GitLab on Romano Roth

GitLab vs. GitHub: DevSecOps Pipeline

Wed, 28 Dec 2022 11:25:25 +0000

This video series will show you how to build up an enterprise-ready DevSecOps Pipeline with GitLab and GitHub and compare the two platforms.

GitLab DevSecOps Part 12: Our Recommendations and Lessons Learned

Wed, 16 Nov 2022 00:00:00 +0000

After eleven sessions building a full DevSecOps pipeline with GitLab — from Software Composition Analysis to Container Scanning, SAST, Secret Detection, DAST, merge request integration, and scheduled pipelines — Patrick Steger and I close the series with our recommendations. What worked, what tripped us up, and what we would tell anyone setting out to build the same pipeline today.

GitLab DevSecOps Part 11: Scheduled Pipelines for Production Code

Wed, 09 Nov 2022 00:00:00 +0000

Over ten sessions we wired six security tools into a GitLab pipeline that fires on every commit and every Merge Request. So are we done? Not quite. Code in production sits there for weeks or months, and during that time researchers keep finding new CVEs in the dependencies you are already shipping. In Part 11 of the GitLab DevSecOps series, Patrick Steger and I add a scheduled pipeline so the production branch gets re-scanned automatically — without anyone having to push a commit.

GitLab DevSecOps Part 10: How to Do a Merge Request the Right Way

Wed, 02 Nov 2022 00:00:00 +0000

In the previous nine sessions Patrick Steger and I built a GitLab DevSecOps pipeline that runs SAST, secret detection, software composition analysis, container scanning and DAST. Useful — but only if it actually catches issues before they reach the default branch. In Part 10 we close that loop: we wire the pipeline into Merge Requests so every change is scanned, the deltas against the default branch are visible, and approvals are required when new high or critical vulnerabilities appear.

GitLab DevSecOps Part 9: Overcoming Vulnerability Management Challenges

Wed, 12 Oct 2022 00:00:00 +0000

After eight sessions of adding scanners to our GitLab pipeline — SAST, secret detection, SCA, license compliance, container scanning, DAST — we now have a different problem. We have hundreds of vulnerability findings. In Part 9, Patrick Steger and I look at GitLab’s built-in Vulnerability Management: what it gives you, where it falls short, and how to actually triage findings without losing your mind.

GitLab DevSecOps Part 8: Dynamic Application Security Testing (DAST)

Wed, 05 Oct 2022 00:00:00 +0000

Everything we have done in the GitLab DevSecOps pipeline so far has been static — analysis of source code, dependencies, containers and configuration. In Part 8, Patrick Steger and I cross the line into Continuous Delivery and add Dynamic Application Security Testing. DAST means we deploy the application, start it, and then attack it from the outside with an automated penetration testing tool. GitLab ships this capability out of the box, powered by OWASP ZAP.

GitLab DevSecOps Part 7: Finding Secrets in Your Code with Secret Detection

Wed, 28 Sep 2022 00:00:00 +0000

Hard-coded passwords and API keys are still one of the most common ways credentials leak. They get committed by accident, stay in the git history forever, and only show up when someone is already exploiting them. In Part 7 of our GitLab DevSecOps series, Patrick Steger and I add Secret Detection to the same pipeline we have been growing — one line of YAML — and then look at what GitLeaks actually finds, what it quietly misses, and what to do about it.

GitLab DevSecOps Part 6: How to Use Container Scanning

Tue, 06 Sep 2022 00:00:00 +0000

We have already wired SAST, secret detection, and software composition analysis into the GitLab pipeline. Those checks cover the source code and its dependencies — but the artifact we actually ship is a container image. Operating system packages, the base image, and everything copied in along the way can carry vulnerabilities of their own. In Part 6 of our series, Patrick Steger and I add container scanning to the pipeline, build a Docker image from the jar we compiled earlier, and push it through Trivy and Grype.

GitLab DevSecOps Part 5: Static Application Security Testing (SAST)

Wed, 31 Aug 2022 00:00:00 +0000

Software composition analysis takes care of the libraries you pull in. But what about the code your own team writes? That is where Static Application Security Testing comes in. In Part 5 of our GitLab DevSecOps series, Patrick Steger and I add SAST to the pipeline, plant a few realistic vulnerabilities in our Spring Boot sample, and watch GitLab pick them up.

GitLab DevSecOps Part 4: How to Ensure License Compliance

Wed, 24 Aug 2022 00:00:00 +0000

You ship a Java application that depends on Spring Boot, which depends on dozens of other libraries, each with its own license — and most teams cannot tell you what those licenses actually are. In Part 4 of our GitLab DevSecOps series, Patrick Steger and I add license compliance to the pipeline so the question is answered automatically on every commit. The good news: with GitLab Ultimate, this is one template line away.

GitLab DevSecOps Part 3: Software Composition Analysis with Gemnasium

Wed, 17 Aug 2022 00:00:00 +0000

Your code is the small part. The libraries you pull in are the big part — and that is where most of your CVEs live. In Part 3 of the GitLab DevSecOps series, Patrick Steger and I bring up a tiny Spring Boot demo, wire it into a GitLab pipeline, and then add Software Composition Analysis with a single include line.

GitLab DevSecOps Part 1: What Is GitLab and Why Shift Security Left?

Wed, 10 Aug 2022 00:00:00 +0000

Why does security still get bolted on at the end of the development process, and how do we move it earlier without slowing teams down? In Part 1 of our GitLab DevSecOps series, Patrick Steger and I set the stage: what GitLab is, what shifting security left really means, and which CI/CD concepts you have to understand before you can build a DevSecOps pipeline that actually works.

GitLab DevSecOps Part 2: Creating a Simple Project and Your First Pipeline

Wed, 10 Aug 2022 00:00:00 +0000

Before we can shift any security checks left, we need a project, a repository, and a pipeline that actually builds something. In Part 2 of our GitLab DevSecOps series, Patrick Steger and I log into GitLab, create a new .NET Core project from a template, and look at the .gitlab-ci.yml file that GitLab generates for us — including the build and test jobs that will become the foundation for everything we add later.