Securing codebase with GitLab's built-in Static Application Security Testing (SAST)
To secure your codebase with GitLab's built-in Static Application Security Testing (SAST), you first need a GitLab project if you don't already have one. GitLab SAST is enabled through the `.gitlab-ci.yml` file, which defines the configuration for CI/CD pipelines. Below is a detailed explanation of how to set up a GitLab project with SAST using Pulumi and TypeScript:

GitLab Project

You'll need to create a GitLab project. GitLab projects are the containers where your repositories live. In Pulumi, you can create a new project using the `gitlab.Project` resource.

SAST Configuration

Once you have the project, you need to configure SAST. This configuration typically involves modifying the `.gitlab-ci.yml` file within the repository to include the SAST job definitions provided by GitLab.

Using Pulumi with TypeScript

Pulumi allows you to define infrastructure as code using TypeScript. Below is a program that shows how to use Pulumi to set up a GitLab project and push an initial `.gitlab-ci.yml` to the repository to enable SAST.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gitlab from "@pulumi/gitlab";

// Create a new GitLab project. initializeWithReadme creates the default
// branch, which must exist before a file can be committed to it.
const project = new gitlab.Project("my-secure-project", {
    description: "A project with SAST enabled",
    visibilityLevel: "private",
    initializeWithReadme: true,
});

// Define the .gitlab-ci.yml configuration for SAST. Including GitLab's
// Security/SAST.gitlab-ci.yml template adds the analyzer jobs to the `test`
// stage. The template's jobs bring their own images, and the `sast` job it
// defines is a base job that must not be redefined in this file: a top-level
// `sast:` entry would replace its configuration instead of running a scan.
const gitlabCiConfig = `stages:
  - test

include:
  - template: Security/SAST.gitlab-ci.yml
`;

// Commit the .gitlab-ci.yml to the root of the project's default branch.
// RepositoryFile expects base64-encoded content by default.
const gitlabCiFile = new gitlab.RepositoryFile("gitlab-ci", {
    project: project.id,
    branch: project.defaultBranch,
    filePath: ".gitlab-ci.yml",
    content: Buffer.from(gitlabCiConfig).toString("base64"),
    commitMessage: "Enable GitLab SAST",
});

// Export the GitLab project URL
export const projectUrl = project.webUrl;
```

Explanation

- Project Creation: Using `new gitlab.Project`, a new project named `my-secure-project` is created. This project is set to be `private`.
- SAST Configuration: The variable `gitlabCiConfig` holds the YAML configuration that defines the CI/CD pipeline with the SAST template included from GitLab's built-in CI/CD configuration.
- Pushing Configuration: The `gitlab.RepositoryFile` resource is used to place `.gitlab-ci.yml` into the root of the project repository, which GitLab CI/CD uses to run the SAST jobs.
- Exports: The program exports the web URL of the GitLab project as `projectUrl`, which you can use to navigate to the project in a web browser.

After running this Pulumi program, you will have a GitLab project with the `.gitlab-ci.yml` file configured. Pushing code to this repository will trigger GitLab CI/CD pipelines, and the `include` directive in the provided YAML ensures that SAST is run against the codebase.

Please note that this program will not run the CI/CD pipeline but sets up the necessary configuration. You will need to push additional code to the repository for the pipeline to execute the SAST job. Also, ensure you have the necessary permissions in GitLab and that the Pulumi CLI is configured with an access token to communicate with GitLab's API.

To apply this Pulumi program, you should follow the standard Pulumi workflow:

- Initialize a new Pulumi project.
- Install the GitLab provider using the command `npm install @pulumi/gitlab`.
- Place the above TypeScript code into `index.ts`.
- Execute `pulumi up` to deploy the changes.
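As an added example that is not part of the original answer or of the Pulumi GitLab provider: a dependency-free TypeScript check that a `.gitlab-ci.yml` string actually enables the SAST template, so it can be run over `gitlabCiConfig` before Pulumi commits it. The function names, the constructed sample config and the line-based parsing (it reads only top-level keys and simple `- item` lists, not full YAML) are assumptions of this example.

```typescript
// Added example, not from the page or the Pulumi GitLab provider: a dependency-
// free check that a .gitlab-ci.yml string really enables GitLab SAST. It only
// understands top-level keys and simple "- item" lists, not full YAML.
export const SAST_TEMPLATE = "Security/SAST.gitlab-ci.yml";

// Split the document into top-level sections: key -> its trimmed body lines.
function topLevelSections(yaml: string): Map<string, string[]> {
  const sections = new Map<string, string[]>();
  let current: string | null = null;
  for (const raw of yaml.split("\n")) {
    const line = raw.replace(/\s+$/, "");
    if (line === "" || line.trim().startsWith("#")) continue;
    const m = /^([A-Za-z0-9_.-]+):\s*(.*)$/.exec(line); // unindented key
    if (m) {
      current = m[1];
      sections.set(current, m[2] ? [m[2]] : []);
    } else if (current !== null) {
      sections.get(current)!.push(line.trim());
    }
  }
  return sections;
}

// Returns the list of problems found; an empty list means SAST is enabled.
export function checkSastConfig(yaml: string): string[] {
  const issues: string[] = [];
  const s = topLevelSections(yaml);
  // List items with the "- " marker and any quotes removed.
  const items = (k: string) =>
    (s.get(k) ?? []).map((l) => l.replace(/^-\s*/, "").replace(/["']/g, ""));
  if (!items("include").includes(`template: ${SAST_TEMPLATE}`)) {
    issues.push(`include does not list "template: ${SAST_TEMPLATE}"`);
  }
  // GitLab's default stages already contain "test"; only an explicit list that omits it is a problem.
  const stages = items("stages");
  if (stages.length > 0 && !stages.includes("test")) {
    issues.push('stages is declared without the "test" stage the SAST jobs use');
  }
  // The template's `sast` job is a base job; a top-level `sast:` here
  // overrides its configuration instead of running a scan.
  if (s.has("sast")) {
    issues.push("top-level `sast:` job overrides the template's base job");
  }
  return issues;
}

// Constructed sample that redefines the template's `sast` job:
export const OVERRIDING_CONFIG =
  "include:\n  - template: Security/SAST.gitlab-ci.yml\nsast:\n  script:\n    - echo hi\n";
```

Running `checkSastConfig` on the config pushed by the Pulumi program above returns no issues, while `OVERRIDING_CONFIG` is flagged for redefining `sast`.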