DevSecOps with Gitlab | Part - 2 | Implementing Pipeline

Madhavan M
3 min read · Jan 1, 2021

Continuing with the DevSecOps implementation, in this post we will create the pipeline for a sample PHP application. Please read Part 1 to get familiar with creating the pipeline.

The first step is to plan which tools/jobs we are going to implement for this application. For this sample PHP application we will include the following in our pipeline:

Software component analysis (SCA)
SAST (Static Application Security Testing)
DAST (Dynamic Application Security Testing)
IAST (Interactive Application Security Testing)
Compliance as code (if required)
Infra as code (if required)
Vulnerability management

By the end of this blog post, I'll have covered the implementation of most of the mentioned types with GitLab.

Read more about SAST/DAST in my other blog post.

In this blog post, I am going to concentrate on two things: SAST and SCA/secret scanning. I am going to show you how to create a pipeline for a simple PHP application.

To run a simple SAST on a PHP application, there are plenty of tools available, at different levels of depth, both paid and free of cost.

I am going to use one of the well-known SAST tools for PHP that I found on GitHub, Graudit, and for secret scanning we are using trufflehog.

Graudit is a simple script plus a set of signature files that lets you find potential security flaws in source code using the GNU utility grep. Graudit comes with its own database of keyword signatures for searching for vulnerabilities in various languages, including PHP, ASP, Python, etc.

So the pipeline is going to look like the diagram below.

I include a build stage just to exemplify some developer actions.

So the pipeline code for the SAST (graudit) job will look like the following.

graudit:
  tags:
    - your_tag
  stage: SAST
  script:
    - graudit -d /your/path/graudit/signatures/php.db ./

Trufflehog searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets that were accidentally committed.

trufflehog:
  tags:
    - your_tag
  stage: secret-scanning
  script:
    - trufflehog . --json | tee secret.json

The trufflehog command will both print the output to the console and save it in JSON format (through tee), whereas for graudit we are just printing the output to the console.
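One practical caveat with the job above: because trufflehog's output is piped into tee, the job's exit status is tee's, so the job passes whether or not secrets were found (unless the runner's shell is configured with pipefail). The saved JSON is only useful if something reads it. Below is an added example, not part of the original post and not trufflehog's own code, of a small gate script that parses the JSON-lines file, drops allowlisted paths (for example test fixtures) and returns a non-zero status when actionable findings remain. The field names (path, commitHash, reason, stringsFound) are assumed from trufflehog's JSON output and may differ between versions; the two sample records are constructed, and the script name gate_secrets.py is hypothetical.

```python
import json
import sys
from typing import Iterable, List

# Constructed sample of trufflehog JSON-lines output (one JSON object per
# line). The field names are assumed from the tool's output format; check
# them against the version installed on your runner.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"branch": "main",
                "commitHash": "0000000000000000000000000000000000000001",
                "path": "config/db.php", "reason": "High Entropy",
                "stringsFound": ["deadbeefdeadbeefdeadbeefdeadbeef"]}),
    json.dumps({"branch": "main",
                "commitHash": "0000000000000000000000000000000000000002",
                "path": "tests/fixtures/sample.txt", "reason": "High Entropy",
                "stringsFound": ["cafebabecafebabecafebabecafebabe"]}),
    "",  # trailing blank line, as tee leaves in the file
])


def parse_findings(text: str) -> List[dict]:
    """Parse JSON-lines output, skipping blank lines and any non-JSON noise
    (progress text or banners) that may have ended up in the same file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings


def gate(text: str, allowlist_paths: Iterable[str] = ()) -> int:
    """Return 0 when no actionable finding remains, otherwise 1.

    Paths in allowlist_paths (e.g. known fixture files) are excluded so the
    allowlist is explicit in the pipeline rather than silently ignored."""
    allow = set(allowlist_paths)
    actionable = [f for f in parse_findings(text) if f.get("path") not in allow]
    for f in actionable:
        commit = str(f.get("commitHash", ""))[:8]
        count = len(f.get("stringsFound", []))
        print(f"{f.get('path')} @ {commit}: {f.get('reason')} ({count} string(s))")
    return 1 if actionable else 0


if __name__ == "__main__":
    # usage: gate_secrets.py secret.json [allowlisted/path ...]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    sys.exit(gate(data, allowlist_paths=sys.argv[2:]))
```

In the job, add a second script line after the tee, such as python3 gate_secrets.py secret.json tests/fixtures/sample.txt, so a real finding turns the job red while a documented fixture does not. Keeping secret.json as a job artifact is also worth doing, since the file is the evidence a reviewer will want when the gate fails.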

So, up to now the .gitlab-ci.yml file should contain the following:

stages:
  - build            # build stage
  - secret-scanning  # SCA / secret-scanning stage
  - SAST             # test stage

build:
  tags:
    - your_tag
  stage: build
  script:
    - echo "build stage goes here"

trufflehog:
  tags:
    - your_tag
  stage: secret-scanning
  script:
    - trufflehog . --json | tee secret.json

graudit:
  tags:
    - your_tag
  stage: SAST
  script:
    - graudit -d /your/path/graudit/signatures/php.db ./

Once you commit the .gitlab-ci.yml file, the following will be the output, which can be seen under GitLab Jobs.

You can always play with the settings of the individual tools to perform specific tasks as required.

In this post, we saw how to incorporate SAST and secret scanning tools in a GitLab pipeline. In Part 3 we will develop this pipeline further with more tools.

Comment down your thoughts,

Thanks for reading.
