Gitlab上利用SAST进行代码审计-CFANZ编程社区

Gitlab上利用SAST进行代码审计

===================前置安装配置==========================

1、Gitlab 配置并启用SAST功能

Gitlab上利用SAST进行代码审计_sast

2、配置gitlab-runner

单独安装gitlab-runner，需要设置为share模式，便于配合多project使用

docker run -d --name gitlab-runner --restart always \
     -v /srv/gitlab-runner/config:/etc/gitlab-runner \
     -v /var/run/docker.sock:/var/run/docker.sock \
     gitlab/gitlab-runner:latest

3、进入gitlab-runner容器

docker exec -it gitlab-runner bash

进行runner注册

需要输入gitlab平台地址
认证token
runner的名称
runner的tag

root@af53e06a6c7a:/# gitlab-runner register
Runtime platform         arch=amd64 os=linux pid=20 revision=b37d3da9 version=14.3.0
Running in system-mode.                            
                                                   
Enter the GitLab instance URL (for example, https://gitlab.com/):
https://git.xxxxx.com/
Enter the registration token:
GWskbzm_xxxxxxxxx-Uxy
Enter a description for the runner:
[af53e06a6c7a]: security runner
Enter tags for the runner (comma-separated):
security
Registering runner... succeeded                runner=GWskbzm_
Enter an executor: docker, ssh, virtualbox, docker+machine, kubernetes, custom, docker-ssh, parallels, shell, docker-ssh+machine:
docker
Enter the default Docker image (for example, ruby:2.6):
alpine:latest
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!

重启容器

===================具体项目中配置==========================

1、在project code中新建 .gitlab-ci.yml文件

stages:
- test
sast:
  stage: test
  tags:
    - security
include:
- template: Security/SAST.gitlab-ci.yml
variables:
  SAST_EXPERIMENTAL_FEATURES: 'true'

tags 指定使用的 runner

template 配置SAST的yml文件

2、提交代码合并后，可以在gitlab平台上看Piplines和Jobs

#每次的分支提交代码都会进行一次的代码分析

#合并分支也会进行代码分析

Gitlab上利用SAST进行代码审计_sast_02