Integrating GitLab-CI with DefectDojo

OWASP DefectDojo

While searching for a tool that could visualize the results of my scanners and integrate all of them easily, I stumbled upon DefectDojo in the OWASP project list.

GitLab-CI integration

Since I use GitLab-CI heavily, I will integrate the DefectDojo API into a pipeline there. The first job creates an engagement for the pipeline run and exports its id for the later import jobs.

variables:
  DEFECTDOJO_ENGAGEMENT_PERIOD: 7
  DEFECTDOJO_ENGAGEMENT_STATUS: "Not Started"
  DEFECTDOJO_ENGAGEMENT_BUILD_SERVER: "null"
  DEFECTDOJO_ENGAGEMENT_SOURCE_CODE_MANAGEMENT_SERVER: "null"
  DEFECTDOJO_ENGAGEMENT_ORCHESTRATION_ENGINE: "null"
  DEFECTDOJO_ENGAGEMENT_DEDUPLICATION_ON_ENGAGEMENT: "false"
  DEFECTDOJO_ENGAGEMENT_THREAT_MODEL: "true"
  DEFECTDOJO_ENGAGEMENT_API_TEST: "true"
  DEFECTDOJO_ENGAGEMENT_PEN_TEST: "true"
  DEFECTDOJO_ENGAGEMENT_CHECK_LIST: "true"
  DEFECTDOJO_NOT_ON_MASTER: "false"

defectdojo_create_engagement:
  stage: .pre
  image: alpine
  variables:
    GIT_STRATEGY: none
  rules:
    - if: '$DEFECTDOJO_NOT_ON_MASTER == "true" && $CI_COMMIT_BRANCH == "master"'
      when: never
    - when: always
  before_script:
    - apk add curl jq coreutils
    - TODAY=$(date +%Y-%m-%d)
    # coreutils is needed for "date -d"; busybox date does not support it
    - ENDDAY=$(date -d "+${DEFECTDOJO_ENGAGEMENT_PERIOD} days" +%Y-%m-%d)
  script:
    - |
      # NOTE: CI_COMMIT_DESCRIPTION is spliced into the JSON body unescaped;
      # a double quote in the commit message will break this request.
      ENGAGEMENTID=$(curl --fail --location --request POST "${DEFECTDOJO_URL}/engagements/" \
        --header "Authorization: Token ${DEFECTDOJO_TOKEN}" \
        --header 'Content-Type: application/json' \
        --data-raw "{
          \"tags\": [\"GITLAB-CI\"],
          \"name\": \"#${CI_PIPELINE_ID}\",
          \"description\": \"${CI_COMMIT_DESCRIPTION}\",
          \"version\": \"${CI_COMMIT_REF_NAME}\",
          \"first_contacted\": \"${TODAY}\",
          \"target_start\": \"${TODAY}\",
          \"target_end\": \"${ENDDAY}\",
          \"reason\": \"string\",
          \"tracker\": \"${CI_PROJECT_URL}/-/issues\",
          \"threat_model\": \"${DEFECTDOJO_ENGAGEMENT_THREAT_MODEL}\",
          \"api_test\": \"${DEFECTDOJO_ENGAGEMENT_API_TEST}\",
          \"pen_test\": \"${DEFECTDOJO_ENGAGEMENT_PEN_TEST}\",
          \"check_list\": \"${DEFECTDOJO_ENGAGEMENT_CHECK_LIST}\",
          \"status\": \"${DEFECTDOJO_ENGAGEMENT_STATUS}\",
          \"engagement_type\": \"CI/CD\",
          \"build_id\": \"${CI_PIPELINE_ID}\",
          \"commit_hash\": \"${CI_COMMIT_SHORT_SHA}\",
          \"branch_tag\": \"${CI_COMMIT_REF_NAME}\",
          \"deduplication_on_engagement\": \"${DEFECTDOJO_ENGAGEMENT_DEDUPLICATION_ON_ENGAGEMENT}\",
          \"product\": \"${DEFECTDOJO_PRODUCTID}\",
          \"source_code_management_uri\": \"${CI_PROJECT_URL}\",
          \"build_server\": ${DEFECTDOJO_ENGAGEMENT_BUILD_SERVER},
          \"source_code_management_server\": ${DEFECTDOJO_ENGAGEMENT_SOURCE_CODE_MANAGEMENT_SERVER},
          \"orchestration_engine\": ${DEFECTDOJO_ENGAGEMENT_ORCHESTRATION_ENGINE}
        }" | jq -r '.id')
    # The id is exported as a dotenv artifact so downstream jobs can reference it
    - echo "DEFECTDOJO_ENGAGEMENTID=${ENGAGEMENTID}" >> defectdojo.env
  artifacts:
    reports:
      dotenv: defectdojo.env
The job also expects the following values, which are not defined in the pipeline file and must be provided as project CI/CD variables (the token should be a masked, protected variable):

  • DEFECTDOJO_URL
  • DEFECTDOJO_TOKEN
  • DEFECTDOJO_PRODUCTID
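The engagement call above splices ${CI_COMMIT_DESCRIPTION} straight into a JSON string, so a commit message containing a double quote breaks the request. As an added example (not from the post or the DefectDojo project), here is the same call in Python with the body built by json.dumps; it uses the same variable names as the pipeline, assumes DEFECTDOJO_URL already ends in /api/v2 as in the curl call, and sends a subset of the engagement fields.

```python
import json
import urllib.request
from datetime import date, timedelta


def engagement_payload(env, today=None, period_days=7):
    """Build the /engagements/ body from a dict of CI variables (today: ISO date)."""
    start = date.fromisoformat(today) if today else date.today()
    end = start + timedelta(days=period_days)  # like DEFECTDOJO_ENGAGEMENT_PERIOD
    ref = env.get("CI_COMMIT_REF_NAME", "")
    dedup = env.get("DEFECTDOJO_ENGAGEMENT_DEDUPLICATION_ON_ENGAGEMENT", "false")
    return {
        "tags": ["GITLAB-CI"],
        "name": "#" + env.get("CI_PIPELINE_ID", ""),
        # Untrusted commit text is a plain value here; json.dumps escapes it.
        "description": env.get("CI_COMMIT_DESCRIPTION", ""),
        "version": ref,
        "first_contacted": start.isoformat(),
        "target_start": start.isoformat(),
        "target_end": end.isoformat(),
        "tracker": env.get("CI_PROJECT_URL", "") + "/-/issues",
        "status": env.get("DEFECTDOJO_ENGAGEMENT_STATUS", "Not Started"),
        "engagement_type": "CI/CD",
        "build_id": env.get("CI_PIPELINE_ID", ""),
        "commit_hash": env.get("CI_COMMIT_SHORT_SHA", ""),
        "branch_tag": ref,
        "deduplication_on_engagement": dedup == "true",
        "product": int(env["DEFECTDOJO_PRODUCTID"]),
        "source_code_management_uri": env.get("CI_PROJECT_URL", ""),
    }


def payload_bytes(payload):
    """Serialise the body; quotes and backslashes in values come out escaped."""
    return json.dumps(payload).encode("utf-8")


def create_engagement(base_url, token, payload):
    """POST the engagement and return its id; a 4xx/5xx response raises."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/engagements/",
        data=payload_bytes(payload),
        headers={"Authorization": "Token " + token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["id"]
```

In a job you would call engagement_payload(dict(os.environ)) and hand the result to create_engagement together with DEFECTDOJO_URL and DEFECTDOJO_TOKEN.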
include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - build
  - packaging
  - test
  - deploy

sast:
  artifacts:
    paths:
      - gl-sast-report.json

defectdojo_publish_gitlab_sast:
  stage: .post
  needs: ["defectdojo_create_engagement", "spotbugs-sast"]
  image: alpine
  allow_failure: true
  variables:
    DEFECTDOJO_SCAN_MINIMUM_SEVERITY: "Info"
    DEFECTDOJO_SCAN_ACTIVE: "true"
    DEFECTDOJO_SCAN_VERIFIED: "true"
    DEFECTDOJO_SCAN_CLOSE_OLD_FINDINGS: "true"
    DEFECTDOJO_SCAN_PUSH_TO_JIRA: "false"
    DEFECTDOJO_SCAN_ENVIRONMENT: "Default"
    DEFECTDOJO_ANCHORE_DISABLE: "false"
    DEFECTDOJO_SCAN_TEST_TYPE: "GitLab-CI Spotbugs"
    # Added here: the script below references these two variables but the
    # original snippet never defined them. The scan type is the name of
    # DefectDojo's GitLab SAST parser; the file is the artifact kept above.
    DEFECTDOJO_SCAN_TYPE: "GitLab SAST Report"
    DEFECTDOJO_SCAN_FILE: "gl-sast-report.json"
  before_script:
    - apk add curl coreutils
    - TODAY=$(date +%Y-%m-%d)
  script:
    - |
      # DEFECTDOJO_ENGAGEMENTID comes from the dotenv artifact of the .pre job
      curl --fail --location --request POST "${DEFECTDOJO_URL}/import-scan/" \
        --header "Authorization: Token ${DEFECTDOJO_TOKEN}" \
        --form "scan_date=\"${TODAY}\"" \
        --form "minimum_severity=\"${DEFECTDOJO_SCAN_MINIMUM_SEVERITY}\"" \
        --form "active=\"${DEFECTDOJO_SCAN_ACTIVE}\"" \
        --form "verified=\"${DEFECTDOJO_SCAN_VERIFIED}\"" \
        --form "scan_type=\"${DEFECTDOJO_SCAN_TYPE}\"" \
        --form "engagement=\"${DEFECTDOJO_ENGAGEMENTID}\"" \
        --form "file=@${DEFECTDOJO_SCAN_FILE}" \
        --form "close_old_findings=\"${DEFECTDOJO_SCAN_CLOSE_OLD_FINDINGS}\"" \
        --form "push_to_jira=\"${DEFECTDOJO_SCAN_PUSH_TO_JIRA}\"" \
        --form "test_type=\"${DEFECTDOJO_SCAN_TEST_TYPE}\"" \
        --form "environment=\"${DEFECTDOJO_SCAN_ENVIRONMENT}\""
  # The rules mirror the spotbugs-sast job of the SAST template, so the
  # publish job only runs when the scan it imports has actually run
  rules:
    - if: '$DEFECTDOJO_NOT_ON_MASTER == "true" && $CI_COMMIT_BRANCH == "master"'
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
      when: never
    - if: $SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
          $SAST_EXPERIMENTAL_FEATURES == 'true'
      exists:
        - '**/AndroidManifest.xml'
      when: never
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /spotbugs/
      exists:
        - '**/*.groovy'
        - '**/*.java'
        - '**/*.scala'

Example Code

In the following repository you'll find a working example that includes all GitLab SAST scans; in addition, I have added Anchore Engine, since I often use it.

Stefan Steinert

System Operator and DevOps Architect since childhood