Accurics provides SAST (Static Application Security Testing) integration for GitLab.
SAST helps mitigate security risk at the earliest development stages in a typical cloud computing environment by using a developer-first approach. With more and more organisations using deployment as code and infrastructure as code alongside application code through various DevOps and SecOps tools, it is becoming vital to integrate vulnerability results from SAST or DAST with the runtime environment and to enforce policies that block the riskiest builds from being deployed to production while still reporting the less severe vulnerabilities.
Accurics already provides accurate IaC scanning for the runtime environment. Here, we link the SAST analysis from GitLab with Accurics to provide a holistic picture of threat assessment.
The following steps are necessary for set-up and implementation:
- On the Accurics console, create the environment and generate the token.
- Set up GitLab to link Accurics and use SAST.
Create the Accurics environment and generate the token
- Create the Accurics environment with administrator credentials. For more details, see Set up Accurics Environment.
- Set up the IaC repositories that need SAST integration.
- Along with the other security policies, choose Accurics Security Best Practices for Applications.
- The final environment should contain all the relevant details.
- Generate an Accurics token through the create API token process. For more information, see Generate API tokens.
Set up GitLab to link Accurics and use SAST
Update GitLab with the Accurics information as follows:
- Add the ACCURICS_TOKEN variable to the GitLab environment variable list. While adding the variable, leave the Protect variable flag unchecked and check the Mask variable flag, so the token value is not printed in job logs.
- Set up the GitLab pipeline by adding an additional stage after “test” in the YAML file.
- Include the remote GitLab CI/CD template for Accurics: https://downloads.accurics.com/app-sec/v1/gitlab-sast.yml.
- Run the pipeline.
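As an added example (not the Accurics template or this page's own code), a minimal .gitlab-ci.yml that wires up the steps above; the stage name accurics-sast and the job names are assumptions, and the token itself stays in the masked CI/CD variable rather than in the file.

```yaml
# .gitlab-ci.yml (added example; job and stage names are assumptions)
stages:
  - build
  - test
  - accurics-sast   # extra stage after "test"; confirm the remote
                    # template's job targets this stage name, otherwise
                    # GitLab rejects the pipeline for an unknown stage

# Pull in the Accurics SAST template named on this page.
include:
  - remote: "https://downloads.accurics.com/app-sec/v1/gitlab-sast.yml"

# Do NOT declare ACCURICS_TOKEN under `variables:` here; a value in the
# repository file is neither masked nor protected. The template reads it
# from the masked CI/CD variable added in the first step.

build:
  stage: build
  script:
    - echo "build the application"

unit-tests:
  stage: test
  script:
    - echo "run the unit tests"

# Fail early, before the scan stage, if the masked variable is missing.
# `test -n` checks presence without echoing the secret into the log.
check-accurics-token:
  stage: test
  script:
    - test -n "$ACCURICS_TOKEN" || { echo "ACCURICS_TOKEN is not set"; exit 1; }
```

If the template's job ends up in a stage that is not listed under stages, add that stage name instead of accurics-sast; the build will still fail on high severity violations as described below.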
All violations will be displayed on the Accurics console as well as in GitLab.
- On the Accurics console, the SAST and IaC vulnerabilities can be seen and analyzed together.
- The same vulnerabilities will be visible in GitLab as well.
- The build will fail if high severity violations are found.
For more information, please check this video –