Last year at GitLab Commit, I presented our integration with GitLab to initiate Checkmarx security scans within your GitLab CI/CD pipeline. I walked through the progression of our integrations, which began with the addition of a complicated script to our latest iteration that seamlessly initiates scans and orchestrates results within a docker container. A video of my presentation can be found here.
As part of the rollout of the GitLab integration, I engaged with current Checkmarx users, from DevOps Engineers to Security Engineers to developers writing code. These interactions were valuable to for being able to see how each team has a role in upholding Application Security within their organization.
The overwhelming feedback from these three AppSec stakeholders came down to three major themes:
- The simpler the better
- Make it easy to scale out to multiple projects
- Custom scan configuration is key
Even though our GitLab integration evolved from complicated scripts to a simplified container, there was still complexity in manually adding steps to a pipeline (even if it is copy and paste). It made me wonder, “Is there an even easier way to integrate with GitLab?”
I dug in and did some research on how GitLab integrates with their open-source tools and found that they leverage a concept called templates which allow GitLab users to include an already existing template file in their .gitlab-ci.yml, and voila! Stages will automatically add to the pipeline. This is a feature that no other CI tool has with their yaml files - and an amazing feature it is. I discovered that this one feature hits upon what is important to the different AppSec stakeholders: it is simple, scalable, and customizable.
Creating a GitLab template file
We decided to create a template file and try this method out. The results are beyond my expectations because the integration is now even cleaner and easier because templates make it easy scale out to multiple projects by only making one edit. You only need to add one line to your .gitlab-ci.yml file instead of creating and maintaining another yaml file.
Adding a template file works for our CxSAST & CxSCA scans also works for our open-source security scan for IaC files. We have versioned the template files as well to allow for backwards compatibility if you need to make new edits. It still will orchestrate the results the same way: decorating the Merge Request, updating GitLab’s Security Dashboard, and creating, updating, and closing GitLab issues.
Decorating the Merge Request
Override global variables
In the template file created, we have set pre-defined some common environment variables to customize Checkmarx scans. You can easily override these variables by setting a value in either the .gitlab-ci.yml file or as an CI/CD environment variable. This customization provides the scan configuration objective that our users are looking for.
I wish I knew about this template feature from the very beginning of working on the Checkmarx Gitlab integration. Include it in your GitLab pipeline CI file for a simple and clean solution that you can rollout to your whole organization.
Resources
Give us feedback
We would love for you to keep trying this integration out and give us feedback via GitHub Discussions to report any problem you run into, as well as to suggest improvements you would like to see in the future.
Step by step directions
Please visit https://checkmarx.com/gitlab
Template files
For reference to the template file for CxSAST & CxSCA scans, can be found here & for KiCS template, it can be found here.
Try it out if you have a chance, and let me know how it works for you.
