Integrating Checkmarx with Gitlab CI / CD

Gowtham R
5 min read · Mar 29, 2021

Below is a write-up of the steps to follow to integrate Checkmarx with Gitlab CI/CD. There are two different approaches that can be followed. First, a brief description of both platforms.

Gitlab — GitLab is an end-to-end software development platform with built-in version control, issue tracking, code review, CI/CD, and more.

Checkmarx — Checkmarx offers a Continuous Security deployment designed to allow operations, developers, DevOps and the security team to easily collaborate on security issues, ensuring security enables the SDLC and doesn’t slow it down.

Gitlab CI/CD — Checkmarx Integration:

When it comes to integrating Gitlab with Checkmarx, the latter provides CxFlow, a Spring Boot application that initiates scans and orchestrates their results. It is the main automation driving the Gitlab and Checkmarx integration.

There are multiple ways to do this integration with Gitlab CI/CD. They are described at https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1929937052/GitLab+Integration

The steps below walk through one implementation method used to integrate CxSAST with Gitlab.

Step 1: Configure the environment variables for the application repository. Go to the application repository -> Settings -> CI/CD -> Variables and declare the variables required by the implementation.

Note that CX_FLOW_CONFIG is declared with the ‘File’ type, because the current implementation requires it. The available Gitlab CI/CD environment variables are documented at https://docs.gitlab.com/ee/ci/variables/README.html#gitlab-cicd-environment-variables and the Checkmarx-specific ones at

https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1929937052/GitLab+Integration#CI%2FCD-Variables

As mentioned, the implementation can be done in whichever way suits the organization’s requirements.

Step 2: Now navigate to the project’s .gitlab-ci.yml file and add the Checkmarx details. We made a dedicated yml file for Checkmarx and included it from the project’s .gitlab-ci.yml; the template we started from is:

https://raw.githubusercontent.com/checkmarx-ltd/cx-flow/master/templates/gitlab/v2/Checkmarx.gitlab-ci.yml

Step 3: Add the checkmarx.yml file to the project repo’s root folder. The available configuration options are documented at https://docs.gitlab.com/ee/ci/yaml/README.html . This again needs to be configured as per the organization’s implementation.
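To make steps 1 to 3 concrete, here is an added example of what a project’s .gitlab-ci.yml can look like when it pulls in the Checkmarx template linked above. This is illustrative code written for this write-up, not the template itself or the author’s project file; the only identifier taken from the page is the template URL and the CX_FLOW_CONFIG file variable, and the build job is a hypothetical placeholder.

```yaml
# Example .gitlab-ci.yml for the application repository (added illustration,
# not the project's own file). The Checkmarx/CxFlow jobs come from the remote
# template below; nothing Checkmarx-specific is redefined here.
include:
  - remote: 'https://raw.githubusercontent.com/checkmarx-ltd/cx-flow/master/templates/gitlab/v2/Checkmarx.gitlab-ci.yml'

# The template defines its own stage(s); do not override the `stages:` list
# unless you also list every stage the included template uses, or the pipeline
# will fail validation.

# Credentials and server settings for Checkmarx are NOT placed in this file.
# They are declared under Settings -> CI/CD -> Variables (step 1), using the
# variable names given in the Checkmarx GitLab integration documentation.
# Secrets there should be marked "Masked" (hidden from job logs) and, where the
# scan should only run from protected branches, "Protected".
# CX_FLOW_CONFIG is declared with type "File": GitLab writes its contents to a
# temporary file and exposes the path in the variable, which CxFlow reads.

# Hypothetical placeholder job representing the project's own build.
build-app:
  stage: build
  script:
    - echo "project build commands go here"
```

With this in place the scan job from the template runs alongside the project’s own jobs on every commit, as step 4 describes; the checkmarx.yml added in step 3 remains a separate file at the repository root and is not referenced from this file directly.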

Step 4: Once the configurations are in place, navigate to the project repo -> CI/CD -> Pipelines and run the pipeline. The pipeline is also configured to run on every commit.

Step 5: Once the job is completed, the issues found are reported in Gitlab’s Issue tracker, as configured.

Job succeeded:

Issues tab:

Step 6: The issues can then be addressed by the respective team. Every reported vulnerability includes additional references such as the vulnerability details, a Checkmarx link to the vulnerable code snippet and recommended fixes, which makes it easy for the team to gather the details required to fix the vulnerability.

Checkmarx — Gitlab Integration:

Checkmarx provides the option to integrate it directly with a Gitlab repository. This option can be used to conduct periodic scans and to share the scan status, scan results and issue tracking. The downside of this option is that it does not support features like initiating a scan whenever a developer makes a commit in the Gitlab repository. Below are the steps that need to be followed to enable this integration for any Gitlab project.

Step 1: Create an access token for the particular project that needs to be scanned. Log in to the Gitlab portal -> select the project -> Settings -> Access Tokens

Now create the access token for this particular Gitlab project. Grant the token the permissions it requires and create the project access token.

Step 2: Log in to the Checkmarx CxSAST portal and select “Create new Project”. Provide the necessary details such as project name, preset, team, configuration and scan policies, and click the “Next” button.

Step 3: This step requires the user to specify the source code location. Select the “Source Control” option. In ‘Repository URL’, enter the Gitlab project repository’s URL, e.g. https://demo.gitlab.com/userid/project, and select the ‘Authentication’ type ‘Credentials’. Enter your username and provide the access token created in step 1 in the password field. Once all required details are in place, click “Test Connection”; when the connection is successful the configuration can be saved.

Choose the folder from the project repository to be scanned.

Step 4: In this window, the scan schedule can be configured.

Step 5: Notifications for scan initiation, scan results and scan failure events can be configured to be sent to the intended users. Additionally, the issue tracking option can also be enabled.

Note: The issue tracking integration is a work in progress and this section will be updated later.

Step 6: In this tab, the number of scans to preserve for this particular project can be configured.

Once all these steps are done, scans will be performed according to the configuration made by the user.
