This article shows you how to create a stage within a GitLab pipeline which acts as a security gate, based on results issued by Contrast.
Here is a classic example of the stage you may want to use:
  variables:
    BUILD_NUMBER: $CI_COMMIT_SHORT_SHA  # remove if no tests in pipeline
  script:
    - /usr/bin/env python3 /verify.py
You will need to set up the variables in the CI/CD configuration within GitLab. To do this, go to Settings > CI/CD, expand Variables and add the following variables:
The Contrast connection details and API credentials the script needs can be found in the User Settings tab within the Contrast UI.
FAIL_THRESHOLD and SEVERITIES let you fine-tune which vulnerabilities cause the stage to fail:
FAIL_THRESHOLD is the number of matching vulnerabilities tolerated before the stage blocks the pipeline,
SEVERITIES is the list of vulnerability severities to look for (Contrast uses Critical, High, Medium, Low and Note).
BUILD_NUMBER is taken from $CI_COMMIT_SHORT_SHA, which GitLab sets automatically, and lets you filter the results to only the vulnerabilities detected during the automated tests of this pipeline run. Be careful to also set this build number in your agent configuration: if the agent reports under a different build number, the filter matches nothing and the gate passes without having checked anything.
allow_failure lets you define whether to break the build when the thresholds set are exceeded. With allow_failure: true, the step is marked as a warning but the pipeline continues; with allow_failure: false (GitLab's default), the pipeline stops, which is what an enforcing gate needs.
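As an added example, and not the verify.py from the linked repository, here is a self-contained Python script implementing the gate logic described above. The connection variable names (CONTRAST_URL, CONTRAST_ORG_ID, CONTRAST_APP_ID, CONTRAST_USERNAME, CONTRAST_SERVICE_KEY, CONTRAST_API_KEY), the traces endpoint with its query parameters and auth headers, and the response field names are assumptions to check against the Contrast REST API documentation for your version; FAIL_THRESHOLD is interpreted as the number of matching vulnerabilities tolerated. When CONTRAST_URL is unset, the script does a dry run over a constructed sample response so it can be exercised offline.

```python
"""verify.py: Contrast security gate for a GitLab CI job (added example).
Exits non-zero when more than FAIL_THRESHOLD open vulnerabilities of the
SEVERITIES listed are found, optionally restricted to BUILD_NUMBER."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Contrast severity names, most severe first.
SEVERITY_NAMES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "NOTE")

# Constructed sample response for the offline dry run (no CONTRAST_URL set).
SAMPLE_TRACES = [
    {"severity": "Critical", "app_version_tags": ["abc1234"]},
    {"severity": "High", "app_version_tags": ["abc1234"]},
    {"severity": "High", "app_version_tags": ["deadbee"]},
    {"severity": "Medium", "app_version_tags": ["abc1234"]},
]


def parse_severities(value):
    """Turn a SEVERITIES value such as 'CRITICAL,HIGH' into a set of
    upper-case names, rejecting anything Contrast does not define."""
    wanted = {s.strip().upper() for s in value.split(",") if s.strip()}
    unknown = wanted - set(SEVERITY_NAMES)
    if unknown:
        raise ValueError("unknown severities: " + ", ".join(sorted(unknown)))
    return wanted


def count_blocking(traces, severities, build_number=None):
    """Count traces whose severity is in `severities` and, when build_number
    is given, that were seen in that build. The fields 'severity' and
    'app_version_tags' are assumptions about the response shape."""
    count = 0
    for trace in traces:
        if trace.get("severity", "").upper() not in severities:
            continue
        if build_number and build_number not in trace.get("app_version_tags", []):
            continue
        count += 1
    return count


def gate_decision(count, fail_threshold):
    """FAIL_THRESHOLD is read as the number of matching vulnerabilities
    tolerated: block when there are more than that (0 = block on any)."""
    return count > fail_threshold


def fetch_traces(base_url, org_id, app_id, username, service_key, api_key,
                 severities, build_number=None):
    """Query Contrast for the application's vulnerabilities. Endpoint path,
    query parameters and auth headers are assumptions; verify them against
    the REST API documentation of your Contrast version."""
    query = {"severities": ",".join(sorted(severities))}
    if build_number:
        query["appVersionTags"] = build_number
    url = "%s/api/ng/%s/traces/%s/filter?%s" % (
        base_url.rstrip("/"), org_id, app_id, urllib.parse.urlencode(query))
    auth = base64.b64encode(("%s:%s" % (username, service_key)).encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": auth, "API-Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("traces", [])


def main():
    env = os.environ
    severities = parse_severities(env.get("SEVERITIES", "CRITICAL,HIGH"))
    threshold = int(env.get("FAIL_THRESHOLD", "0"))
    build_number = env.get("BUILD_NUMBER") or None
    if "CONTRAST_URL" in env:
        # The connection variable names below are assumptions.
        traces = fetch_traces(
            env["CONTRAST_URL"], env["CONTRAST_ORG_ID"], env["CONTRAST_APP_ID"],
            env["CONTRAST_USERNAME"], env["CONTRAST_SERVICE_KEY"],
            env["CONTRAST_API_KEY"], severities, build_number)
    else:
        traces = SAMPLE_TRACES  # offline dry run on constructed data
    count = count_blocking(traces, severities, build_number)
    print("%d matching vulnerabilities (threshold %d, build %s)"
          % (count, threshold, build_number or "any"))
    if build_number and not traces:
        # A build filter that matches nothing passes vacuously; usually the
        # agent was not started with the same build number.
        print("warning: no traces tagged with build %s; check the agent's "
              "application.version setting" % build_number, file=sys.stderr)
    if gate_decision(count, threshold):
        print("security gate FAILED", file=sys.stderr)
        sys.exit(1)
    print("security gate passed")


if __name__ == "__main__":
    main()
```

Run it from the job's script with the CI/CD variables set; exit code 1 fails the job, and allow_failure decides whether that stops the pipeline. The warning on an empty build-filtered result is there because a gate that silently sees zero vulnerabilities when the agent reported under a different build number is the usual way such gates fail open.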
A full pipeline example can be found at: https://gitlab.com/svevia/contrast-securitygate