CI/CD Security
The goal of CI/CD security is to keep pipelines from becoming a way to compromise code, credentials, or build infrastructure. It covers vulnerability scanning, secret management, and secure runner configuration.
Vulnerability Scanning
Vulnerability scanning is the process of identifying security vulnerabilities in code and its dependencies. GitLab offers several tools and features for vulnerability scanning, including:
Dependency Scanning:
- Automatically scans dependencies for known vulnerabilities.
- Example:
image: docker:latest

stages:
  - test

test:
  stage: test
  script:
    # Placeholder job: it only prints messages. The real scanner is enabled by
    # including GitLab's Dependency Scanning template in the pipeline.
    - echo "Running Dependency Scanning"
    - echo "This will scan the dependencies of the project."
    - echo "You can configure this to be more detailed if you want."
SAST (Static Application Security Testing):
- Analyzes source code for potential vulnerabilities without running it.
- Example:
image: docker:latest

stages:
  - test

test:
  stage: test
  script:
    # Placeholder job: it only prints messages. The real analyzers are enabled
    # by including GitLab's SAST template in the pipeline.
    - echo "Running SAST"
    - echo "This will analyze the code for potential vulnerabilities."
DAST (Dynamic Application Security Testing):
- Tests a running application by sending it the kinds of requests an attacker would, so it finds issues that only appear at runtime.
- Example:
image: docker:latest

stages:
  - test

test:
  stage: test
  script:
    # Placeholder job: it only prints messages. The real scanner is enabled by
    # including GitLab's DAST template and pointing it at a deployed test
    # environment, never at production.
    - echo "Running DAST"
    - echo "This will test running applications by simulating real-world attacks."
Secret Management
Secret management involves securely storing and managing sensitive information such as API keys, passwords, and tokens used in CI/CD pipelines. GitLab provides several features for secret management:
Protected variables:
- Store sensitive information securely within GitLab.
- Can be accessed by CI/CD pipelines and other GitLab features.
- Example:
image: docker:latest

stages:
  - test

test:
  stage: test
  script:
    - echo "Accessing protected variables in a script"
    - echo "This will print out the variable"
    # Printing a variable writes its value into the job log, which anyone who
    # can read the job can see. GitLab redacts it there only if the variable is
    # also marked "Masked" in the project's CI/CD settings.
    - echo "$CI_API_TOKEN"
Secret variables:
- Store sensitive information outside of GitLab.
- Provide an extra layer of security and compliance.
- Example:
image: docker:latest

stages:
  - test

test:
  stage: test
  script:
    - echo "Accessing secret variables in a script"
    - echo "This will print out the variable"
    # Same caveat as above: echoing a secret exposes it in the job log.
    - echo "$SECRET_VARIABLE_NAME"
Secure Runner Configuration
Runners execute pipeline jobs and hold whatever credentials those jobs receive, so their configuration directly determines how secure the pipeline is. GitLab provides various options for securing CI/CD runners:
Runner registration:
- Register runners deliberately so that each one is authorized only for the specific projects it should serve.
- Example:
image: docker:latest

stages:
  - test

test:
  stage: test
  script:
    # Nothing in this job restricts which runner picks it up; that is decided
    # when the runner is registered (project/group scope) and in its config.
    - echo "This script will run on a secure runner"
    - echo "This will test the secure runner configuration"
Runner permissions:
- Define what each runner may access and do, so a job on one runner cannot reach resources meant for another.
- Example:
image: docker:latest

stages:
  - test

test:
  stage: test
  script:
    # The permissions themselves live in the runner's registration and config,
    # not in the job definition; this job only prints messages.
    - echo "This script will be run on a runner with limited permissions"
    - echo "This will test the secure runner configuration"
Runner security:
- Apply security measures to the runner hosts themselves, such as access control and prompt vulnerability patching of the runner and its host OS.
- Example:
image: docker:latest

stages:
  - test

test:
  stage: test
  script:
    # Patching happens on the runner host, outside the pipeline; this job only
    # prints messages.
    - echo "This script will run on a runner with security updates and patches"
    - echo "This will test the secure runner configuration"
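Bringing the three sections together, here is an added example (not from the original page) of one .gitlab-ci.yml that enables GitLab's SAST, Dependency Scanning and Secret Detection templates, limits a deploy job to protected refs and to tagged runners, and pulls a secret from an external store instead of echoing it. The runner tag, the Vault audience and secret path, and deploy.sh are assumed placeholders; the Vault lookup also needs VAULT_SERVER_URL (and optionally VAULT_AUTH_ROLE) set as project CI/CD variables.

```yaml
# Added example, not from the original page. Placeholders are marked below.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

stages:
  - test      # the included scanner jobs run here and upload their reports
  - deploy

# Pin the image to a tag (or digest) rather than :latest, so a job cannot
# silently pick up a different image between two pipeline runs.
image: alpine:3.19

deploy:
  stage: deploy
  # Route the job only to runners registered with this tag (placeholder name),
  # i.e. runners you control and have scoped to this project.
  tags:
    - protected-deploy
  # Run only on protected branches and tags. Protected CI/CD variables are
  # exposed only to pipelines on protected refs, so DEPLOY_TOKEN is simply
  # absent in merge-request pipelines from unprotected branches.
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
  # Short-lived OIDC token the job exchanges for a Vault token, so no long-lived
  # Vault credential has to be stored in GitLab at all.
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com      # placeholder audience
  secrets:
    DB_PASSWORD:
      vault: production/db/password@kv    # placeholder: path/field@engine
      token: $VAULT_ID_TOKEN
      file: false                         # expose as a variable, not a temp file
  script:
    # Fail fast if a required secret is missing instead of deploying half-configured.
    - test -n "$DEPLOY_TOKEN" || { echo "DEPLOY_TOKEN is not set"; exit 1; }
    - test -n "$DB_PASSWORD"  || { echo "DB_PASSWORD is not set"; exit 1; }
    # Pass secrets by environment variable name; never echo their values. Mark
    # DEPLOY_TOKEN "Masked" and "Protected" in the project settings so an
    # accidental print is redacted in the job log.
    - ./deploy.sh --token-from-env DEPLOY_TOKEN --db-password-from-env DB_PASSWORD
```

The included templates decide for themselves which analyzers apply to the repository's languages, so nothing else is needed for the scanning jobs to appear in the `test` stage.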