
GitLab

Note: This tutorial mirrors the one in our GitHub Actions tutorial, but is geared towards GitLab CI/CD and GitLab Security Alerts.

In this tutorial, you’ll learn how to:

  1. Integrate NightVision DAST scans into your CI/CD pipelines to automatically find exploitable vulnerabilities within minutes.
  2. Use NightVision’s API Extraction to scan the source code and trace each attack vector to the file, down to the line of code.
  3. Upload any vulnerabilities discovered with NightVision to GitLab’s vulnerability report.

To run a NightVision scan from GitLab, you must set the NIGHTVISION_TOKEN environment variable in the CI/CD settings for your repository. You can do this through the UI under your repository’s CI/CD variables, as described in the GitLab documentation; mark the variable as masked so the token is not echoed in job logs.

An example pipeline configuration (.gitlab-ci.yml) is below:

stages:
  - sast_scan
  - dast_scan
  - convert_sarif_to_gitlab

variables:
  NIGHTVISION_TARGET: javaspringvulny-api-gitlab
  NIGHTVISION_AUTH: javaspringvulny-api-gitlab
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
  FF_NETWORK_PER_BUILD: "true" # activate container-to-container networking

services:
  - docker:dind

sast_scan:
  stage: sast_scan
  image: ubuntu:latest
  services:
    - docker:dind
  before_script:
    - apt-get update && apt-get install -y wget python3-venv python3-docker python3-pip python3 docker-compose curl gcc musl-dev libffi-dev
    - python3 -m venv venv
    - source venv/bin/activate
    - pip3 install requests urllib3
    - wget -c https://downloads.nightvision.net/binaries/latest/nightvision_latest_linux_amd64.tar.gz -O - | tar -xz
    - mv nightvision /usr/local/bin/
  script:
    # Extract API documentation from code
    - nightvision swagger extract . -t ${NIGHTVISION_TARGET} --lang java || true
    # Fall back to the checked-in spec if extraction produced nothing
    - if [ ! -e openapi-spec.yml ]; then cp backup-openapi-spec.yml openapi-spec.yml; fi
  artifacts:
    paths:
      - openapi-spec.yml
    expire_in: 30 days

dast_scan:
  stage: dast_scan
  image: ubuntu:latest
  services:
    - docker:dind
  before_script:
    - apt-get update && apt-get install -y wget python3-venv python3-docker python3-pip python3 docker-compose curl gcc musl-dev libffi-dev
    - python3 -m venv venv
    - source venv/bin/activate
    - pip3 install requests urllib3
    - wget -c https://downloads.nightvision.net/binaries/latest/nightvision_latest_linux_amd64.tar.gz -O - | tar -xz
    - mv nightvision /usr/local/bin/
  script:
    # Start the app
    - docker-compose up -d
    - sleep 15
    # Scan the API
    - nightvision scan ${NIGHTVISION_TARGET} --auth ${NIGHTVISION_AUTH} > scan-results.txt
    - nightvision export sarif -s "$(head -n 1 scan-results.txt)" --swagger-file openapi-spec.yml
    # Collect container logs for troubleshooting
    - for pod in $(docker ps -q); do docker logs "$pod" >> test.pod.logs 2>&1; done
  artifacts:
    paths:
      - test.pod.logs
      - results.sarif
    expire_in: 30 days
  dependencies:
    - sast_scan

convert_sarif_to_gitlab:
  stage: convert_sarif_to_gitlab
  image: python:3.9
  script:
    - python3 convert_sarif_to_gitlab.py
  artifacts:
    reports:
      sast: gitlab_security_report.json
  dependencies:
    - dast_scan
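The convert_sarif_to_gitlab stage runs a convert_sarif_to_gitlab.py script that this page does not show. The script below is an added example written for this page, not the script from the demo repository: it reads the results.sarif artifact produced by the dast_scan job and writes gitlab_security_report.json in the layout GitLab consumes through artifacts:reports:sast. The report schema fields used (the 15.0.4 layout with its scan block), the SARIF-level-to-severity mapping, and the constructed SAMPLE_SARIF that stands in when no results.sarif exists are all assumptions made here rather than anything the page states.

```python
# Added example (not the demo repository's convert_sarif_to_gitlab.py):
# convert a SARIF 2.1.0 document into GitLab's SAST report JSON.
# Assumptions: GitLab report layout 15.0.4, the severity mapping below,
# and the constructed SAMPLE_SARIF used when results.sarif is absent.
import hashlib
import json
import os
from datetime import datetime, timezone

SARIF_IN = "results.sarif"                  # artifact from the dast_scan job
REPORT_OUT = "gitlab_security_report.json"  # consumed by artifacts.reports.sast

# SARIF levels have no "Critical"; a rule's CVSS-style "security-severity"
# property is preferred when present so critical findings survive conversion.
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}

# Constructed sample input (not real scanner output) so the script runs offline.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "ExampleDAST",
            "version": "0.0.0",
            "rules": [{
                "id": "sqli-001",
                "shortDescription": {"text": "SQL Injection"},
                "properties": {"security-severity": "9.8"},
            }],
        }},
        "results": [{
            "ruleId": "sqli-001",
            "level": "error",
            "message": {"text": "Parameter 'name' is concatenated into a SQL query."},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/main/java/example/UserController.java"},
                "region": {"startLine": 42, "endLine": 42},
            }}],
        }],
    }],
}


def severity_from_score(score):
    """Map a CVSS-style 0-10 score to a GitLab severity label."""
    score = float(score)
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def sarif_to_gitlab(sarif):
    """Build a dict in GitLab's SAST report layout from a parsed SARIF document."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    vulns = []
    tool = {"id": "unknown", "name": "unknown", "version": "0", "vendor": {"name": "unknown"}}
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        name = driver.get("name", "unknown")
        tool = {"id": name.lower().replace(" ", "-"), "name": name,
                "version": driver.get("version", "0"), "vendor": {"name": name}}
        rules = {r.get("id"): r for r in driver.get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "unknown-rule")
            rule = rules.get(rule_id, {})
            score = rule.get("properties", {}).get("security-severity")
            severity = (severity_from_score(score) if score is not None
                        else LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "Unknown"))
            phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            path = phys.get("artifactLocation", {}).get("uri", "")
            region = phys.get("region", {})
            start = region.get("startLine", 1)
            title = rule.get("shortDescription", {}).get("text") or rule_id
            # Deterministic id: the same finding gets the same id on every run.
            fingerprint = hashlib.sha256(f"{rule_id}:{path}:{start}".encode()).hexdigest()
            vulns.append({
                "id": fingerprint,
                "category": "sast",
                "name": title,
                "description": result.get("message", {}).get("text", title),
                "severity": severity,
                "scanner": {"id": tool["id"], "name": tool["name"]},
                "location": {"file": path, "start_line": start,
                             "end_line": region.get("endLine", start)},
                "identifiers": [{"type": tool["id"] + "_rule_id", "name": rule_id, "value": rule_id}],
            })
    return {
        "version": "15.0.4",
        "vulnerabilities": vulns,
        "scan": {"analyzer": tool, "scanner": tool, "type": "sast",
                 "start_time": now, "end_time": now, "status": "success"},
    }


def convert_file(src=SARIF_IN, dst=REPORT_OUT):
    """Read SARIF from src (falling back to SAMPLE_SARIF) and write the report to dst."""
    if os.path.exists(src):
        with open(src, encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    report = sarif_to_gitlab(sarif)
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    return len(report["vulnerabilities"])


if __name__ == "__main__":
    print(f"wrote {convert_file()} finding(s) to {REPORT_OUT}")
```

The id is derived from rule, file and line rather than generated randomly so that the same finding carries the same id across pipeline runs; whether your GitLab version tracks findings by id or by the identifiers plus location is worth confirming against the report schema version you target, since a mismatch shows up as duplicate alerts in the vulnerability report.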

The GitLab vulnerability report displays DAST results and links back to the file and line of code.

Let’s install GitLab’s CLI to make things easier. Per the GitLab CLI docs, Homebrew is the officially supported installation method for macOS, Linux, and Windows (via WSL). Run these commands to install the GitLab CLI and authenticate:

brew install glab
glab auth login

Before we get started, you’ll need to mirror the example repository to GitLab.

Open your terminal and run this command:

curl -O https://raw.githubusercontent.com/nvsecurity/nv-public-reference/main/demo-scripts/gitlab-demo.sh && \
chmod +x gitlab-demo.sh
# Set GROUP to the GitLab group that has a GitLab Ultimate plan (or trial)
# Set REPO to the name of the repository you want to create
export GROUP=GroupOrProject
export REPO=myRepo
./gitlab-demo.sh $GROUP $REPO

Now open your GitLab repository in the browser.

The scan will be complete in about 6-7 minutes.

  • Optionally, you can click on the GitLab Pipeline execution to watch it run, as indicated here:

How to view the GitLab pipeline execution.

  • When the scan finishes, click on the Security tab.

Security Alerts are displayed.

  • You will see three critical alerts: (1) SQL Injection, (2) Cross-Site Scripting, and (3) Spring4Shell. Click on one of them.
  • When you select one of the vulnerabilities, you can see the exact line of code where the vulnerable endpoint was defined. Click on the provided link.

The vulnerable endpoint discovered by NightVision is flagged in the GitLab Vulnerability report.

  • Clicking the link brings you to the line of code where the endpoint was declared.

The line of code where the vulnerable endpoint was declared.

  • You can also leverage the power of GitLab Duo Chat on an issue to get detailed ✨AI-powered✨ remediation guidance.

GitLab Duo provides AI-powered remediation guidance.