diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4a541c5..5925bdc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,34 +1,51 @@ +# Comment/Uncomment the below depending on whether you are using Fortify on Demand +# or ScanCentral SAST/DAST. include: - - local: '/devops-integrations/gitlab/debricked-sca.yml' - - local: '/devops-integrations/gitlab/fortify-sast-scancentral.yml' - - local: '/devops-integrations/gitlab/fortify-dast-scancentral.yml' - #- local: '/devops-integrations/gitlab/fortify-sast-fod.yml' - + #- local: '/devops-integrations/gitlab/debricked-sca.yml' + #- local: '/devops-integrations/gitlab/fortify-sca.yml' + #- local: '/devops-integrations/gitlab/fortify-sast-scancentral.yml' + #- local: '/devops-integrations/gitlab/fortify-dast-api-scancentral.yml' + #- local: '/devops-integrations/gitlab/fortify-dast-web-scancentral.yml' + - local: '/devops-integrations/gitlab/fortify-sast-fod.yml' + - local: '/devops-integrations/gitlab/fortify-dast-fod.yml' + #- local: '/devops-integrations/gitlab/fortify-ssc-gate.yml' + - local: '/devops-integrations/gitlab/fortify-fod-gate.yml' + stages: - build - deploy - test + - dast + - report build: stage: build - image: maven:3.8.6-eclipse-temurin-8 + image: maven:3.9-eclipse-temurin-11 - script: + script: - echo Building project... - - mvn -Pjar clean package + - mvn -Dskip.unit.tests=false -DfailIfNoTests=false -Dtest="*,!PasswordConstraintValidatorTest,!UserServiceTest,!DefaultControllerTest" -P jar -B verify package --file pom.xml - mvn dependency:tree -DoutputFile=.debricked-maven-dependencies.tgf -DoutputType=tgf - when: manual + #when: manual artifacts: paths: - - .debricked-maven-dependencies.tgf - - / + - .debricked-maven-dependencies.tgf + - target/surefire-reports/TEST-*.xml expire_in: 3 days - when: on_success + reports: + junit: target/surefire-reports/TEST-*.xml + when: always deploy: stage: deploy needs: [build] script: - echo 'Simulating deployment of application...' + +functional-test: + stage: test + needs: [deploy] + script: + - echo 'Simulating functional test of application...' 
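Review bot: The new `mvn` line in the `build` job excludes `PasswordConstraintValidatorTest`, `UserServiceTest` and `DefaultControllerTest` through `-Dtest="*,!…"`, which — judging by the name — drops the test for password-policy enforcement from every pipeline with no explanation; if the exclusion is deliberate it needs a comment above the script line such as `# TODO: PasswordConstraintValidatorTest/UserServiceTest/DefaultControllerTest excluded because …; re-enable before relying on CI for this check`, otherwise remove the `!` entries. `image: maven:3.9-eclipse-temurin-11` is a floating tag, so the build toolchain can change underneath the pipeline; pinning the image by digest keeps the build reproducible. The `dast` stage added to `stages:` is not used by any job this commit includes — the DAST jobs all declare `stage: test` — so either move them to `stage: dast` or drop the stage.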
diff --git a/devops-integrations/gitlab/debricked-sca.yml b/devops-integrations/gitlab/debricked-sca.yml index 98eb1ff..d560f80 100644 --- a/devops-integrations/gitlab/debricked-sca.yml +++ b/devops-integrations/gitlab/debricked-sca.yml @@ -1,13 +1,17 @@ # Integrate Debricked software composition analysis into your Gitlab CICD pipeline -# The following Gitlab environment variables must be defined before using this job +# The following Gitab environment variables must be defined before using this job # - $DEBRICKED_TOKEN +# - $DEBRICKED_REPO -debricked-sca: +debricked-scan: + image: maven:3.9-eclipse-temurin-11 stage: test - script: - - curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked - - ./debricked scan needs: [build] variables: - DEBRICKED_TOKEN: $DEBRICKED_TOKEN + DEBRICKED_TOKEN: $DEBRICKED_TOKEN + DEBRICKED_EXCLUSIONS: "*.lock,*.json,*fingerprints*,target/**,samples/**" + script: + - curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked + - chmod +x debricked + - ./debricked scan --callgraph --prefer-npm -r "${DEBRICKED_REPO}" --access-token="${DEBRICKED_TOKEN}" . allow_failure: true diff --git a/devops-integrations/gitlab/fortify-dast-api-scancentral.yml b/devops-integrations/gitlab/fortify-dast-api-scancentral.yml new file mode 100644 index 0000000..4a571b8 --- /dev/null +++ b/devops-integrations/gitlab/fortify-dast-api-scancentral.yml 
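Review bot: The CLI download `curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked` pulls a moving release tag with no integrity check and no `-f`/`--fail`, so a tampered or failed download is piped straight into `tar` and then executed with the project's `DEBRICKED_TOKEN` and repository contents. Pin to a specific release asset, download to a file with `curl -fsSL -o debricked.tgz <pinned-url>`, verify its published checksum with `sha256sum -c` and only then `tar -xzf debricked.tgz debricked`. `--access-token="${DEBRICKED_TOKEN}"` also duplicates the `DEBRICKED_TOKEN` already exported in `variables:`; if the CLI reads that variable (not visible here), dropping the flag keeps the secret off the command line and out of the echoed script in the job log. The rewritten header comment introduces the typo `Gitab` for `Gitlab`.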
@@ -0,0 +1,40 @@ +# Integrate Fortify ScanCentral Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline +# The following Gitlab environment variables must be defined before using this job +# - $_FCLI_DEFAULT_SSC_URL +# - $_FCLI_DEFAULT_SSC_USER +# - $_FCLI_DEFAULT_SSC_PASSWORD +# - $SSC_APP_VERSION_ID +# - $SC_DAST_API_SETTINGS + +fortify-dast-api: + image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17 + stage: test + needs: [deploy] + only: + variables: + - $CI_COMMIT_BRANCH == "main" + variables: + FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER + FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD + FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN + FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL + SC_DAST_API_SETTINGS: $SC_DAST_API_SETTINGS + SC_DAST_SCAN_NAME: "GitLab-Pipelines-API-Scan" + script: + - fcli ssc session login + - fcli sc-dast session login + + - fcli sc-dast scan start --name "$SC_DAST_SCAN_NAME" --settings $SC_DAST_API_SETTINGS --store=Id + - 'fcli sc-dast scan wait-for ::Id:: --interval=30s' + + - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID + - fcli ssc action run gitlab-dast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000 + + - fcli sc-dast session logout + - fcli ssc session logout + allow_failure: true + artifacts: + reports: + dast: gl-fortify-dast.json + expire_in: 3 days + when: always diff --git a/devops-integrations/gitlab/fortify-dast-fod.yml b/devops-integrations/gitlab/fortify-dast-fod.yml new file mode 100644 index 0000000..23a0af8 --- /dev/null +++ b/devops-integrations/gitlab/fortify-dast-fod.yml 
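Review bot: The job maps `FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN` but the header comment lists only the URL, user and password, so anyone provisioning CI variables from the comment will leave the token unset and the job will run a scan-and-report task on the full user/password pair. Add `# - $_FCLI_DEFAULT_SSC_CI_TOKEN` to the header and, if `fcli ssc session login` accepts the token alone (which credential fcli prefers when both are set is not visible here), drop the `FCLI_DEFAULT_SSC_PASSWORD` mapping so the job holds only the least-privileged credential. `fcli sc-dast scan wait-for ::Id:: --interval=30s` has no upper bound, so a stuck scan keeps the job alive until the runner timeout; a `--timeout` sized to the expected scan length would fail fast and release the runner.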
@@ -0,0 +1,39 @@ +# Integrate Fortify on Demand Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline +# The following Gitlab environment variables must be defined before using this job +# - $_FOD_RELEASE_ID +# - $_FCLI_DEFAULT_FOD_USER +# - $_FCLI_DEFAULT_FOD_PASSWORD +# - $_FCLI_DEFAULT_FOD_TENANT +# - $_FCLI_DEFAULT_FOD_URL +# Note: this assumes the FoD Release has already been configured for a DAST Automated Website scan + +fortify-dast: + image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17 + stage: test + needs: [deploy] + only: + variables: + - $CI_COMMIT_BRANCH == "main" + variables: + FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER + FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD + FCLI_DEFAULT_FOD_TENANT: $_FCLI_DEFAULT_FOD_TENANT + FCLI_DEFAULT_FOD_URL: $_FCLI_DEFAULT_FOD_URL + FOD_RELEASE_ID: $_FOD_RELEASE_ID + FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL" + script: + - fcli fod session login + + - fcli fod dast start --release=$FOD_RELEASE_ID --store=Id + - 'fcli fod dast wait-for ::Id:: --interval=30s' + + - 'fcli fod issue list --release=$FOD_RELEASE_ID --filters-param "scanType:Dynamic+severty:Critical|High"' + - fcli fod action run gitlab-dast-report --release=$FOD_RELEASE_ID + + - fcli fod session logout + allow_failure: true + artifacts: + reports: + dast: gl-fortify-dast.json + expire_in: 3 days + when: always diff --git a/devops-integrations/gitlab/fortify-dast-web-scancentral.yml b/devops-integrations/gitlab/fortify-dast-web-scancentral.yml new file mode 100644 index 0000000..58d4eae --- /dev/null +++ b/devops-integrations/gitlab/fortify-dast-web-scancentral.yml 
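Review bot: `--filters-param "scanType:Dynamic+severty:Critical|High"` misspells `severity`, so the severity filter is either rejected or silently ignored by FoD and the issue listing does not show what the step intends; with `allow_failure: true` on the job an error here never surfaces. Change it to `"scanType:Dynamic+severity:Critical|High"`. `FOD_NOTES` is defined in `variables:` but never passed to `fcli fod dast start`; either add `--notes="$FOD_NOTES"` if that command supports it or remove the variable so the job's inputs match what it actually uses.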
@@ -0,0 +1,40 @@ +# Integrate Fortify ScanCentral Dynamic AppSec Testing (DAST) into your Gitlab CICD pipeline +# The following Gitlab environment variables must be defined before using this job +# - $_FCLI_DEFAULT_SSC_URL +# - $_FCLI_DEFAULT_SSC_USER +# - $_FCLI_DEFAULT_SSC_PASSWORD +# - $SSC_APP_VERSION_ID +# - $SC_DAST_WEB_SETTINGS + +fortify-dast-web: + image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17 + stage: test + needs: [deploy] + only: + variables: + - $CI_COMMIT_BRANCH == "main" + variables: + FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER + FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD + FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN + FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL + SC_DAST_WEB_SETTINGS: $SC_DAST_WEB_SETTINGS + SC_DAST_SCAN_NAME: "GitLab-Pipelines-Web-Scan" + script: + - fcli ssc session login + - fcli sc-dast session login + + - fcli sc-dast scan start --name "$SC_DAST_SCAN_NAME" --settings $SC_DAST_WEB_SETTINGS --store=Id + - 'fcli sc-dast scan wait-for ::Id:: --interval=30s' + + - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID + - fcli ssc action run gitlab-dast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000 + + - fcli sc-dast session logout + - fcli ssc session logout + allow_failure: true + artifacts: + reports: + dast: gl-fortify-dast.json + expire_in: 3 days + when: always diff --git a/devops-integrations/gitlab/fortify-fod-gate.yml b/devops-integrations/gitlab/fortify-fod-gate.yml new file mode 100644 index 0000000..555d3b6 --- /dev/null +++ b/devops-integrations/gitlab/fortify-fod-gate.yml 
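Review bot: `fortify-dast-web` declares `stage: test` with `needs: [deploy]` even though this commit adds a dedicated `dast` stage to `.gitlab-ci.yml`, leaving that stage empty while the DAST job shares the `test` stage with `functional-test`; `stage: dast` here (and in `fortify-dast-api`) matches the new layout. The job is otherwise line-for-line identical to `fortify-dast-api` apart from the settings variable and scan name, so an `extends:` base job would keep the two from drifting. `only: variables:` is the legacy keyword set; the equivalent `rules: - if: $CI_COMMIT_BRANCH == "main"` is the form GitLab recommends and composes cleanly with `needs`.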
@@ -0,0 +1,25 @@ +# Integrate Fortify on Demand Static Security Gate into your Gitlab CICD pipeline +# The following Gitlab environment variables must be defined before using this job +# - $_FOD_RELEASE_ID +# - $_FCLI_DEFAULT_FOD_USER +# - $_FCLI_DEFAULT_FOD_PASSWORD +# - $_FCLI_DEFAULT_FOD_TENANT +# - $_FCLI_DEFAULT_FOD_URL + +fortify-security-gate: + image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17 + stage: report + variables: + FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER + FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD + FCLI_DEFAULT_FOD_TENANT: $_FCLI_DEFAULT_FOD_TENANT + FCLI_DEFAULT_FOD_URL: $_FCLI_DEFAULT_FOD_URL + FOD_RELEASE_ID: $_FOD_RELEASE_ID + FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL" + script: + - fcli fod session login + + - fcli fod action run release-summary --release=$FOD_RELEASE_ID + - fcli fod action run check-policy --release=$FOD_RELEASE_ID + + - fcli fod session logout diff --git a/devops-integrations/gitlab/fortify-sast-fod.yml b/devops-integrations/gitlab/fortify-sast-fod.yml index f72fd01..dc1d9e4 100644 --- a/devops-integrations/gitlab/fortify-sast-fod.yml +++ b/devops-integrations/gitlab/fortify-sast-fod.yml @@ -1,13 +1,16 @@ # Integrate Fortify on Demand Static AppSec Testing (SAST) into your Gitlab CICD pipeline # The following Gitlab environment variables must be defined before using this job -# - $FOD_RELEASE_ID -# - $FOD_USER -# - $FOD_PAT -# - $FOD_TENANT +# - $_FOD_RELEASE_ID +# - $_FCLI_DEFAULT_FOD_USER +# - $_FCLI_DEFAULT_FOD_PASSWORD +# - $_FCLI_DEFAULT_FOD_TENANT +# - $_FCLI_DEFAULT_FOD_URL +# Note: this assumes the FoD Release has already been configured fortify-sast: - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 + image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17 stage: test + needs: [build] variables: FCLI_DEFAULT_FOD_USER: $_FCLI_DEFAULT_FOD_USER FCLI_DEFAULT_FOD_PASSWORD: $_FCLI_DEFAULT_FOD_PASSWORD 
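Review bot: `fortify-security-gate` has no `needs:` and `fcli fod action run check-policy --release=$FOD_RELEASE_ID` evaluates the release's current policy state rather than the scan this pipeline submitted; because `fortify-sast` and `fortify-dast` both set `allow_failure: true`, a failed package or upload leaves the gate judging the previous scan's results and the pipeline goes green. Declare the dependency explicitly, `needs: [{job: fortify-sast}, {job: fortify-dast, optional: true}]` (DAST is restricted to `main`), and decide whether a failed upstream scan should fail the gate rather than be ignored. `FOD_NOTES` is defined in `variables:` but nothing in this job uses it.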
@@ -17,11 +20,14 @@ fortify-sast: FOD_NOTES: "Triggered by Gitlab Pipeline IID $CI_PIPELINE_IID: $CI_PIPELINE_URL" script: - fcli fod session login + - scancentral package -bt mvn -oss -o package.zip - fcli fod sast start --release=$FOD_RELEASE_ID --file=package.zip --remediation=NonRemediationScanOnly --notes="$FOD_NOTES" --store=Id - 'fcli fod sast wait-for ::Id:: --interval=30s' - - fcli fod issue list --release=$FOD_RELEASE_ID + + - 'fcli fod issue list --release=$FOD_RELEASE_ID --filters-param "scanType:Static+severty:Critical|High"' - fcli fod action run gitlab-sast-report --release=$FOD_RELEASE_ID + - fcli fod session logout allow_failure: true artifacts: diff --git a/devops-integrations/gitlab/fortify-sast-scancentral.yml b/devops-integrations/gitlab/fortify-sast-scancentral.yml index bad60df..f54b2be 100644 --- a/devops-integrations/gitlab/fortify-sast-scancentral.yml +++ b/devops-integrations/gitlab/fortify-sast-scancentral.yml @@ -5,11 +5,11 @@ # - $_FCLI_DEFAULT_SSC_URL # - $_FCLI_DEFAULT_SSC_USER # - $_FCLI_DEFAULT_SSC_PASSWORD -# - $_SSC_APP_VERSION_ID +# - $SSC_APP_VERSION_ID fortify-sast: stage: test - image: fortifydocker/fortify-ci-tools:5.4.1-jdk-17 + image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17 needs: [build] variables: SC_SAST_SENSOR_VERSION: 24.2 
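Review bot: The added issue listing `--filters-param "scanType:Static+severty:Critical|High"` misspells `severity`; the filter will not match the intended field, and with `allow_failure: true` on the job any rejection by FoD is hidden. Use `"scanType:Static+severity:Critical|High"`. The same misspelling is introduced in the new `fortify-dast-fod.yml`. The `fortify-sast` job begins above this hunk and its `artifacts:` section continues below it.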
@@ -18,22 +18,19 @@ fortify-sast: FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL - SSC_APP_VERSION_ID: $_SSC_APP_VERSION_ID script: - fcli ssc session login - - fcli sc-sast session login - + - fcli sc-sast session login + - scancentral package -bt mvn -o package.zip - fcli sc-sast scan start --publish-to=$SSC_APP_VERSION_ID --sensor-version=$SC_SAST_SENSOR_VERSION --package-file=package.zip --store=Id - - 'fcli sc-sast scan wait-for ::Id:: --interval=30s' - - - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID + - fcli ssc issue count --appversion=$SSC_APP_VERSION_ID - fcli ssc action run gitlab-sast-report --appversion=$SSC_APP_VERSION_ID --page-size=1000 - + - fcli sc-sast session logout - - fcli ssc session logout + - fcli ssc session logout allow_failure: true artifacts: reports: diff --git a/devops-integrations/gitlab/fortify-sca.yml b/devops-integrations/gitlab/fortify-sca.yml new file mode 100644 index 0000000..c62fc72 --- /dev/null +++ b/devops-integrations/gitlab/fortify-sca.yml 
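Review bot: On the new side `fcli sc-sast scan start … --store=Id` is followed directly by `fcli ssc issue count` and the `gitlab-sast-report` action, with the `scan wait-for ::Id::` step removed, so the issue count and the GitLab SAST report are produced from whatever SSC already held for `$SSC_APP_VERSION_ID` rather than from this pipeline's scan, and the stored `::Id::` is never consumed. Reinstate `'fcli sc-sast scan wait-for ::Id:: --interval=30s'` between the start and the report steps; the FoD and DAST jobs in this commit all keep their wait step. The job's `artifacts:` block continues below the hunk.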
@@ -0,0 +1,51 @@ +# Integrate Debricked software composition analysis into your Gitlab CICD pipeline +# The following Gitlab environment variables must be defined before using this job +# - $DEBRICKED_TOKEN +# - $DEBRICKED_REPO +# - $_FCLI_DEFAULT_SSC_URL +# - $_FCLI_DEFAULT_SSC_USER +# - $_FCLI_DEFAULT_SSC_PASSWORD +# - $SSC_APP_VERSION_ID + +debricked-scan: + image: maven:3.9-eclipse-temurin-11 + stage: test + needs: [build] + variables: + DEBRICKED_TOKEN: $DEBRICKED_TOKEN + DEBRICKED_EXCLUSIONS: "*.lock,*.json,*fingerprints*,target/**,samples/**" + script: + - curl -L https://github.com/debricked/cli/releases/download/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked + - chmod +x debricked + - ./debricked scan --callgraph --prefer-npm -r "${DEBRICKED_REPO}" --access-token="${DEBRICKED_TOKEN}" . + allow_failure: true + +fortify-sca: + image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17 + stage: test + needs: [debricked-scan] + variables: + FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER + FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD + FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL + script: + - fcli ssc session login + + - fcli ssc artifact import-debricked --appversion=$SSC_APP_VERSION_ID --debricked-access-token=$DEBRICKED_TOKEN --repository=$DEBRICKED_REPO --branch=$CI_COMMIT_BRANCH --save-sbom-as=debricked-sbom.json --store=Id + + - 'fcli ssc artifact wait-for ::Id:: --interval=30s' + + - fcli ssc action run appversion-summary --appversion=$SSC_APP_VERSION_ID + - fcli ssc action run gitlab-debricked-report --appversion=$SSC_APP_VERSION_ID + + - fcli ssc session logout + allow_failure: true + artifacts: + reports: + dependency_scanning: gl-fortify-debricked-depscan.json + #cyclonedx: debricked-sbom.json + paths: + - debricked-sbom.json + expire_in: 3 days + when: always + diff --git a/devops-integrations/gitlab/fortify-ssc-gate.yml b/devops-integrations/gitlab/fortify-ssc-gate.yml new file mode 100644 index 0000000..d0c1dfa --- /dev/null 
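Review bot: This file defines a `debricked-scan` job with the same name as the one in `devops-integrations/gitlab/debricked-sca.yml`; GitLab merges included files into one configuration, so if both includes are enabled the later definition replaces the earlier one without an error (confirm against the include merge rules), and `fortify-sca`'s `needs: [debricked-scan]` then points at whichever copy won. Either remove the copy here and have `fortify-sca` depend on the shared job, or give this one a distinct name. The CLI fetch `curl -L …/release-v2/cli_linux_x86_64.tar.gz | tar -xz debricked` repeats the unpinned, unverified download from debricked-sca.yml, and `--debricked-access-token=$DEBRICKED_TOKEN` puts the token on the `fcli` command line where the runner echoes it (masked only if the variable is marked masked). The header comment also describes the file as a Debricked integration while the job that gives it its name, `fortify-sca`, imports results into SSC.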
+++ b/devops-integrations/gitlab/fortify-ssc-gate.yml @@ -0,0 +1,23 @@ +# Integrate Fortify Software Security Center Gate into your Gitlab CICD pipeline +# The following Gitlab environment variables must be defined before using this job +# - $_FCLI_DEFAULT_SSC_CI_TOKEN +# - $_FCLI_DEFAULT_SSC_URL +# - $_FCLI_DEFAULT_SSC_USER +# - $_FCLI_DEFAULT_SSC_PASSWORD +# - $SSC_APP_VERSION_ID + +fortify-security-gate: + image: fortifydocker/fortify-ci-tools:5.5.0-jdk-17 + stage: report + variables: + FCLI_DEFAULT_SSC_USER: $_FCLI_DEFAULT_SSC_USER + FCLI_DEFAULT_SSC_PASSWORD: $_FCLI_DEFAULT_SSC_PASSWORD + FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN + FCLI_DEFAULT_SSC_URL: $_FCLI_DEFAULT_SSC_URL + script: + - fcli ssc session login + + - fcli ssc action run appversion-summary --appversion=$SSC_APP_VERSION_ID --filtersets="default" + - fcli ssc action run check-policy --appversion=$SSC_APP_VERSION_ID + + - fcli ssc session logout
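Review bot: `fortify-security-gate` maps both `FCLI_DEFAULT_SSC_PASSWORD` and `FCLI_DEFAULT_SSC_CI_TOKEN` into a job whose script only runs the read-only `appversion-summary` and `check-policy` actions; SSC's CI token type is intended for exactly this kind of automation, while the user password carries that account's full rights, so the password should not be exposed to this job at all. Keep only `FCLI_DEFAULT_SSC_CI_TOKEN: $_FCLI_DEFAULT_SSC_CI_TOKEN` and `FCLI_DEFAULT_SSC_URL`, and confirm `fcli ssc session login` succeeds with the token alone (which credential fcli picks when both are set is not visible here). Like the FoD gate, the job has no `needs:` and evaluates the app version's current state rather than this pipeline's scan, so a failed (allowed) upstream scan still yields a green gate.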