Can pipeline stop for some specific severity after security scan?

I have integrated some security scanners in my pipeline as below.

Build->Security scan->Deploy->...

As we know, there are always vulnerabilities in real cases, with different severities. I would like to stop the pipeline from proceeding to the next stage when there are issues of HIGH or MEDIUM severity, and ignore it when there are only issues of LOW or UNKNOWN severity.

Is it possible in GitLab CI? If so, are there any documents or examples?

Thanks!!!

If the vulnerability tool gives you some output you can process, use a shell script or another tool to process the results and determine whether the pipeline should fail or continue (exiting with exit 1 will tell GitLab it failed).

Another route may be to create a custom processor with integration into GitLab’s test results framework, but that seems way more complicated.

If I am using the tools provided by GitLab, such as SAST, Container Scanning, etc., can I use a shell script to check the severity of the different vulnerabilities?

@yukccy,

I would like to stop the pipeline from processing next stage when there are issues in HIGH or MEDIUM severity.

This feature was recently discussed but postponed, so there is currently no way to do this out of the box.

ignore when there are issues only in LOW or UNKNOWN.

The analyzers have different options but, for the ones that do support something like this, you could set it to the desired level and, after the scan is complete, check the report to see if it contains any findings (e.g. using jq to count the array of findings). If it has >0 entries, fail the job/pipeline.

For example, for the container scanning analyzer, you can set the CS_SEVERITY_THRESHOLD variable to medium.

This would cause anything below medium severity not to be reported by the analyzer, which means any entries in the JSON report will be medium and above.

I hope this helps.
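As a worked version of what both answers describe (a script run in a job after the scan that reads the report artifact, counts the findings, and exits non-zero to stop the pipeline), here is an added example. It is not GitLab's code and not from either poster; it assumes the report follows the GitLab security report shape, i.e. a top-level "vulnerabilities" array whose entries carry a "severity" string (Critical/High/Medium/Low/Info/Unknown), and the embedded sample report is constructed, not real analyzer output. Unlike a plain jq count it filters by severity itself, so it works whether or not CS_SEVERITY_THRESHOLD was set, and it fails closed when the report is missing or unreadable so a broken scan cannot wave a deploy through.

```python
"""Gate a GitLab CI pipeline on the severity of security-scan findings.

Added example, not GitLab's own code. Assumed report shape: a top-level
"vulnerabilities" array whose entries have a "severity" string such as
Critical/High/Medium/Low/Info/Unknown. Exits non-zero when any finding is at
or above the chosen threshold, which fails the job and stops the pipeline
before the next stage.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Ranking from most to least severe. UNKNOWN is ranked lowest so that, with a
# MEDIUM threshold, LOW and UNKNOWN findings are ignored as the question asks.
SEVERITY_RANK = {
    "critical": 5,
    "high": 4,
    "medium": 3,
    "low": 2,
    "info": 1,
    "unknown": 0,
}


def severity_of(finding: dict) -> str:
    """Normalise a finding's severity; missing or unrecognised values count as unknown."""
    sev = str(finding.get("severity", "unknown")).lower()
    return sev if sev in SEVERITY_RANK else "unknown"


def count_by_severity(report: dict) -> Counter:
    """Tally findings per severity level, for the job log."""
    return Counter(severity_of(f) for f in report.get("vulnerabilities", []))


def blocking_findings(report: dict, threshold: str = "medium") -> list:
    """Return the findings whose severity is at or above the threshold."""
    floor = SEVERITY_RANK[threshold.lower()]
    return [f for f in report.get("vulnerabilities", [])
            if SEVERITY_RANK[severity_of(f)] >= floor]


def verdict(report: dict, threshold: str = "medium") -> int:
    """Exit status for the job: 0 lets the pipeline continue, 1 stops it."""
    return 1 if blocking_findings(report, threshold) else 0


def check_report_file(path: str, threshold: str = "medium") -> int:
    """Load the report artifact and decide; fails closed on a missing or unreadable report."""
    p = Path(path)
    if not p.is_file():
        print(f"{path}: report not found; failing closed", file=sys.stderr)
        return 1
    try:
        report = json.loads(p.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        print(f"{path}: not valid JSON ({exc}); failing closed", file=sys.stderr)
        return 1
    counts = count_by_severity(report)
    for sev in sorted(counts, key=lambda s: -SEVERITY_RANK[s]):
        print(f"{sev:>8}: {counts[sev]}")
    for f in blocking_findings(report, threshold):
        print(f"BLOCKING [{severity_of(f)}] {f.get('id', '?')}: {f.get('message', '')}")
    return verdict(report, threshold)


# Constructed sample in the assumed report shape; not real analyzer output.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "severity": "High", "message": "example high finding"},
        {"id": "b2", "severity": "Medium", "message": "example medium finding"},
        {"id": "c3", "severity": "Low", "message": "example low finding"},
        {"id": "d4", "severity": "Unknown", "message": "example unknown finding"},
    ],
}


def main(argv: list) -> int:
    # Usage: python3 severity_gate.py [report.json] [threshold]
    path = argv[1] if len(argv) > 1 else "gl-container-scanning-report.json"
    threshold = argv[2] if len(argv) > 2 else "medium"
    if threshold.lower() not in SEVERITY_RANK:
        print(f"unknown threshold {threshold!r}", file=sys.stderr)
        return 2
    return check_report_file(path, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, add a job in a stage between the scan and Deploy that declares the scan job in `needs:` (so the report artifact, `gl-container-scanning-report.json` for container scanning, is downloaded into the workspace), does not set `allow_failure`, and runs `python3 severity_gate.py gl-container-scanning-report.json medium`. The script name is ours; the threshold argument is the same idea as CS_SEVERITY_THRESHOLD, applied on the consumer side so the gate still holds if someone later changes the analyzer variable.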