers in your project make sure that your build stages push the images to GitLab's container registry for scanning. You can also do that by mofiying this template to include a container build stage tag it like :devsecops-build
The template for Nuclei scan can be copied at the root of the project directory. By default it is for Owasp Juice Shop project for scanning SQLInjection at login page to perform auth bypass for admin user.
Reports can be downloaded from uploaded artifacts.
That's it. This is simple straight forward modular AppSec pipeline template for GitLab which can be expanded into many ways to suit your orgainzation's or project needs.