Gitlab CI/CD AppSec Tool Integration

Rapticore can act as your vulnerability management tool by accepting SAST / DAST reports produced by almost any AppSec tool. It offers a very powerful api which you can use to fully integrate with your CI/CD pipeline to import your scanners reports into Rapticore.

Setup

Setup involves:

  1. Creating a user with API role in Rapticore.
  2. Configuring GitLab CI/CD to run an AppSec tool and export the report.
  3. Upload the report to Rapticore using api.

GitLab privileges

You must have GitLab rights to manage CI / CD pipeline, add environment variables and new tasks in pipeline.

Rapticore privileges

You must have an Admin role to create user in Rapticore.

Creating a user with API role in Rapticore

  1. Login to Rapticore as an admin user and navigate to the Manage > "Users and Roles" page.
  2. Click "New User" in the top right corner.
  3. Add the required details with a valid email address.
1708
  1. You will get an invitation email with login credentials on this email address.
  2. You must login with these credentials and change your password / verify email address. This step is necessary so that you can easily login with these credentials to connect to Rapticore API.

Configuring GitLab CI/CD to run an AppSec tool and export the report

  1. In your Gitlab project, Go to Settings -> CI/CD.
2910
  1. Click on Expand button in "variables" section. You will see a list of existing variables.
  2. Click on "Add Variable" under this list. A dialog will open where you can enter the key and value for the variable.
  3. You need to create two variables i.e., RAPTICORE_USERNAME and RAPTICORE_PASSWORD with the username and password for user created above with API role.
1550

These variables will be required to fetch access token to communicate with Rapticore API.

Upload the report to Rapticore using API

  1. In your Gitlab CI / CD pipeline, add a task for running a scanner. Task will export a report as an artifact. This report will be uploaded to Rapticore.
  2. For uploading the report you can utilize a script provided below.
  3. This script required following environment variables to be set in your gitlab-ci.yml file or in the GitLab UI.:
VariableMandatoryDefaultDescription
RAPTICORE_USERNAMEYesnullUsername of user with API role created in Rapticore
RAPTICORE_PASSWORDYesnullPassword of user with API role created in Rapticore
RAPTICORE_URLYesnullURL of your Rapticore installation (https://example.rapticore.io)
RAPTICORE_APPLICATION_IDYesnullUUID of the application to which this report will be associated in Rapticore. You can find this id by opening detail page of an application in rapticore
RAPTICORE_APPLICATION_NAMEYesnullName of the application to which this report will be associated in Rapticore. You can find this name by opening detail page of an application in rapticore
SCAN_TYPEYesnullThis depends on the tool being run by you in pipeline. You can get a list of supported scan types by running the curl command provided below
SCAN_FILEYesnullName of the file generated by AppSec tool.
  1. To get a list of supported scan types:
    a. Get an access token:
curl --location --request POST 'https://example.rapticore.io/api/authenticate' \
--header 'Content-Type: application/json' \
--data-raw '{
    "username": "<RAPTICORE_USERNAME>",
    "password": "<RAPTICORE_PASSWORD>"
}'

b. Get the list of supported sources. Replace <ACCESS_TOKEN> with the token obtained from command above.

curl --location --request GET 'https://example.rapticore.io/api/vulnerability/scanTypes' \
--header 'Authorization: <ACCESS_TOKEN>'
  1. For uploading the report use script provided below. You can include this script in a task or modify it as per your requirement. You may have to modify the script depending upon whether you are using shell or docker-in-docker runner and depending upon the location where report file is generated by the tool.
    Script below expects the reports to be in tests/dependency-check/ directory.

πŸ“˜

Linux Script

Use the following for Linux systems.

#!/usr/bin/env sh
apk add coreutils file
cd tests/dependency-check/
ls -al
# Get the access token from Rapticore
echo "Using username $RAPTICORE_USERNAME"
TOKEN=`curl --location --request POST "${RAPTICORE_URL}/api/authenticate" \
 --header 'Content-Type: application/json' \
 --data-raw "{ \"username\": \"$RAPTICORE_USERNAME\",  \"password\": \"$RAPTICORE_PASSWORD\" }" | jq -r '.accessToken'`
echo "Token"
echo $TOKEN
# Pipe the base64 encoded content of attached_file
(echo "data:"; file --mime-type -b $SCAN_FILE; echo ";base64") | base64 --wrap=0 "$SCAN_FILE" |
# into jq to make it a proper JSON string within the
# JSON data structure
jq --slurp --raw-input --arg FileName "$SCAN_FILE" --arg ScanType "$SCAN_TYPE" \
  --arg ApplicationId "$RAPTICORE_APPLICATION_ID" --arg ApplicationName "$RAPTICORE_APPLICATION_NAME" \
'{
    "scanType": $ScanType, 
    "applicationId": $ApplicationId,
    "applicationName": $ApplicationName, 
    "minimumSeverity": "Low", 
    "file": { 
        "fileName": $FileName , 
        "fileData": .
    } 
}
' | 
# Get the resultant JSON piped into curl
# that will read the data from the standard input
# using -d @-
curl -d @- --location --request POST "$RAPTICORE_URL/api/vulnerability/import-scan/" \
 --header "Authorization: $TOKEN" \
 --header "Content-Type: application/json" \

πŸ“˜

Mac OSX script

Use the following script for Mac OSX.

#!/usr/bin/env sh
apk add coreutils file
cd tests/dependency-check/
ls -al
# Get the access token from Rapticore
echo "Using username $RAPTICORE_USERNAME"
TOKEN=`curl --location --request POST "${RAPTICORE_URL}/api/authenticate" \
 --header 'Content-Type: application/json' \
 --data-raw "{ \"username\": \"$RAPTICORE_USERNAME\",  \"password\": \"$RAPTICORE_PASSWORD\" }" | jq -r '.accessToken'`
echo "Token"
echo $TOKEN
# Pipe the base64 encoded content of attached_file
(echo "data:"; file --mime-type -b $SCAN_FILE; echo ";base64") | base64 -i "$SCAN_FILE |
# into jq to make it a proper JSON string within the
# JSON data structure
jq --slurp --raw-input --arg FileName "$SCAN_FILE" --arg ScanType "$SCAN_TYPE" \
  --arg ApplicationId "$RAPTICORE_APPLICATION_ID" --arg ApplicationName "$RAPTICORE_APPLICATION_NAME" \
'{
    "scanType": $ScanType, 
    "applicationId": $ApplicationId,
    "applicationName": $ApplicationName, 
    "minimumSeverity": "Low", 
    "file": { 
        "fileName": $FileName , 
        "fileData": .
    } 
}
' | 
# Get the resultant JSON piped into curl
# that will read the data from the standard input
# using -d @-
curl -d @- --location --request POST "$RAPTICORE_URL/api/vulnerability/import-scan/" \
 --header "Authorization: $TOKEN" \
 --header "Content-Type: application/json" \

This script performs the following steps:

  1. Authenticates with rapticore to obtain the access token.
  2. Encodes the file using base64 and uploads to rapticore.

πŸ“˜

Findings in Rapticore

Once the report is uploaded, you can view the findings on "Findings" page in Rapticore.
You can manage their remediation by assigning task in JIRA through JIRA integration setup in rapticore.
Do let us know if you face any issues.

Updated over 1 year ago