
gitlab osv-scanner #33

Open
jsqfengbao opened this issue Jul 13, 2024 · 9 comments
Labels
enhancement New feature or request

Comments

@jsqfengbao

If I want to use osv-scanner on gitlab, how do I configure the yml file? Is there a corresponding tool or plug-in that can be installed?

@oliverchang
Contributor

We currently don't have support for GitLab unfortunately, but we'd be very happy to take contributions!

@jsqfengbao
Author

> We currently don't have support for GitLab unfortunately, but we'd be very happy to take contributions!

OK, I'd love to

@andrewpollock
Contributor

https://docs.gitlab.com/ee/ci/migration/github_actions.html is probably relevant...

@andrewpollock andrewpollock added the enhancement New feature or request label Nov 7, 2024
@H4x0rcr4x

Also https://about.gitlab.com/blog/2024/02/27/how-to-integrate-custom-security-scanners-into-gitlab/#tutorial-integrating-custom-security-scanners as surfaced in https://groups.google.com/g/osv-discuss/c/1zA5yRWJK9w

Adding to this:

Integrating a security scanner, with results automatically presented in various places in GitLab, means ensuring the output is in a GitLab-specified format.

The "Integrating external security scanners into your DevSecOps workflow" blog post provides an example of using a custom Snyk and a script to convert the resulting JSON to the GitLab-specified format.

You can find the schemas for existing scanners here:

- Container Scanning
- Coverage Fuzzing
- DAST
- Dependency Scanning (this is likely the one that you will want to use for OSV-Scanner)
- SAST
- Secret Detection

Your output will need to adhere to one of these schemas. The docs provide further details on the available Report Fields in these schemas.

@H4x0rcr4x

Let me know who I can send a boatload of ☕️🧋to for your help with making this a reality!
Thank you!!!

@H4x0rcr4x

> If I want to use osv-scanner on gitlab, how do I configure the yml file? Is there a corresponding tool or plug-in that can be installed?

I just posted how to do it in GitLab. I have had osv-scanner running in GitLab for a few months.

@cuixq
Contributor

cuixq commented Nov 20, 2024

Thank you @H4x0rcr4x for sharing the configuration file!

@H4x0rcr4x

H4x0rcr4x commented Nov 23, 2024

@cuixq you're welcome.

Here is the updated configuration to enable osv-scanner in GitLab's .gitlab-ci.yml file.

```yaml
#
# OSV scanner for vulnerabilities
#
osv_scanner:
  stage: test
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  image:
    name: ghcr.io/google/osv-scanner:v1.9.1 # osv-scanner final v1 stable image
    entrypoint: [""] # Override entry point
  script: # osv-scanner recursively scans the project for dependencies
    - /osv-scanner --format json --call-analysis -r . > osv-scanner-report.json
  artifacts:
    paths:
      - osv-scanner-report.json
    expire_in: 7 days
```
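The job above stores osv-scanner's own JSON as a plain artifact, while the earlier comment in this thread points out that GitLab only surfaces findings in merge requests and the vulnerability report when the output follows one of its report schemas (Dependency Scanning being the natural fit). The converter below is an added example, not code from the osv-scanner project, from GitLab, or from anyone in this thread. It assumes the osv-scanner JSON layout (`results` -> `packages` -> `package`/`vulnerabilities`/`groups`, with `groups[].max_severity` carrying a CVSS score and some advisories carrying a textual rating in `database_specific.severity`), the GitLab Dependency Scanning field names and severity enum, and schema version `15.0.6`; the sample input and all advisory ids in it are constructed placeholders.

```python
"""Convert osv-scanner JSON output into a GitLab Dependency Scanning report.

Added example, not osv-scanner's or GitLab's code. Assumed, not from the thread:
the osv-scanner layout (results -> packages -> vulnerabilities/groups), the GitLab
field names, severity enum and schema version. Validate against GitLab's schema.
"""
import json
import sys
import uuid
from datetime import datetime, timezone

SCHEMA_VERSION = "15.0.6"  # assumption: report schema version accepted by GitLab
SCANNER = {"id": "osv-scanner", "name": "OSV-Scanner", "version": "v1.9.1",
           "vendor": {"name": "Google"}}
RATING_TO_GITLAB = {"CRITICAL": "Critical", "HIGH": "High", "MODERATE": "Medium",
                    "MEDIUM": "Medium", "LOW": "Low"}  # database_specific.severity -> enum

def score_to_severity(score):
    """Map a CVSS base score string (osv-scanner groups[].max_severity) to the enum."""
    try:
        s = float(score)
    except (TypeError, ValueError):
        return "Unknown"
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if s >= floor:
            return label
    return "Info"

def severity_for(vuln, score_by_id):
    """Prefer the advisory's own rating; fall back to the group's max CVSS score."""
    rating = (vuln.get("database_specific") or {}).get("severity")
    if isinstance(rating, str) and rating.upper() in RATING_TO_GITLAB:
        return RATING_TO_GITLAB[rating.upper()]
    return score_to_severity(score_by_id.get(vuln["id"]))

def identifiers_for(vuln):
    """The OSV id and every alias become identifiers; CVE ids get the 'cve' type."""
    ids = []
    for name in [vuln["id"], *vuln.get("aliases", [])]:
        cve = name.startswith("CVE-")
        ids.append({"type": "cve" if cve else "osv", "name": name, "value": name,
                    "url": (f"https://nvd.nist.gov/vuln/detail/{name}" if cve
                            else f"https://osv.dev/vulnerability/{name}")})
    return ids

def fixed_versions(vuln):
    """Collect 'fixed' events from the OSV affected ranges for the solution text."""
    return [ev["fixed"] for aff in vuln.get("affected", []) for rng in aff.get("ranges", [])
            for ev in rng.get("events", []) if "fixed" in ev]

def convert(osv_report, now=None):
    """Return a dict shaped like a GitLab Dependency Scanning report."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S")  # no tz suffix
    vulnerabilities, dependency_files = [], []
    for result in osv_report.get("results", []):
        path = result.get("source", {}).get("path", "")
        deps, manager = [], "unknown"
        for pkg in result.get("packages", []):
            info = pkg.get("package", {})
            name, version = info.get("name", ""), info.get("version", "")
            manager = info.get("ecosystem", manager)
            deps.append({"package": {"name": name}, "version": version})
            score_by_id = {vid: grp.get("max_severity")
                           for grp in pkg.get("groups", []) for vid in grp.get("ids", [])}
            for vuln in pkg.get("vulnerabilities", []):
                fixed = fixed_versions(vuln)
                vulnerabilities.append({
                    # Deterministic id: the same finding gets the same id on every run
                    "id": str(uuid.uuid5(uuid.NAMESPACE_URL, f"{path}|{name}|{version}|{vuln['id']}")),
                    "name": vuln.get("summary") or vuln["id"],
                    "description": vuln.get("details", ""),
                    "severity": severity_for(vuln, score_by_id),
                    "solution": "Upgrade to " + ", ".join(fixed) if fixed else "No fix available",
                    "identifiers": identifiers_for(vuln),
                    "links": [{"url": r["url"]} for r in vuln.get("references", []) if "url" in r],
                    "location": {"file": path,
                                 "dependency": {"package": {"name": name}, "version": version}},
                })
        dependency_files.append({"path": path, "package_manager": manager, "dependencies": deps})
    return {"version": SCHEMA_VERSION,
            "scan": {"analyzer": SCANNER, "scanner": SCANNER, "type": "dependency_scanning",
                     "start_time": stamp, "end_time": stamp, "status": "success"},
            "vulnerabilities": vulnerabilities, "dependency_files": dependency_files}

# Constructed sample in osv-scanner's output shape; the ids are placeholders, not real advisories
SAMPLE_OSV_OUTPUT = {"results": [{
    "source": {"path": "package-lock.json", "type": "lockfile"},
    "packages": [{
        "package": {"name": "example-pkg", "version": "1.0.0", "ecosystem": "npm"},
        "vulnerabilities": [
            {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00000"],
             "summary": "Constructed sample advisory", "details": "Sample details.",
             "affected": [{"ranges": [{"type": "SEMVER",
                                       "events": [{"introduced": "0"}, {"fixed": "1.0.1"}]}]}],
             "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory"}],
             "database_specific": {"severity": "HIGH"}},
            {"id": "EXAMPLE-0002", "summary": "Second constructed advisory, no fix yet"}],
        "groups": [{"ids": ["GHSA-xxxx-xxxx-xxxx", "CVE-0000-00000"], "max_severity": "7.5"},
                   {"ids": ["EXAMPLE-0002"], "max_severity": "9.8"}]}]}]}

if __name__ == "__main__":  # usage: python osv_to_gitlab.py osv-scanner-report.json > gl-report.json
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_OSV_OUTPUT
    json.dump(convert(source), sys.stdout, indent=2)
```

In the job above this would run as a second `script:` line after the osv-scanner call, writing the converted file and publishing it under `artifacts: reports: dependency_scanning:` instead of (or in addition to) `artifacts: paths:`. Two caveats: osv-scanner exits non-zero when it finds vulnerabilities, so a conversion step placed after it only runs if that exit code is tolerated (for example with `|| true` on the scan line, keeping the decision to fail the pipeline for the converted findings or for `allow_failure`); and the mapping from OSV severity data to GitLab's six-value enum is lossy, so findings whose advisory carries neither a textual rating nor a group score land in `Unknown` rather than being dropped.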
