Objective
This article shows you how to create a stage within a GitLab pipeline which acts as a security gate, based on results issued by Contrast.
Process
Here is a classic example of the stage you may want to use:
securityGate:
  image: ghcr.io/contrast-security-oss/integration-verify:latest
  stage: security_gate
  variables:
    API_KEY: $API_KEY
    ORG_ID: $ORG_ID
    API_URL: $URL
    AUTH_HEADER: $AUTH
    APP_NAME: $CI_PROJECT_NAME
    BUILD_NUMBER: $CI_COMMIT_SHORT_SHA # remove if no tests run in the pipeline
    FAIL_THRESHOLD: 0
    SEVERITIES: CRITICAL,HIGH
  script:
    - /usr/bin/env python3 /verify.py
  allow_failure: true
You will need to set up the variables in the CI/CD configuration within GitLab. To do this, go to Settings > CI/CD > expand Variables and add the following variables:
- API_KEY
- ORG_ID
- URL
- AUTH
These values can be found in the User Settings tab within the Contrast UI.
FAIL_THRESHOLD and SEVERITIES are variables that let you fine-tune which vulnerabilities cause the stage to fail. FAIL_THRESHOLD is the minimum number of vulnerabilities allowed before blocking; SEVERITIES lists the severities of vulnerabilities to look for.
BUILD_NUMBER is set automatically from GitLab's $CI_COMMIT_SHORT_SHA and lets you filter the results so that only vulnerabilities detected during the automated tests run in this pipeline execution are checked. Be careful to also set this build number in your agent configuration.
The line allow_failure: true lets you define whether to break the build if the thresholds set are exceeded. With this option set to true, the step will be marked as a warning but the pipeline will continue.
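To make the gate's decision rule concrete, here is an added illustration (not the verify.py shipped in the integration-verify image, and not Contrast's API) of how SEVERITIES, FAIL_THRESHOLD and BUILD_NUMBER combine. The vulnerability records and their field names are constructed for the example; a real run would fetch them from Contrast using API_KEY, ORG_ID, API_URL and AUTH_HEADER.

```python
import os
import sys

# Constructed sample records standing in for vulnerabilities reported by
# Contrast; the field names are hypothetical, not Contrast's API schema.
SAMPLE_TRACES = [
    {"uuid": "trace-1", "severity": "CRITICAL", "build": "abc1234"},
    {"uuid": "trace-2", "severity": "HIGH", "build": "abc1234"},
    {"uuid": "trace-3", "severity": "HIGH", "build": "9f9f9f9"},
    {"uuid": "trace-4", "severity": "MEDIUM", "build": "abc1234"},
]


def gate_fails(traces, severities, fail_threshold, build_number=None):
    """Apply the gate rule and return (fails, matching_traces).

    severities     -- comma-separated list as in the SEVERITIES variable
    fail_threshold -- number of matching vulnerabilities tolerated
    build_number   -- if set, only traces from this build are counted,
                      mirroring the BUILD_NUMBER filter in the stage
    """
    wanted = {s.strip().upper() for s in severities.split(",") if s.strip()}
    matching = [
        t for t in traces
        if t["severity"].upper() in wanted
        and (build_number is None or t["build"] == build_number)
    ]
    return len(matching) > fail_threshold, matching


def main():
    # Read the same variables the GitLab stage passes to the container.
    severities = os.environ.get("SEVERITIES", "CRITICAL,HIGH")
    threshold = int(os.environ.get("FAIL_THRESHOLD", "0"))
    build = os.environ.get("BUILD_NUMBER") or None  # unset -> no build filter
    fails, found = gate_fails(SAMPLE_TRACES, severities, threshold, build)
    for t in found:
        print(f"{t['severity']:<8} {t['uuid']} (build {t['build']})")
    print(f"{len(found)} matching vulnerabilities, threshold {threshold}")
    if fails:
        # A non-zero exit fails the job; with allow_failure: true GitLab
        # shows it as a warning, with allow_failure: false it blocks.
        sys.exit(1)


if __name__ == "__main__":
    main()
```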
A full pipeline example can be found at: https://gitlab.com/svevia/contrast-securitygate