

chore: Updated GitLab pipeline to work with latest fcli changes
kadraman committed Sep 27, 2024
1 parent 197c528 commit 9e08639
Showing 10 changed files with 276 additions and 34 deletions.
41 changes: 29 additions & 12 deletions .gitlab-ci.yml
@@ -1,34 +1,51 @@
# Comment/Uncomment the below depending on whether you are using Fortify on Demand
# or ScanCentral SAST/DAST.
include:
- local: '/devops-integrations/gitlab/debricked-sca.yml'
- local: '/devops-integrations/gitlab/fortify-sast-scancentral.yml'
- local: '/devops-integrations/gitlab/fortify-dast-scancentral.yml'
#- local: '/devops-integrations/gitlab/fortify-sast-fod.yml'

#- local: '/devops-integrations/gitlab/debricked-sca.yml'
#- local: '/devops-integrations/gitlab/fortify-sca.yml'
#- local: '/devops-integrations/gitlab/fortify-sast-scancentral.yml'
#- local: '/devops-integrations/gitlab/fortify-dast-api-scancentral.yml'
#- local: '/devops-integrations/gitlab/fortify-dast-web-scancentral.yml'
- local: '/devops-integrations/gitlab/fortify-sast-fod.yml'
- local: '/devops-integrations/gitlab/fortify-dast-fod.yml'
#- local: '/devops-integrations/gitlab/fortify-ssc-gate.yml'
- local: '/devops-integrations/gitlab/fortify-fod-gate.yml'

stages:
- build
- deploy
- test
- dast
- report

build:
stage: build
image: maven:3.8.6-eclipse-temurin-8
image: maven:3.9-eclipse-temurin-11

script:
script:
- echo Building project...
- mvn -Pjar clean package
- mvn -Dskip.unit.tests=false -DfailIfNoTests=false -Dtest="*,!PasswordConstraintValidatorTest,!UserServiceTest,!DefaultControllerTest" -P jar -B verify package --file pom.xml
- mvn dependency:tree
-DoutputFile=.debricked-maven-dependencies.tgf
-DoutputType=tgf
when: manual
#when: manual
artifacts:
paths:
- .debricked-maven-dependencies.tgf
- /
- .debricked-maven-dependencies.tgf
- target/surefire-reports/TEST-*.xml
expire_in: 3 days
when: on_success
reports:
junit: target/surefire-reports/TEST-*.xml
when: always

deploy:
stage: deploy
needs: [build]
script:
- echo 'Simulating deployment of application...'

functional-test:
stage: test
needs: [deploy]
script:
- echo 'Simulating functional test of application...'
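Review bot: The `stages:` list carries a `dast` entry, but every DAST job this commit adds (fortify-dast-api, fortify-dast, fortify-dast-web) declares `stage: test` with `needs: [deploy]`, so as far as the files in this commit show, no job ever runs in `dast`. Which side of the hunk the `dast` line sits on is not recoverable from this rendering, so treat this as a remark on the resulting file: either drop the entry or give the DAST jobs `stage: dast` so the pipeline graph reflects that they scan the deployed application. The build job also moves to the floating `maven:3.9-eclipse-temurin-11` tag; pinning the builder image by digest would keep the build reproducible.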
16 changes: 10 additions & 6 deletions devops-integrations/gitlab/debricked-sca.yml
@@ -1,13 +1,17 @@
# Integrate Debricked software composition analysis into your Gitlab CICD pipeline
# The following Gitlab environment variables must be defined before using this job
# The following Gitab environment variables must be defined before using this job
# - $DEBRICKED_TOKEN
# - $DEBRICKED_REPO

debricked-sca:
debricked-scan:
image: maven:3.9-eclipse-temurin-11
stage: test
script:
- curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked
- ./debricked scan
needs: [build]
variables:
DEBRICKED_TOKEN: $DEBRICKED_TOKEN
DEBRICKED_TOKEN: $DEBRICKED_TOKEN
DEBRICKED_EXCLUSIONS: "*.lock,*.json,*fingerprints*,target/**,samples/**"
script:
- curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked
- chmod +x debricked
- ./debricked scan --callgraph --prefer-npm -r "${DEBRICKED_REPO}" --access-token="${DEBRICKED_TOKEN}" .
allow_failure: true
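Review bot: The new script line `curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked` fetches a binary from a moving `release-v2` path and executes it with no integrity check, so the job runs whatever is currently published there. Download a pinned release to a file, verify it against a checksum kept in the repository (`sha256sum -c debricked.sha256`) and only then extract and run it; the identical pattern appears in fortify-sca.yml's debricked-scan job. Separately, `DEBRICKED_TOKEN: $DEBRICKED_TOKEN` under `variables:` assigns the variable to itself and can be removed, since the token is passed explicitly via `--access-token` on the scan line.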
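--- a/devops-integrations/gitlab/fortify-dast-api-scancentral.yml
+++ b/devops-integrations/gitlab/fortify-dast-api-scancentral.yml
@@ -0,0 +1,40 @@
+# Integrate Fortify ScanCentral Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+# - $_FCLI_DEFAULT_SSC_URL
+# - $_FCLI_DEFAULT_SSC_USER
+# - $_FCLI_DEFAULT_SSC_PASSWORD
+# - $SSC_APP_VERSION_ID
+# - $SC_DAST_API_SETTINGS
+
+fortify-dast-api:
+image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+stage: test
+needs: [deploy]
+only:
+variables:
+- $CI_COMMIT_BRANCH == "main"
+variables:
+FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER
+FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
+FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN
+FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
+SC_DAST_API_SETTINGS: $SC_DAST_API_SETTINGS
+SC_DAST_SCAN_NAME: "GitLab-Pipelines-API-Scan"
+script:
+- fcli ssc session login
+- fcli sc-dast session login
+
+- fcli sc-dast scan start --name "$SC_DAST_SCAN_NAME" --settings $SC_DAST_API_SETTINGS --store=Id
+- 'fcli sc-dast scan wait-for ::Id:: --interval=30s'
+
+- fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
+- fcli ssc action run gitlab-dast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000
+
+- fcli sc-dast session logout
+- fcli ssc session logout
+allow_failure: true
+artifacts:
+reports:
+dast: gl-fortify-dast.json
+expire_in: 3 days
+when: always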
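Review bot: The job hands fcli both an interactive credential pair (`FCLI_DEFAULT_SSC_USER` / `FCLI_DEFAULT_SSC_PASSWORD`) and `FCLI_DEFAULT_SSC_CI_TOKEN`, while the header comment lists only the user/password variables as required. If the CI token alone satisfies `fcli ssc session login` (to be confirmed against the fcli version in the image), drop the user/password mappings so the account password never has to exist as a runner variable, and otherwise add `# - $_FCLI_DEFAULT_SSC_CI_TOKEN` to the header so the documented prerequisites match what the job reads. The same dual-credential mapping and header gap appear in fortify-dast-web-scancentral.yml, fortify-sast-scancentral.yml and fortify-ssc-gate.yml. A smaller point of style: `--settings $SC_DAST_API_SETTINGS` is unquoted while `--name "$SC_DAST_SCAN_NAME"` on the same line is quoted; `--settings "$SC_DAST_API_SETTINGS"` keeps the two consistent.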
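--- a/devops-integrations/gitlab/fortify-dast-fod.yml
+++ b/devops-integrations/gitlab/fortify-dast-fod.yml
@@ -0,0 +1,39 @@
+# Integrate Fortify on Demand Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+# - $_FOD_RELEASE_ID
+# - $_FCLI_DEFAULT_FOD_USER
+# - $_FCLI_DEFAULT_FOD_PASSWORD
+# - $_FCLI_DEFAULT_FOD_TENANT
+# - $_FCLI_DEFAULT_FOD_URL
+# Note: this assumes the FoD Release has already been configured for a DAST Automated Website scan
+
+fortify-dast:
+image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+stage: test
+needs: [deploy]
+only:
+variables:
+- $CI_COMMIT_BRANCH == "main"
+variables:
+FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER
+FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD
+FCLI_DEFAULT_FOD_TENANT: $_FCLI_DEFAULT_FOD_TENANT
+FCLI_DEFAULT_FOD_URL: $_FCLI_DEFAULT_FOD_URL
+FOD_RELEASE_ID: $_FOD_RELEASE_ID
+FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL"
+script:
+- fcli fod session login
+
+- fcli fod dast start --release=$FOD_RELEASE_ID --store=Id
+- 'fcli fod dast wait-for ::Id:: --interval=30s'
+
+- 'fcli fod issue list --release=$FOD_RELEASE_ID --filters-param "scanType:Dynamic+severty:Critical|High"'
+- fcli fod action run gitlab-dast-report --release=$FOD_RELEASE_ID
+
+- fcli fod session logout
+allow_failure: true
+artifacts:
+reports:
+dast: gl-fortify-dast.json
+expire_in: 3 days
+when: always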
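Review bot: The filter in `--filters-param "scanType:Dynamic+severty:Critical|High"` spells the field as `severty`; if the intended FoD field is `severity`, the severity clause is either rejected or silently ignored, and the listing no longer narrows to Critical/High as the line suggests. The same misspelling is in fortify-sast-fod.yml's `"scanType:Static+severty:Critical|High"`; both should read `severity:Critical|High` once the field name is confirmed against the FoD API. `FOD_NOTES` is also defined here but nothing in the script consumes it, unlike the SAST job which passes `--notes="$FOD_NOTES"`; either pass it to `fcli fod dast start` if that command accepts a notes option, or remove the variable.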
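--- a/devops-integrations/gitlab/fortify-dast-web-scancentral.yml
+++ b/devops-integrations/gitlab/fortify-dast-web-scancentral.yml
@@ -0,0 +1,40 @@
+# Integrate Fortify ScanCentral Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+# - $_FCLI_DEFAULT_SSC_URL
+# - $_FCLI_DEFAULT_SSC_USER
+# - $_FCLI_DEFAULT_SSC_PASSWORD
+# - $SSC_APP_VERSION_ID
+# - $SC_DAST_WEB_SETTINGS
+
+fortify-dast-web:
+image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+stage: test
+needs: [deploy]
+only:
+variables:
+- $CI_COMMIT_BRANCH == "main"
+variables:
+FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER
+FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
+FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN
+FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
+SC_DAST_WEB_SETTINGS: $SC_DAST_WEB_SETTINGS
+SC_DAST_SCAN_NAME: "GitLab-Pipelines-Web-Scan"
+script:
+- fcli ssc session login
+- fcli sc-dast session login
+
+- fcli sc-dast scan start --name "$SC_DAST_SCAN_NAME" --settings $SC_DAST_WEB_SETTINGS --store=Id
+- 'fcli sc-dast scan wait-for ::Id:: --interval=30s'
+
+- fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
+- fcli ssc action run gitlab-dast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000
+
+- fcli sc-dast session logout
+- fcli ssc session logout
+allow_failure: true
+artifacts:
+reports:
+dast: gl-fortify-dast.json
+expire_in: 3 days
+when: always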
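--- a/devops-integrations/gitlab/fortify-fod-gate.yml
+++ b/devops-integrations/gitlab/fortify-fod-gate.yml
@@ -0,0 +1,25 @@
+# Integrate Fortify on Demand Static Security Gate into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+# - $_FOD_RELEASE_ID
+# - $_FCLI_DEFAULT_FOD_USER
+# - $_FCLI_DEFAULT_FOD_PASSWORD
+# - $_FCLI_DEFAULT_FOD_TENANT
+# - $_FCLI_DEFAULT_FOD_URL
+
+fortify-security-gate:
+image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+stage: report
+variables:
+FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER
+FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD
+FCLI_DEFAULT_FOD_TENANT: $_FCLI_DEFAULT_FOD_TENANT
+FCLI_DEFAULT_FOD_URL: $_FCLI_DEFAULT_FOD_URL
+FOD_RELEASE_ID: $_FOD_RELEASE_ID
+FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL"
+script:
+- fcli fod session login
+
+- fcli fod action run release-summary --release=$FOD_RELEASE_ID
+- fcli fod action run check-policy --release=$FOD_RELEASE_ID
+
+- fcli fod session logout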
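Review bot: `fcli fod action run check-policy` is the command that is meant to fail this job when the release violates policy, but a non-zero exit aborts the `script:` sequence, so on exactly the path the gate exists for the final `fcli fod session logout` never runs and the session fcli created on the runner is left open. Move the logout into `after_script:`, which GitLab runs whether the script succeeded or not: `after_script:` / `  - fcli fod session logout`; whether an orphaned session outlives the job depends on the runner executor and fcli's session storage, so treat the cleanup as hygiene rather than a guaranteed credential exposure. The same ordering applies to fortify-ssc-gate.yml, where `check-policy` precedes `fcli ssc session logout`. `FOD_NOTES` is also defined here without any consumer in the script and can be dropped.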
18 changes: 12 additions & 6 deletions devops-integrations/gitlab/fortify-sast-fod.yml
@@ -1,13 +1,16 @@
# Integrate Fortify on Demand Static AppSec Testing (SAST) into your Gitlab CICD pipeline
# The following Gitlab environment variables must be defined before using this job
# - $FOD_RELEASE_ID
# - $FOD_USER
# - $FOD_PAT
# - $FOD_TENANT
# - $_FOD_RELEASE_ID
# - $_FCLI_DEFAULT_FOD_USER
# - $_FCLI_DEFAULT_FOD_PASSWORD
# - $_FCLI_DEFAULT_FOD_TENANT
# - $_FCLI_DEFAULT_FOD_URL
# Note: this assumes the FoD Release has already been configured

fortify-sast:
image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
stage: test
needs: [build]
variables:
FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER
FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD
Expand All @@ -17,11 +20,14 @@ fortify-sast:
FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL"
script:
- fcli fod session login

- scancentral package -bt mvn -oss -o package.zip
- fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes="$FOD_NOTES" --store=Id
- 'fcli fod sast wait-for ::Id:: --interval=30s'
- fcli fod issue list --release=$FOD_RELEASE_ID

- 'fcli fod issue list --release=$FOD_RELEASE_ID --filters-param "scanType:Static+severty:Critical|High"'
- fcli fod action run gitlab-sast-report --release=$FOD_RELEASE_ID

- fcli fod session logout
allow_failure: true
artifacts:
17 changes: 7 additions & 10 deletions devops-integrations/gitlab/fortify-sast-scancentral.yml
Expand Up @@ -5,11 +5,11 @@
# - $_FCLI_DEFAULT_SSC_URL
# - $_FCLI_DEFAULT_SSC_USER
# - $_FCLI_DEFAULT_SSC_PASSWORD
# - $_SSC_APP_VERSION_ID
# - $SSC_APP_VERSION_ID

fortify-sast:
stage: test
image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17
image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
needs: [build]
variables:
SC_SAST_SENSOR_VERSION: 24.2
Expand All @@ -18,22 +18,19 @@ fortify-sast:
FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN
FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
SSC_APP_VERSION_ID: $_SSC_APP_VERSION_ID
script:
- fcli ssc session login
- fcli sc-sast session login

- fcli sc-sast session login
- scancentral package -bt mvn -o package.zip
- fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id

- 'fcli sc-sast scan wait-for ::Id:: --interval=30s'

- fcli ssc issue count --appversion=$SSC_APP_VERSION_ID

- fcli ssc issue count --appversion=$SSC_APP_VERSION_ID
- fcli ssc action run gitlab-sast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000

- fcli sc-sast session logout
- fcli ssc session logout
- fcli ssc session logout
allow_failure: true
artifacts:
reports:
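Review bot: `SC_SAST_SENSOR_VERSION: 24.2` in the job's `variables:` is an unquoted plain scalar, so a generic YAML loader reads it as the float 24.2 rather than the string the `--sensor-version=$SC_SAST_SENSOR_VERSION` argument expects; GitLab stringifies CI variables so this happens to work today, but a value such as `24.20` would silently become `24.2`. The line is context in this hunk rather than something the commit changed, so it is a point of style for the resulting file: write `SC_SAST_SENSOR_VERSION: "24.2"`. The enclosing `fortify-sast` job continues past the second hunk ("Expand Down"), so the remaining artifact settings are not visible here.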
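--- a/devops-integrations/gitlab/fortify-sca.yml
+++ b/devops-integrations/gitlab/fortify-sca.yml
@@ -0,0 +1,51 @@
+# Integrate Debricked software composition analysis into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+# - $DEBRICKED_TOKEN
+# - $DEBRICKED_REPO
+# - $_FCLI_DEFAULT_SSC_URL
+# - $_FCLI_DEFAULT_SSC_USER
+# - $_FCLI_DEFAULT_SSC_PASSWORD
+# - $SSC_APP_VERSION_ID
+
+debricked-scan:
+image: maven:3.9-eclipse-temurin-11
+stage: test
+needs: [build]
+variables:
+DEBRICKED_TOKEN: $DEBRICKED_TOKEN
+DEBRICKED_EXCLUSIONS: "*.lock,*.json,*fingerprints*,target/**,samples/**"
+script:
+- curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked
+- chmod +x debricked
+- ./debricked scan --callgraph --prefer-npm -r "${DEBRICKED_REPO}" --access-token="${DEBRICKED_TOKEN}" .
+allow_failure: true
+
+fortify-sca:
+image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+stage: test
+needs: [debricked-scan]
+variables:
+FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER
+FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
+FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
+script:
+- fcli ssc session login
+
+- fcli ssc artifact import-debricked --appversion=$SSC_APP_VERSION_ID --debricked-access-token=$DEBRICKED_TOKEN --repository=$DEBRICKED_REPO --branch=$CI_COMMIT_BRANCH --save-sbom-as=debricked-sbom.json --store=Id
+
+- 'fcli ssc artifact wait-for ::Id:: --interval=30s'
+
+- fcli ssc action run appversion-summary --appversion=$SSC_APP_VERSION_ID
+- fcli ssc action run gitlab-debricked-report --appversion=$SSC_APP_VERSION_ID
+
+- fcli ssc session logout
+allow_failure: true
+artifacts:
+reports:
+dependency_scanning: gl-fortify-debricked-depscan.json
+#cyclonedx: debricked-sbom.json
+paths:
+- debricked-sbom.json
+expire_in: 3 days
+when: always
+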
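Review bot: This file defines a job named `debricked-scan` that is a near copy of the `debricked-scan` job in devops-integrations/gitlab/debricked-sca.yml; if a pipeline ever includes both files (the root .gitlab-ci.yml lists both, currently commented out), GitLab merges same-named jobs from includes and the later definition silently overrides the earlier one rather than failing. Either give this copy a distinct name or have fortify-sca.yml carry only the `fortify-sca` job and document that debricked-sca.yml must be included alongside it. The header comment also describes only the Debricked scan; a line such as `# Imports the Debricked results and SBOM into the SSC application version via fcli` would tell a reader what the second job adds. The commented `#cyclonedx: debricked-sbom.json` report leaves the SBOM exposed only as a plain artifact, which is fine if intentional but worth a comment saying why the report type is disabled.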
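--- a/devops-integrations/gitlab/fortify-ssc-gate.yml
+++ b/devops-integrations/gitlab/fortify-ssc-gate.yml
@@ -0,0 +1,23 @@
+# Integrate Fortify Software Security Center Gate into your Gitlab CICD pipeline
+# The following Gitlab environment variables must be defined before using this job
+# - $_FCLI_DEFAULT_SSC_CI_TOKEN
+# - $_FCLI_DEFAULT_SSC_URL
+# - $_FCLI_DEFAULT_SSC_USER
+# - $_FCLI_DEFAULT_SSC_PASSWORD
+# - $SSC_APP_VERSION_ID
+
+fortify-security-gate:
+image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17
+stage: report
+variables:
+FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER
+FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD
+FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN
+FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL
+script:
+- fcli ssc session login
+
+- fcli ssc action run appversion-summary --appversion=$SSC_APP_VERSION_ID --filtersets="default"
+- fcli ssc action run check-policy --appversion=$SSC_APP_VERSION_ID
+
+- fcli ssc session logout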

