# SETUP STEPS (one-time NightVision setup; the commands below are documentation only and are not run by the pipeline)
# nightvision app create -n dvcsa
## note: under GitLab CI with docker:dind the app is reachable at the `docker` service hostname, not at localhost
# nightvision target create -n dvcsa -u https://docker:8999 --type api
# nightvision swagger extract ./ -t dvcsa --lang dotnet
## note: if your application requires authentication, add a `docker` alias for 127.0.0.1 to your
## local /etc/hosts so the same https://docker:8999 URL also resolves on your workstation.
## EX:
# echo "# gitlab" >> /etc/hosts
# echo "127.0.0.1 docker" >> /etc/hosts
## then you can record an authentication flow (not required for this app; shown as an example):
# nightvision auth playwright create -u $YOURURL -n $YOURAPP
## local scan command example
# nightvision scan -t dvcsa -a dvcsa
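# Pipeline layout: the API scan runs in `test`; `convert_sarif_to_gitlab`
# turns its SARIF output into a GitLab security report.
stages:
  - test
  - convert_sarif_to_gitlab

variables:
  # NightVision target / app / auth names consumed by the scan job.
  NIGHTVISION_TARGET: dvcsa-gitlab
  NIGHTVISION_APP: dvcsa-gitlab
  NIGHTVISION_AUTH: dvcsa-gitlab
  # Docker API endpoint of the docker:dind service. Port 2375 is the
  # *plain-text* Docker socket: anything that can reach it controls the
  # daemon (root-equivalent on the service container). This is tolerable only
  # because FF_NETWORK_PER_BUILD gives each job its own network; do not reuse
  # this value on a shared runner network.
  # NOTE(review): recent docker:dind images serve TLS on 2376 unless
  # DOCKER_TLS_CERTDIR is set to "" — confirm which mode the runner expects
  # before relying on 2375.
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
  # Quoted on purpose: GitLab expects the string "true", not a YAML boolean.
  FF_NETWORK_PER_BUILD: "true" # activate container-to-container networking

# No global `services:` on purpose: only the `test` job needs docker:dind and
# declares it itself. A global entry would also start a privileged Docker
# daemon for the SARIF conversion job, which never uses Docker.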
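# Starts the target app with docker-compose inside docker:dind, runs a
# NightVision API scan against it and publishes the SARIF plus container logs.
test:
  stage: test
  # NOTE(review): `ubuntu:latest` and `docker:dind` are floating tags; pin them
  # (tag or digest) so scans are reproducible and base-image changes are
  # reviewed instead of picked up silently.
  image: ubuntu:latest
  services:
    - docker:dind
  before_script:
    - apt-get update && apt-get install -y wget python3-venv python3-docker python3-pip python3 docker-compose curl gcc musl-dev libffi-dev
    - python3 -m venv venv
    - source venv/bin/activate
    # NOTE(review): unpinned PyPI installs, and semgrep is installed but never
    # invoked by this job. Pin versions (or drop semgrep) to shrink the
    # supply-chain surface.
    - pip3 install requests urllib3 semgrep
    # NightVision CLI. NOTE(review): this fetches an unpinned "latest" build
    # and runs it as root with no checksum/signature verification — pin a
    # release and verify a published digest here before trusting it in CI.
    - wget -q https://downloads.nightvision.net/binaries/latest/nightvision_latest_linux_amd64.tar.gz -O nightvision.tar.gz
    - tar -xzf nightvision.tar.gz
    - install -m 0755 nightvision /usr/local/bin/nightvision
  script:
    # Extract the OpenAPI spec from the .NET sources; a failed extraction is
    # tolerated and the committed backup spec is used instead.
    - nightvision swagger extract ./ --lang dotnet -t ${NIGHTVISION_APP} || true
    - if [ ! -e openapi-spec.yml ]; then cp backup-openapi-spec.yml openapi-spec.yml; fi
    # Start the app and poll until it answers, instead of a fixed 60 s sleep
    # that both wastes time and can end up scanning a half-started app.
    # -k is needed because the app serves a self-signed certificate; it is
    # only ever used against this local dind-hosted endpoint.
    - docker-compose up -d
    - |
      for attempt in $(seq 1 24); do
        curl -ks -o /dev/null https://docker:8999 && break
        sleep 5
      done
      curl -ks -o /dev/null https://docker:8999 || { echo "app at https://docker:8999 did not come up"; docker-compose logs; exit 1; }
    # Scan, then export SARIF for the scan id the CLI prints on its first
    # line. Fail loudly if no id came back rather than passing "" to export.
    # NOTE(review): the CLI's own API credential is not set in this file; if it
    # is a CI/CD variable, make sure it is masked and protected.
    - nightvision scan -t ${NIGHTVISION_TARGET} -a ${NIGHTVISION_APP} --auth ${NIGHTVISION_AUTH} > scan-results.txt
    - SCAN_ID="$(head -n 1 scan-results.txt)"
    - test -n "$SCAN_ID" || { echo "no scan id in scan-results.txt"; cat scan-results.txt; exit 1; }
    - nightvision export sarif -s "$SCAN_ID" --swagger-file openapi-spec.yml
    # Collect logs from every container, exited ones included, for debugging.
    - for c in $(docker ps -aq); do docker logs "$c" >> test.pod.logs 2>&1; done
  artifacts:
    # `when: always` keeps the logs on a failed run, which is when they matter.
    # NOTE(review): application logs may contain tokens or PII — review the
    # retention period and who can download artifacts.
    when: always
    paths:
      - openapi-spec.yml
      - test.pod.logs
      - results.sarif
    expire_in: 30 days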
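# Converts the SARIF produced by `test` into GitLab's security-report JSON and
# attaches it to the pipeline as a security report.
convert_sarif_to_gitlab:
  stage: convert_sarif_to_gitlab
  image: python:3.9
  # No Docker needed here; only the `test` artifacts are consumed.
  dependencies:
    - test
  script:
    # The converter is pinned to an immutable gist revision (commit SHA in the
    # URL), so the fetched code cannot change underneath us.
    # NOTE(review): it is still code pulled over the network at job time;
    # vendoring the script into the repo removes that dependency entirely.
    - wget -q -O convert_sarif_to_gitlab.py https://gist.githubusercontent.com/alex-nightvision/c928e87331f55e67e008bcc8c1033951/raw/2d1281a0b55f93428232f68d8d229b1d0f3854c4/convert_sarif_to_gitlab.py
    # results.sarif is the only SARIF artifact `test` publishes (presumably
    # what the converter reads — confirm); fail early with a clear message if
    # it is missing or empty instead of inside the converter.
    - test -s results.sarif || { echo "results.sarif missing or empty - did the scan job export it?"; exit 1; }
    - python3 convert_sarif_to_gitlab.py
  artifacts:
    reports:
      # Uploaded as a GitLab security report; the JSON schema is whatever the
      # converter emits.
      sast: gitlab_security_report.json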