Securing Code with GitLab Dependency Scanning

24 / Sep / 2023 by Shubham Singhal

Introduction

GitLab is a web-based platform that provides tools for version control and source code management. It allows software developers to coordinate projects, track code changes, and manage the entire development lifecycle. GitLab offers features such as code repositories, issue tracking, continuous integration and continuous deployment (CI/CD) pipelines, code reviews, wikis, and more. It is often used as an alternative to GitHub. 

In software development, it is necessary to prioritize the security of your code, but one aspect of security is often overlooked: managing and securing dependencies.

Third-party libraries and packages can introduce vulnerabilities into your application, leading to potential security breaches and data leaks. GitLab addresses this challenge through its Dependency Scanning feature.

Problem Statement

Software projects commonly rely on external libraries and frameworks to accelerate development and enhance functionality. These dependencies can boost productivity but can also introduce vulnerabilities that compromise the security of your application. Developers might not always be aware of the potential risks posed by the libraries they include. The problem becomes challenging when we don’t have the right tools to find these problems automatically.

Solution: GitLab Dependency Scanning

GitLab’s Dependency Scanning addresses this problem head-on by automatically identifying and alerting developers about vulnerabilities in their project’s dependencies. This feature analyzes the dependencies declared in your project’s manifest files (such as package.json for JavaScript, Gemfile.lock for Ruby, and requirements.txt for Python) and cross-references them against a comprehensive database of known vulnerabilities.

How GitLab Dependency Scanning Works:

  1. Scanning Process: When a developer pushes new code to a GitLab repository or opens a merge request, the Dependency Scanning process is triggered as part of GitLab’s CI/CD pipeline.
  2. Dependency Analysis: The Dependency Scanning tool extracts the dependency information from the manifest files and queries a vulnerability database, which contains information about known vulnerabilities associated with each library or package.
  3. Identification and Reporting: If any vulnerabilities are detected, GitLab presents the findings in an easy-to-understand format within the merge request or pipeline interface. Each vulnerability is assigned a severity level, helping developers prioritize which issues to address first.
  4. Actionable Insights: Developers are provided with information about the specific vulnerability, including a description, impact, and recommended mitigation steps.

Supported Languages in GitLab Dependency Scanning:

It supports the following languages:

  • .NET
  • C#
  • C
  • C++
  • Go
  • Java & Kotlin
  • JavaScript & TypeScript
  • PHP
  • Python
  • Ruby
  • Scala

Requirements

Dependency Scanning runs in the test stage, which is available by default. If you redefine the stages in the .gitlab-ci.yml file, the test stage is required.

To run dependency scanning jobs, by default, you need GitLab Runner with the docker or kubernetes executor. If you’re using the shared runners on GitLab.com, this is enabled by default. The analyzer images provided are for the Linux/amd64 architecture.

Steps to configure dependency scanning in GitLab CI/CD

Dependency Scanning automatically detects the languages used in the repository. All the analyzers matching the detected languages are run automatically; hence, there is no need to configure analyzers.

1. There should be a test stage in the pipeline.

2. Add the following to your .gitlab-ci.yml file:

    include:
      - template: Security/Dependency-Scanning.gitlab-ci.yml

3. The included template will create a dependency_scanning job in your CI/CD pipeline and scan your project’s source code for possible vulnerabilities.

4. To override a job definition (for example, to change properties like variables or dependencies), declare a new job with the same name as the one to override. Place this new job after the template inclusion and specify any additional keys under it. For example, the following adds a rule so that the job runs only on the main branch:

    # override the dependency scanning job
    gemnasium-dependency_scanning:
      rules:
        - if: $CI_COMMIT_BRANCH == "main"

5. The job checks the repository code for vulnerabilities and uploads the gl-dependency-scanning-report.json file to the artifacts section of GitLab CI/CD.

6. After finding vulnerabilities in the gl-dependency-scanning-report.json file, developers have to fix them and rerun the pipeline to check again.
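
To review the gl-dependency-scanning-report.json artifact without reading the raw JSON, the following added example (not part of the original post or of GitLab's tooling) counts findings per severity and lists the ones at or above a threshold. It reads the vulnerabilities, severity, solution and location.dependency fields of the report; the triage function, its fail_at threshold and the sample findings are constructed for illustration.

```python
import json
import sys
from collections import Counter

SEVERITIES = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]  # most to least severe

def _vuln(name, severity, package, version, manifest, solution):
    # Helper that builds one constructed finding in the report's layout.
    return {"name": name, "severity": severity, "solution": solution,
            "location": {"file": manifest,
                         "dependency": {"package": {"name": package}, "version": version}}}

# Constructed sample; package names and findings are invented for illustration.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    _vuln("Constructed finding A", "Medium", "demo-parser", "2.3.1", "package-lock.json", "Upgrade to 2.3.2"),
    _vuln("Constructed finding B", "Critical", "examplelib", "1.0.0", "requirements.txt", "Upgrade to 1.0.4"),
    _vuln("Constructed finding C", "High", "sampleorm", "0.9.0", "requirements.txt", "Upgrade to 0.9.7"),
]})

def triage(report_text, fail_at="High"):
    """Count findings per severity and list those at or above fail_at, worst first."""
    threshold = SEVERITIES.index(fail_at)
    counts, blocking = Counter(), []
    for vuln in json.loads(report_text).get("vulnerabilities", []):
        severity = vuln.get("severity", "Unknown")
        if severity not in SEVERITIES:      # unexpected value: count it, do not crash
            severity = "Unknown"
        counts[severity] += 1
        if SEVERITIES.index(severity) <= threshold:
            location = vuln.get("location", {})
            dep = location.get("dependency", {})
            blocking.append({
                "severity": severity,
                "package": dep.get("package", {}).get("name", "?"),
                "version": dep.get("version", "?"),
                "file": location.get("file", "?"),
                "name": vuln.get("name", ""),
                "solution": vuln.get("solution") or "no fix listed",
            })
    blocking.sort(key=lambda b: SEVERITIES.index(b["severity"]))
    return dict(counts), blocking

if __name__ == "__main__":
    # Pass the downloaded artifact path, or run without arguments to use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    counts, blocking = triage(text)
    print("findings by severity:", counts)
    for b in blocking:
        print(f'{b["severity"]:8} {b["package"]} {b["version"]} ({b["file"]}): {b["name"]} -> {b["solution"]}')
    sys.exit(1 if blocking else 0)  # non-zero exit lets a later CI job fail on blocking findings
```

Findings with an unrecognised severity are counted as Unknown and do not block at the default threshold, so check the printed counts as well as the exit code.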

Debugging

The dependency scanning job can fail in a project containing a valid requirements.txt file (Python project) without producing any useful output explaining why, simply “exit status 1”.

Try installing the required packages in the before_script of the gemnasium-python-dependency_scanning job:

gemnasium-python-dependency_scanning:
    image: registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2-python-3.9
    before_script:
    - apt-get -qqy update && apt-get install -qqy libpq-dev python-dev

 

Conclusion

GitLab’s Dependency Scanning is an important tool for software development: it helps in the identification and mitigation of security vulnerabilities introduced by third-party dependencies. By automating the scanning process and providing actionable insights, GitLab empowers developers to proactively address potential security risks, ensuring that code security remains a top priority throughout the development lifecycle. Embracing Dependency Scanning as part of your DevOps strategy can lead to more secure and robust software applications that stand up to the ever-evolving threat landscape.
