
GitLab CI/CD Integration

Set up Invicti AppSec with GitLab CI/CD for automated security scanning.

GitLab

GitLab pipeline that runs SAST, SCA and CS scans and imports an SBOM

1. Staging
Declares each pipeline stage used by the jobs below.
2. Image
The pipeline runs on the Ubuntu image.
3. Pre Scan Jobs
Installs the Kondukto CLI with a curl command and exports the KONDUKTO_HOST and KONDUKTO_TOKEN environment variables.
4. Create New Project
Creates a new project from $CI_PROJECT_ID and adds it to a product and a team.
5. SAST Scan
Runs a SAST scan with the Kondukto CLI using the Checkmarx scanner. Parameters used in the scan command: the project name from the GitLab CI/CD environment variable $CI_PROJECT_NAME, and the branch or tag name of the current commit, $CI_COMMIT_REF_NAME.
6. SCA Scan
Runs an SCA scan with the Kondukto CLI using the DependencyCheck scanner. Parameters used in the scan command: the project name from the GitLab CI/CD environment variable $CI_PROJECT_NAME, and the branch or tag name of the current commit, $CI_COMMIT_REF_NAME. The --async option is added so the scan runs in the background and the job does not wait for it to finish.
7. SBOM Import
Imports a Software Bill of Materials (SBOM) file named cyclonedx.json via the Kondukto CLI.
8. CS Scan
Runs a Container Security (CS) scan with the Kondukto CLI using the Trivy scanner against the image given with --image. Parameters used in the scan command: the project name from the GitLab CI/CD environment variable $CI_PROJECT_NAME, and the branch or tag name of the current commit, $CI_COMMIT_REF_NAME. The --async option is added so the scan runs in the background and the job does not wait for it to finish.
```yaml
# Single stage; every job below runs in it.
stages:
  - test

# All jobs run on a plain Ubuntu image.
image: ubuntu

# Runs before every job: install the Kondukto CLI (kdt) and expose the
# Kondukto host and API token supplied as GitLab CI/CD variables.
before_script:
  - curl -sSL https://cli.kondukto.io | sh
  - export KONDUKTO_HOST=$KONDUKTO_HOST
  - export KONDUKTO_TOKEN=$KONDUKTO_TOKEN

# Create the Kondukto project for this repository and attach it to a
# product ("VulnerableApplications") and a team ("Presentation").
Create Project:
  stage: test
  script:
    - kdt create project --repo-id $CI_PROJECT_ID -P "VulnerableApplications" -t "Presentation" --exit-code 0

# SAST scan with Checkmarx on the current branch/tag.
SAST Test:
  stage: test
  script:
    - echo "SAST via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t checkmarx -b $CI_COMMIT_REF_NAME

# SCA scan with DependencyCheck, started in the background (--async).
SCA Test:
  stage: test
  script:
    - echo "SCA via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t dependencycheck -b $CI_COMMIT_REF_NAME --async

# Import the CycloneDX SBOM produced for this project.
SBOM Import:
  stage: test
  script:
    - echo "Import SBOM file"
    - kdt sbom import -f cyclonedx.json -p $CI_PROJECT_NAME

# Container Security scan of the named image with Trivy, started in the background.
CS Test:
  stage: test
  script:
    - echo "CS via Kondukto"
    - kdt scan -p $CI_PROJECT_NAME -t trivy --image=ubuntu:latest -b $CI_COMMIT_REF_NAME --async
```
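The jobs above assume that KONDUKTO_HOST, KONDUKTO_TOKEN and the GitLab-provided variables are present and that cyclonedx.json exists before the import step runs. The following pre-flight script is an added example, not part of the Kondukto or Invicti documentation, that a pipeline can run ahead of the kdt commands so a misconfigured job fails early with a clear message instead of a CLI error; it assumes the token is supplied as a GitLab CI/CD variable and that the SBOM is CycloneDX JSON as the page states.

```shell
#!/bin/sh
# Added example (not from the Kondukto/Invicti docs): pre-flight checks for the
# pipeline above. Call preflight in before_script, or at the top of each job,
# before invoking kdt.

# require_env NAME: fail if the named variable is unset or empty.
require_env() {
  eval "val=\${$1:-}"
  if [ -z "$val" ]; then
    echo "missing required variable: $1" >&2
    return 1
  fi
  return 0
}

# check_sbom FILE: verify the SBOM file exists, is non-empty and declares
# the CycloneDX format, which is what the import step expects.
check_sbom() {
  f="$1"
  [ -s "$f" ] || { echo "SBOM file not found or empty: $f" >&2; return 1; }
  grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f" || {
    echo "SBOM file is not CycloneDX JSON: $f" >&2; return 1; }
  return 0
}

# preflight [SBOM_FILE]: every check the jobs above depend on.
# Defaults to cyclonedx.json, the file name used in the SBOM Import job.
preflight() {
  require_env KONDUKTO_HOST || return 1
  require_env KONDUKTO_TOKEN || return 1
  require_env CI_PROJECT_NAME || return 1
  require_env CI_COMMIT_REF_NAME || return 1
  check_sbom "${1:-cyclonedx.json}" || return 1
  return 0
}
```

The variable check deliberately treats an empty value the same as an unset one, since an empty KONDUKTO_TOKEN would otherwise only surface as an authentication failure from the CLI several jobs later.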
