
Setting up web application scanning with GitLab

This article describes the setup in GitLab CI. Configuration in other CI systems follows the same pattern: two environment variables for the scanner, plus a job that runs the scanner's CLI in a container.

Adding environment variables

In GitLab, select “Settings” → “CI/CD” → “Variables” → “Add variable”.

Screenshot of the path “Settings” → “CI/CD”

Screenshot of the path “Variables” → “Add variable”

Two variables need to be added:

The address of the scanner

  1. In the “Key” field, enter SOLIDPOINT_BASE_URL.
  2. In the “Value” field, enter the scanner URL, for example: https://cloud.solidpoint.net.
  3. Click the “Add Variable” button.

    Screenshot of creating the “scanner address” variable

Secret access token

  1. Go to the dashboard.
  2. Open the drop-down menu next to the profile icon.
  3. Select “Access Tokens”.
     Screenshot of the “Access Tokens” drop-down menu
  4. Click “Create token”.
     Screenshot of the “Create token” button
  5. Enter GitLab CI in the “Name” field and choose an expiration date if necessary.
     Screenshot of the token creation form
  6. Copy the value of the resulting token.
     Screenshot of token copying
  7. Go back to GitLab.
  8. In the “Key” field of the new variable, enter SOLIDPOINT_TOKEN.
  9. In the “Value” field, paste the token you copied.
  10. Tick the “Mask variable” checkbox so the token value is hidden in job logs. Masking only affects the logs: anyone who can run a pipeline in the project can still read the variable, so if the scan should only run from protected branches, tick “Protect variable” as well.
  11. Click the “Add Variable” button.

    Screenshot of the creation of a token variable

Setting up a CI/CD configuration

In GitLab, click the “CI/CD configuration” button.

Screenshot of the “CI/CD configuration” button

In the editor that opens, click the “Configure Pipeline” button.

Screenshot of the “Configure Pipeline” button

Creating a job for scanning

The job runs in the Docker image repo.solidpoint.net/solidpoint-cli. The GitLab Runner that picks up the job (one tagged docker, see tags below) must be able to pull this image, or have it pre-installed. Copy and paste the following code into the editor to define the job:

solidpoint:
  image:
    name: repo.solidpoint.net/solidpoint-cli
    entrypoint: [""]          # run the job's script with a shell, not the image's default entrypoint
  tags: [docker]              # the job is only scheduled on runners tagged "docker"
  script:
    # SOLIDPOINT_BASE_URL and SOLIDPOINT_TOKEN are read from the job environment
    - solidpoint-cli scan new-ci --url http://xxe-shop.stands.fuchsia

Screenshot of pasting the code into the editor

The address to scan can be set in the script field in several ways. The example above uses a static address. To set a dynamic address, use:

- solidpoint-cli scan new-ci --url $URL

Screenshot of the assignment of a dynamic address

Here the script reads the address from the $URL variable. $URL is not a GitLab built-in: define it as a project CI/CD variable, in the job's variables: section, or pass it when running the pipeline manually.

An alternative is to define a target in the dashboard. Each target is assigned a unique TargetID when it is created; pass that ID instead of a URL:

- solidpoint-cli scan new-ci --targetID 123

Screenshot of setting the target

The job is ready. To start it, write a commit message and click the “Commit changes” button; the pipeline runs on every push once the job is in .gitlab-ci.yml.
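The whole job as one complete .gitlab-ci.yml, as an added example that is not from the original page or from SolidPoint: it combines the image, tag and CLI invocation shown above with a job-level URL variable, pipeline rules and a fail-fast check that the two project variables exist. The staging URL, the branch rules, the shell checks and the allow_failure setting are assumptions for illustration; the only solidpoint-cli flags used are the ones shown on this page, and SOLIDPOINT_BASE_URL and SOLIDPOINT_TOKEN are the project variables created earlier.

```yaml
# .gitlab-ci.yml (added example, not the vendor's reference configuration)
solidpoint:
  image:
    name: repo.solidpoint.net/solidpoint-cli
    entrypoint: [""]          # run script lines with a shell instead of the image entrypoint
  tags: [docker]              # only runners tagged "docker" pick up this job
  variables:
    # Assumed scan target; override it per pipeline (Run pipeline -> Variables)
    # or per branch with a scoped project variable.
    URL: "https://staging.example.com"
  rules:
    # Assumed policy: scan merge requests and the default branch, nothing else.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    # Fail with a readable message if the project variables are missing,
    # rather than letting the CLI fail with a connection or authentication error.
    - test -n "$SOLIDPOINT_BASE_URL" || { echo "SOLIDPOINT_BASE_URL is not set"; exit 1; }
    - test -n "$SOLIDPOINT_TOKEN" || { echo "SOLIDPOINT_TOKEN is not set"; exit 1; }
    # Log the target and scanner address, never the token.
    - echo "Scanning $URL via $SOLIDPOINT_BASE_URL"
    - solidpoint-cli scan new-ci --url "$URL"
  # The CLI exits non-zero when findings exist, which fails this job and the pipeline.
  # Switch to allow_failure: true to make the scan advisory while triaging first results.
  allow_failure: false
```

Because SOLIDPOINT_TOKEN is masked, the two test -n checks print only a fixed message; the echo line is safe because neither the target URL nor the scanner base URL is a secret.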

View a job in progress

There are two ways to follow the job in real time, with progress and the final result:

GitLab interface

Screenshot of the pipeline job icon

Screenshot of the job execution in GitLab

Dashboard

Screenshot of the scan preview in the dashboard

Screenshot of the job execution in the dashboard

When the scan finishes, the job exits with a non-zero code if any issues were identified. GitLab treats that as a failed job, so the pipeline (and any merge request waiting on it) fails until the findings are fixed or the job is marked allow_failure: true.