Gitlab CI/CD Component

Overview

This Gitlab CI/CD component integrates Sec1 to conduct vulnerability scans on your Gitlab projects. Sec1 is a powerful tool that helps identify security vulnerabilities within your codebase.

Obtaining your Sec1 API Key

To use Sec1 in your workflow, you need to obtain an API key. Follow these steps:

  1. Navigate to Sec1 Website:

    • Visit the Sec1 portal and log in with your SCM credentials.

  2. Generate API Key:

    • In the "Settings" section, locate the "API key" and click on "Generate API key."

  3. Copy the API Token:

    • Copy the generated API token.

  4. Add API Key in Gitlab Project Environment Variables:

    • Add the copied API key to your Gitlab project as a CI/CD environment variable. Refer to Gitlab's documentation on creating a variable at project level.

    • Use SEC1_API_KEY as the key and paste the Sec1 API token as the value.

    Sec1 recommends masking the variable (so the value is hidden in job logs) and, if you use protected branches and tags, marking it protected so that it is only exposed to pipelines on those refs.

Example Workflow

Scan with Sec1 Security

Below is an example of using the Sec1 Security component in your Gitlab CI/CD pipeline. This example runs the Sec1 scan in the test stage.

In your repository, create .gitlab-ci.yml and add the following include to it:

include:
  - component: gitlab.com/sec0ne/sec1-security/sec1-security@v1.0.1

Customizing Scan Thresholds for Sec1 Security

The Sec1 scan supports threshold values. If the scan reports more vulnerabilities than the configured threshold allows, Sec1 Security marks the build as failed. Thresholds can be set per severity: critical, high, medium and low.

The threshold is configured at the Gitlab project level: add a project CI/CD variable with the key SEC1_SCAN_THRESHOLD and, as its value, the threshold expressed with the severity keys above. Because the variable lives in the project settings, the .gitlab-ci.yml itself does not change.

Example:

Your .gitlab-ci.yml still only needs the component include:

include:
  - component: gitlab.com/sec0ne/sec1-security/sec1-security@v1.0.1
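Both procedures above (adding SEC1_API_KEY, then SEC1_SCAN_THRESHOLD) are described for the Gitlab web UI. The script below is an added example, not Sec1's or the component's own code, that does the same through the Gitlab REST API (POST/PUT /projects/:id/variables), which is handy when you onboard many projects. It assumes GITLAB_URL, GITLAB_TOKEN (a token with the api scope), PROJECT_ID, SEC1_API_KEY and optionally SEC1_SCAN_THRESHOLD are supplied in the environment; the threshold value is passed through untouched in whatever format Sec1 expects. It also pre-checks the API key against Gitlab's masking rules, because Gitlab silently refuses to mask a value that is shorter than 8 characters or contains whitespace.

```shell
#!/bin/sh
# Added example (not from the Sec1 page): register the Sec1 CI/CD variables on a
# Gitlab project via the REST API. Assumed inputs: GITLAB_URL, GITLAB_TOKEN,
# PROJECT_ID, SEC1_API_KEY, and optionally SEC1_SCAN_THRESHOLD. Requires curl.

# Gitlab only lets a variable be masked when the value is a single line of at
# least 8 characters with no whitespace. Return 0 when the value qualifies, so
# we can fail early instead of ending up with an unmasked secret in job logs.
masked_value_ok() {
    value=$1
    case $value in
        *[[:space:]]*) return 1 ;;   # spaces, tabs and newlines are rejected
    esac
    [ ${#value} -ge 8 ]
}

# Create or update one project variable.
#   $1 key, $2 value, $3 masked (true/false), $4 protected (true/false)
# GET /variables/:key answers 200 when the key exists (then we PUT) and 404
# otherwise (then we POST). The value travels in argv for the duration of the
# curl call, so run this from a trusted workstation, not a shared host.
set_project_variable() {
    key=$1; value=$2; masked=$3; protected=$4
    api="$GITLAB_URL/api/v4/projects/$PROJECT_ID/variables"
    if curl -sS -f -o /dev/null --header "PRIVATE-TOKEN: $GITLAB_TOKEN" "$api/$key"; then
        method=PUT;  url="$api/$key"
    else
        method=POST; url="$api"
    fi
    status=$(curl -sS -o /dev/null -w '%{http_code}' --request "$method" \
        --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
        --data-urlencode "key=$key" \
        --data-urlencode "value=$value" \
        --data-urlencode "masked=$masked" \
        --data-urlencode "protected=$protected" \
        "$url")
    case $status in
        200|201) echo "$key: $method ok (masked=$masked, protected=$protected)"; return 0 ;;
        *)       echo "$key: $method failed with HTTP $status" >&2; return 1 ;;
    esac
}

# Only contact Gitlab when explicitly asked, so the file can also be sourced
# for its functions. Usage: ./sec1_vars.sh --apply
if [ "${1:-}" = "--apply" ]; then
    : "${GITLAB_URL:?}" "${GITLAB_TOKEN:?}" "${PROJECT_ID:?}" "${SEC1_API_KEY:?}"
    if ! masked_value_ok "$SEC1_API_KEY"; then
        echo "SEC1_API_KEY does not satisfy Gitlab's masking rules; refusing to store it unmasked" >&2
        exit 1
    fi
    # The API key is a secret: masked and protected, as the Sec1 page recommends.
    set_project_variable SEC1_API_KEY "$SEC1_API_KEY" true true
    # The threshold is not a secret; its value format is whatever Sec1 documents.
    if [ -n "${SEC1_SCAN_THRESHOLD:-}" ]; then
        set_project_variable SEC1_SCAN_THRESHOLD "$SEC1_SCAN_THRESHOLD" false false
    fi
fi
```

The masking pre-check matters more than it looks: if Gitlab rejects the masked flag, the common failure mode is someone re-saving the variable unmasked and the token then appearing verbatim in every job log that echoes its environment.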

Your Gitlab project is now set up to run Sec1 as a continuous security check on every pipeline.