npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
GitLab provides an integrated DevSecOps platform that embeds security testing directly into the CI/CD pipeline. By leveraging GitLab's built-in security scanners---SAST, DAST, container scanning, dependency scanning, secret detection, and license compliance---teams can shift security left, catching vulnerabilities during development rather than post-deployment. GitLab Duo AI assists with false positive detection for SAST vulnerabilities, helping security teams focus on genuine issues.
When to Use
- When deploying or configuring building devsecops pipeline with gitlab ci capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- GitLab Ultimate license (required for full security scanner suite)
- GitLab Runner configured (shared or self-hosted)
.gitlab-ci.ymlpipeline configuration familiarity- Docker-in-Docker (DinD) or Kaniko for container builds
- Application deployed to a staging environment for DAST scanning
Core Security Scanning Stages
Static Application Security Testing (SAST)
SAST analyzes source code for vulnerabilities before compilation. GitLab supports 14+ languages using analyzers such as Semgrep, SpotBugs, Gosec, Bandit, and NodeJsScan. The simplest inclusion uses GitLab's managed templates.
Dynamic Application Security Testing (DAST)
DAST tests running applications by simulating attack payloads against HTTP endpoints. It detects XSS, SQLi, CSRF, and other runtime vulnerabilities that static analysis cannot find. DAST requires a deployed, accessible target URL.
Container Scanning
Uses Trivy to scan Docker images for known CVEs in OS packages and application dependencies. Runs after the Docker build stage to gate images before they reach a registry.
Dependency Scanning
Inspects dependency manifests (package.json, requirements.txt, pom.xml, Gemfile.lock) for known vulnerable versions. Operates at the source code level, complementing container scanning.
Secret Detection
Scans commits for accidentally committed credentials, API keys, tokens, and private keys using pattern matching and entropy analysis. Runs on every commit to prevent secrets from reaching the repository.
Implementation
Complete Pipeline Configuration
# .gitlab-ci.yml
stages:
- build
- test
- security
- deploy-staging
- dast
- deploy-production
variables:
DOCKER_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
SECURE_LOG_LEVEL: "info"
# Include GitLab managed security templates
include:
- template: Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
- template: DAST.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml
build:
stage: build
image: docker:24.0
services:
- docker:24.0-dind
variables:
DOCKER_TLS_CERTDIR: "/certs"
script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker build -t $DOCKER_IMAGE .
- docker push $DOCKER_IMAGE
rules:
- if: $CI_COMMIT_BRANCH
unit-tests:
stage: test
image: $DOCKER_IMAGE
script:
- npm ci
- npm run test:coverage
coverage: '/Lines\s*:\s*(\d+\.?\d*)%/'
artifacts:
reports:
junit: junit-report.xml
coverage_report:
coverage_format: cobertura
path: coverage/cobertura-coverage.xml
# Override SAST to run in security stage
sast:
stage: security
variables:
SAST_EXCLUDED_PATHS: "spec,test,tests,tmp,node_modules"
SEARCH_MAX_DEPTH: 10
# Override container scanning
container_scanning:
stage: security
variables:
CS_IMAGE: $DOCKER_IMAGE
CS_SEVERITY_THRESHOLD: "HIGH"
# Override dependency scanning
dependency_scanning:
stage: security
# Override secret detection
secret_detection:
stage: security
# License compliance scanning
license_scanning:
stage: security
deploy-staging:
stage: deploy-staging
image: bitnami/kubectl:latest
script:
- kubectl set image deployment/app app=$DOCKER_IMAGE -n staging
- kubectl rollout status deployment/app -n staging --timeout=300s
environment:
name: staging
url: https://staging.example.com
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
# DAST runs against deployed staging
dast:
stage: dast
variables:
DAST_WEBSITE: https://staging.example.com
DAST_FULL_SCAN_ENABLED: "true"
DAST_BROWSER_SCAN: "true"
needs:
- deploy-staging
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
deploy-production:
stage: deploy-production
image: bitnami/kubectl:latest
script:
- kubectl set image deployment/app app=$DOCKER_IMAGE -n production
- kubectl rollout status deployment/app -n production --timeout=300s
environment:
name: production
url: https://app.example.com
when: manual
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCHSecurity Approval Policies
Configure scan execution policies to enforce mandatory security scans:
- Navigate to Security & Compliance > Policies
- Create a "Scan Execution Policy" requiring SAST and secret detection on all branches
- Create a "Merge Request Approval Policy" requiring security team approval when critical vulnerabilities are detected
Custom SAST Ruleset Configuration
Create .gitlab/sast-ruleset.toml to customize analyzer behavior:
[semgrep]
[[semgrep.ruleset]]
dirs = ["src"]
[[semgrep.passthrough]]
type = "url"
target = "/sgrep-rules/custom-rules.yml"
value = "https://semgrep.dev/p/owasp-top-ten"
[[semgrep.passthrough]]
type = "url"
target = "/sgrep-rules/java-rules.yml"
value = "https://semgrep.dev/p/java"Security Dashboard and Vulnerability Management
Vulnerability Report
GitLab consolidates all scanner findings into a single Vulnerability Report accessible at Security & Compliance > Vulnerability Report. Each vulnerability includes:
- Severity rating (Critical, High, Medium, Low, Info)
- Scanner source (SAST, DAST, Container, Dependency, Secret)
- Location in source code or image layer
- Remediation guidance and suggested fixes
- Status tracking (Detected, Confirmed, Dismissed, Resolved)
Merge Request Security Widget
Every merge request displays a security scanning widget showing:
- New vulnerabilities introduced by the MR
- Fixed vulnerabilities resolved by the MR
- Comparison against the target branch baseline
Pipeline Optimization
- Parallel execution: Security scanners run concurrently in the security stage
- Caching: Use CI cache for dependency downloads to speed up scanning
- Incremental scanning: SAST can scan only changed files using
SAST_INCREMENTAL: "true" - Fail conditions: Set
allow_failure: falseon critical scanners to enforce quality gates
Monitoring and Metrics
| Metric | Description | Target |
|---|---|---|
| Pipeline security coverage | Percentage of projects with all scanners enabled | > 95% |
| Critical vulnerability MTTR | Time from detection to resolution for critical findings | < 48 hours |
| False positive rate | Percentage of dismissed-as-false-positive findings | < 15% |
| Secret detection block rate | Percentage of secret commits blocked by push rules | > 99% |
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.5 KB
API Reference: GitLab CI DevSecOps Pipeline
GitLab Security Templates
| Template | Stage |
|---|---|
Security/SAST.gitlab-ci.yml |
Static analysis |
Security/DAST.gitlab-ci.yml |
Dynamic testing |
Security/Dependency-Scanning.gitlab-ci.yml |
Dependency audit |
Security/Container-Scanning.gitlab-ci.yml |
Container scan |
Security/Secret-Detection.gitlab-ci.yml |
Secret detection |
Security/IaC-Scanning.gitlab-ci.yml |
IaC security |
.gitlab-ci.yml Structure
include:
- template: Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
stages:
- build
- test
- security
- deploy
variables:
SECURE_LOG_LEVEL: infoGitLab CI Lint API
POST /api/v4/projects/:id/ci/lint
PRIVATE-TOKEN: your-token
Body: {"content": "yaml-string"}Security Variables
| Variable | Description |
|---|---|
SAST_DEFAULT_ANALYZERS |
Comma-separated analyzer list |
SAST_EXCLUDED_ANALYZERS |
Analyzers to skip |
CS_IMAGE |
Container image to scan |
DAST_WEBSITE |
Target URL for DAST |
SECRET_DETECTION_HISTORIC_SCAN |
Scan full history |
Vulnerability Report API
GET /api/v4/projects/:id/vulnerability_findingsSecurity Scanning Tools
| Tool | Type | Language |
|---|---|---|
| Semgrep | SAST | Multi-language |
| Bandit | SAST | Python |
| Trivy | Container | Container images |
| Gitleaks | Secret | Git history |
| KICS | IaC | Terraform/CloudFormation |
| ZAP | DAST | Web applications |
standards.md2.6 KB
Standards and Compliance Reference
OWASP DevSecOps Pipeline Maturity Model
| Level | SAST | DAST | SCA | Container | Secrets | License |
|---|---|---|---|---|---|---|
| Level 1 (Basic) | Manual runs | None | Manual dependency check | None | Pre-commit hooks | None |
| Level 2 (Integrated) | CI-triggered on MR | Scheduled scans | CI-triggered | Image scan on build | CI scan on commits | CI-triggered |
| Level 3 (Enforced) | Required for merge | Gate before deploy | Block on critical CVE | Block vulnerable images | Push protection | Policy enforcement |
| Level 4 (Optimized) | Custom rules, tuned FP | Authenticated full scan | Auto-remediation PRs | Signed images only | Auto-rotation | SBOM generation |
NIST SP 800-218 (SSDF) Mapping
| SSDF Practice | GitLab Feature | Pipeline Stage |
|---|---|---|
| PO.1 Define security requirements | Security policies | Policy configuration |
| PW.1 Design software securely | Threat modeling integration | Pre-build |
| PW.4 Reuse well-secured software | Dependency scanning | Security stage |
| PW.5 Create source code securely | SAST, secret detection | Security stage |
| PW.7 Review and test code | MR security widget | Merge request |
| PW.8 Test executable code | DAST | Post-deploy staging |
| PW.9 Configure software securely | Container scanning | Security stage |
| RV.1 Identify vulnerabilities | Vulnerability report | Dashboard |
| RV.2 Assess and prioritize | Severity classification | Triage workflow |
| RV.3 Remediate vulnerabilities | Issue tracking integration | Sprint planning |
CIS Software Supply Chain Security
- SCS-1: Secure source code management with protected branches and signed commits
- SCS-2: Secure build pipelines with pinned template versions and runner isolation
- SCS-3: Verified dependencies through dependency scanning and license compliance
- SCS-4: Secure artifacts with container scanning and signed images
- SCS-5: Deployment security with manual gates and environment approvals
GitLab Scanner Coverage Matrix
| Vulnerability Type | Primary Scanner | Secondary Scanner |
|---|---|---|
| SQL Injection | SAST (Semgrep) | DAST |
| XSS | SAST | DAST |
| SSRF | SAST | DAST |
| Command Injection | SAST | DAST |
| Insecure Deserialization | SAST | N/A |
| Known CVE in dependency | Dependency Scanning | Container Scanning |
| Hardcoded credentials | Secret Detection | SAST |
| License violation | License Scanning | N/A |
| OS-level CVE in image | Container Scanning | N/A |
| Authentication flaws | DAST | SAST |
workflows.md2.3 KB
GitLab DevSecOps Pipeline Workflows
Workflow 1: Merge Request Security Review
Developer creates merge request
|
Pipeline triggers security scanners in parallel:
[SAST] [Secret Detection] [Dependency Scanning] [License Scanning]
|
MR Security Widget displays results:
- New vulnerabilities introduced
- Existing vulnerabilities fixed
- Comparison with target branch
|
[No Critical/High] --> Reviewers can approve and merge
[Critical/High found] --> MR blocked by approval policy
|
Security team reviews findings
|
[Confirmed] --> Developer remediates and re-pushes
[False Positive] --> Dismissed with documented reason
|
All findings resolved --> MR eligible for mergeWorkflow 2: Container Image Security Gate
Docker image built in CI
|
Container scanning (Trivy) analyzes image layers
|
Findings categorized by severity
|
[Below threshold] --> Image pushed to registry with metadata
[Above threshold] --> Pipeline fails, image not pushed
|
Registry stores scan results as artifact
|
Deployment pulls only scanned/approved imagesWorkflow 3: DAST Against Staging Environment
Application deployed to staging
|
DAST browser scan initiated against staging URL
|
Authenticated scan crawls application pages
|
Active testing for XSS, SQLi, CSRF, etc.
|
Results added to vulnerability report
|
[Pass] --> Manual deploy-to-production gate enabled
[Fail on critical] --> Staging deployment rolled back
|
Production deploy requires manual approvalWorkflow 4: Vulnerability Lifecycle Management
Scanner detects vulnerability
|
Status: "Detected" in vulnerability report
|
Security analyst triages finding
|
[Confirmed vulnerability] [False positive]
| |
Status: "Confirmed" Status: "Dismissed"
Issue created automatically Reason documented
|
Developer assigned fix
|
Fix merged, scanner re-runs
|
Vulnerability no longer detected
|
Status: "Resolved"Scripts 2
agent.py4.8 KB
#!/usr/bin/env python3
"""DevSecOps Pipeline Builder Agent - Generates GitLab CI security scanning pipeline configurations."""
import json
import logging
import argparse
from datetime import datetime
import requests
logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)
SECURITY_STAGES = {
"sast": {
"template": "Security/SAST.gitlab-ci.yml",
"description": "Static Application Security Testing",
"tools": ["semgrep", "bandit", "eslint-security"],
},
"dast": {
"template": "Security/DAST.gitlab-ci.yml",
"description": "Dynamic Application Security Testing",
"tools": ["zap"],
},
"dependency_scanning": {
"template": "Security/Dependency-Scanning.gitlab-ci.yml",
"description": "Dependency vulnerability scanning",
"tools": ["gemnasium", "retire.js"],
},
"container_scanning": {
"template": "Security/Container-Scanning.gitlab-ci.yml",
"description": "Container image vulnerability scanning",
"tools": ["trivy", "grype"],
},
"secret_detection": {
"template": "Security/Secret-Detection.gitlab-ci.yml",
"description": "Secret and credential detection",
"tools": ["gitleaks"],
},
"license_scanning": {
"template": "Jobs/License-Scanning.gitlab-ci.yml",
"description": "License compliance scanning",
"tools": ["license-finder"],
},
"iac_scanning": {
"template": "Security/IaC-Scanning.gitlab-ci.yml",
"description": "Infrastructure as Code scanning",
"tools": ["kics"],
},
}
def generate_gitlab_ci(stages, project_type="python", registry="$CI_REGISTRY"):
"""Generate .gitlab-ci.yml with security scanning stages."""
ci_config = {
"stages": ["build", "test", "security", "deploy"],
"include": [],
"variables": {
"SECURE_LOG_LEVEL": "info",
"SAST_EXCLUDED_ANALYZERS": "",
},
}
for stage_name in stages:
stage = SECURITY_STAGES.get(stage_name)
if stage:
ci_config["include"].append({"template": stage["template"]})
if "container_scanning" in stages:
ci_config["variables"]["CS_IMAGE"] = f"{registry}/$CI_PROJECT_PATH:$CI_COMMIT_SHA"
if project_type == "python":
ci_config["variables"]["SAST_DEFAULT_ANALYZERS"] = "semgrep,bandit"
elif project_type == "javascript":
ci_config["variables"]["SAST_DEFAULT_ANALYZERS"] = "semgrep,eslint"
return ci_config
def validate_pipeline(gitlab_url, token, project_id, ci_content):
"""Validate CI configuration via GitLab API."""
headers = {"PRIVATE-TOKEN": token, "Content-Type": "application/json"}
data = {"content": json.dumps(ci_content)}
try:
resp = requests.post(f"{gitlab_url}/api/v4/projects/{project_id}/ci/lint", headers=headers, json=data, timeout=15)
return resp.json()
except requests.RequestException as e:
return {"error": str(e)}
def assess_pipeline_coverage(stages):
"""Assess security coverage of the pipeline."""
all_stages = set(SECURITY_STAGES.keys())
covered = set(stages) & all_stages
missing = all_stages - covered
coverage = len(covered) / len(all_stages) * 100
return {
"coverage_percent": round(coverage, 1),
"covered_stages": list(covered),
"missing_stages": list(missing),
"recommendation": "Add " + ", ".join(missing) if missing else "Full coverage",
}
def generate_report(ci_config, coverage, stages):
"""Generate DevSecOps pipeline report."""
report = {
"timestamp": datetime.utcnow().isoformat(),
"stages_configured": stages,
"security_coverage": coverage,
"gitlab_ci_config": ci_config,
}
print(f"DEVSECOPS REPORT: {len(stages)} stages, {coverage['coverage_percent']}% coverage")
return report
def main():
parser = argparse.ArgumentParser(description="DevSecOps Pipeline Builder Agent")
parser.add_argument("--stages", nargs="*", choices=list(SECURITY_STAGES.keys()), default=list(SECURITY_STAGES.keys()))
parser.add_argument("--project-type", choices=["python", "javascript", "java", "go"], default="python")
parser.add_argument("--gitlab-url", help="GitLab URL for validation")
parser.add_argument("--token", help="GitLab private token")
parser.add_argument("--project-id", help="GitLab project ID")
parser.add_argument("--output", default="devsecops_report.json")
args = parser.parse_args()
ci_config = generate_gitlab_ci(args.stages, args.project_type)
coverage = assess_pipeline_coverage(args.stages)
report = generate_report(ci_config, coverage, args.stages)
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
logger.info("Report saved to %s", args.output)
if __name__ == "__main__":
main()
process.py6.0 KB
#!/usr/bin/env python3
"""
GitLab DevSecOps Pipeline Security Report Generator
Queries GitLab API to aggregate security scanning results
across projects and generate compliance reports.
"""
import json
import os
import sys
import urllib.request
import urllib.error
from datetime import datetime
from collections import defaultdict
def gitlab_api_get(url: str, token: str) -> list | dict:
headers = {"PRIVATE-TOKEN": token, "Content-Type": "application/json"}
results = []
page = 1
while True:
sep = "&" if "?" in url else "?"
paginated = f"{url}{sep}per_page=100&page={page}"
req = urllib.request.Request(paginated, headers=headers)
try:
with urllib.request.urlopen(req) as resp:
data = json.loads(resp.read().decode())
if isinstance(data, list):
if not data:
break
results.extend(data)
page += 1
else:
return data
except urllib.error.HTTPError as e:
print(f"HTTP {e.code}: {e.read().decode()}")
break
return results
def get_group_projects(base_url: str, token: str, group_id: str) -> list:
url = f"{base_url}/api/v4/groups/{group_id}/projects?include_subgroups=true"
return gitlab_api_get(url, token)
def get_project_vulnerabilities(base_url: str, token: str, project_id: int) -> list:
url = f"{base_url}/api/v4/projects/{project_id}/vulnerabilities?state=detected"
return gitlab_api_get(url, token)
def get_pipeline_jobs(base_url: str, token: str, project_id: int, pipeline_id: int) -> list:
url = f"{base_url}/api/v4/projects/{project_id}/pipelines/{pipeline_id}/jobs"
return gitlab_api_get(url, token)
def check_security_scanners(jobs: list) -> dict:
scanner_names = {
"sast": False,
"secret_detection": False,
"dependency_scanning": False,
"container_scanning": False,
"dast": False,
"license_scanning": False,
}
for job in jobs:
name = job.get("name", "").lower()
for scanner in scanner_names:
if scanner.replace("_", "-") in name or scanner in name:
scanner_names[scanner] = True
return scanner_names
def generate_report(base_url: str, token: str, group_id: str) -> dict:
projects = get_group_projects(base_url, token, group_id)
report = {
"gitlab_instance": base_url,
"group_id": group_id,
"generated_at": datetime.utcnow().isoformat() + "Z",
"total_projects": len(projects),
"scanner_coverage": defaultdict(int),
"severity_totals": defaultdict(int),
"project_details": [],
}
for project in projects:
pid = project["id"]
name = project["path_with_namespace"]
vulns = get_project_vulnerabilities(base_url, token, pid)
severity_counts = defaultdict(int)
scanner_counts = defaultdict(int)
for v in vulns:
severity_counts[v.get("severity", "unknown")] += 1
scanner_counts[v.get("scanner", {}).get("name", "unknown")] += 1
report["severity_totals"][v.get("severity", "unknown")] += 1
pipelines = gitlab_api_get(
f"{base_url}/api/v4/projects/{pid}/pipelines?per_page=1&status=success", token
)
scanners_enabled = {}
if pipelines and isinstance(pipelines, list):
jobs = get_pipeline_jobs(base_url, token, pid, pipelines[0]["id"])
scanners_enabled = check_security_scanners(jobs)
for scanner, enabled in scanners_enabled.items():
if enabled:
report["scanner_coverage"][scanner] += 1
report["project_details"].append({
"project": name,
"open_vulnerabilities": len(vulns),
"by_severity": dict(severity_counts),
"by_scanner": dict(scanner_counts),
"scanners_enabled": scanners_enabled,
})
report["scanner_coverage"] = dict(report["scanner_coverage"])
report["severity_totals"] = dict(report["severity_totals"])
return report
def print_report(report: dict) -> None:
print(f"\n{'='*65}")
print(f"GitLab DevSecOps Security Report")
print(f"Instance: {report['gitlab_instance']}")
print(f"Generated: {report['generated_at']}")
print(f"{'='*65}")
print(f"\nTotal Projects: {report['total_projects']}")
print(f"\nScanner Coverage:")
for scanner, count in sorted(report["scanner_coverage"].items()):
pct = count / report["total_projects"] * 100 if report["total_projects"] > 0 else 0
print(f" {scanner:25s}: {count:3d}/{report['total_projects']} ({pct:.0f}%)")
print(f"\nVulnerability Summary:")
for sev in ["critical", "high", "medium", "low", "info", "unknown"]:
count = report["severity_totals"].get(sev, 0)
if count > 0:
print(f" {sev.upper():12s}: {count}")
total = sum(report["severity_totals"].values())
print(f" {'TOTAL':12s}: {total}")
print(f"\nTop 10 Projects by Open Vulnerabilities:")
sorted_projects = sorted(
report["project_details"], key=lambda p: p["open_vulnerabilities"], reverse=True
)
for p in sorted_projects[:10]:
print(f" {p['project']:45s} | Vulns: {p['open_vulnerabilities']}")
def main():
token = os.environ.get("GITLAB_TOKEN")
base_url = os.environ.get("GITLAB_URL", "https://gitlab.com")
group_id = os.environ.get("GITLAB_GROUP_ID")
if not token:
print("Error: GITLAB_TOKEN environment variable required")
sys.exit(1)
if not group_id:
print("Error: GITLAB_GROUP_ID environment variable required")
sys.exit(1)
report = generate_report(base_url, token, group_id)
print_report(report)
output = f"gitlab_devsecops_report_{datetime.utcnow().strftime('%Y%m%d')}.json"
with open(output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\nReport saved to: {output}")
if __name__ == "__main__":
main()