GitLab Vulnerablity Report Integration

GitLab

With StackHawk’s code scanning integration in Gitlab, teams can now run Dynamic API and Application Security Testing (DAST) whenever they check-in code and view results directly in GitLab.

Requirements

StackHawk:

  • You must have a StackHawk account.

GitLab:

Enabling Vulnerability Reporting in GitLab with HawkScan

This integration can be broken down into four major steps:

  • Configuring StackHawk to run in your GitLab pipeline
  • Updating your GitLab pipeline to create a DAST report
  • Running your pipeline
  • Viewing and triaging results

Configuring StackHawk in the GitLab Pipeline

You can add StackHawk scanning to your GitLab pipeline by adding scanning to your .gitlab-ci.yml and adding a stackhawk.yml configuration file to your repository. Detailed set up instructions can be found in HawkScan and GitLab

Updating GitLab Pipeline to Create a DAST report

Once you have set up scanning in your GitLab pipline, you need to add two things to your .gitlab-ci.yml

First pass in the DAST_ARTIFACT environment variable to tell HawkScan to create a DAST report.

Your updated pipeline report will now look like this:

.gitlab-ci.yml

image: docker
services:
  - docker:dind 
before_script:
  - docker pull stackhawk/hawkscan
hawkscan:
  script:
    - |
      docker run -v $(pwd):/hawk:rw -t \
        -e API_KEY="hawk.${HAWK_API_ID}.${HAWK_API_SECRET}" \
        -e NO_COLOR=true \
        -e DAST_ARTIFACT=1 \
        stackhawk/hawkscan

Next add the stackhawk-dast-report.json value to your DAST report artifacts.

.gitlab-ci.yml

artifacts:
  reports:
    dast: stackhawk-dast-report.json

Your updated StackHawk job should look somethng like this:

.gitlab-ci.yml

image: docker
services:
  - docker:dind 
before_script:
  - docker pull stackhawk/hawkscan
hawkscan:
  script:
    - |
      docker run -v $(pwd):/hawk:rw -t \
        -e API_KEY="hawk.${HAWK_API_ID}.${HAWK_API_SECRET}" \
        -e NO_COLOR=true \
        -e DAST_ARTIFACT=1 \
        stackhawk/hawkscan
artifacts:
  reports:
    dast: stackhawk-dast-report.json

Running Your Pipeline

The actions that trigger your build pipline, such as code changes and creating pull requests, will now trigger running HawkScan and creating a vulnerability report.

Viewing and Triaging Scan Results

The vulnerability report is included in the Security and Complaince section of GitLab.

Vulnerability Report

To view the vulnerabilites that StackHawk found in your application, navigate to the Vulnerability Report section of the Security and Compliance center.

Security And Compliance Section

This should give you an overview of all your vulnerablities.

Vulnerability Report

Triaging Vulnerabilites

Click into each vulnerability to view details and create issues by clicking on the Create Issue button on the bottom of the page.

Vulnerability Details