What is the best way to use or integrate fortify into the .gitlab-ci.yml?
There are multiple ways of achieving this. But it all depends on your current and expected usage of the Fortify components.
- Install Fortify in a location that is accessible via the GitLab Runner. This can be either on the same machine as the Runner, if the Runner is configured with a Shell Executor, or in a Docker container, if Fortify now supports that.
- Have the ability to upload the scan results (.fpr file) to the Software Security Center (SSC) component in order to process the results.
- Have the ability to extract the results from SSC into a file in JSON format and upload that back to GitLab as the artifact to keep in GitLab.
Setup of .gitlab-ci.yml:
- In the Test phase, add your sourceanalyzer command with the appropriate switches and GitLab CI variables as appropriate.
- Insert a fortifyclient command with appropriate references to the SSC URL and the FPR file.
- Insert a wait step for some time, as needed, to process the results in SSC; this could take a long time if there are a lot of findings.
- Insert a step to curl results from the Fortify API (most likely ApiResultListProjectVersionIssueDetails) to gather all the findings in JSON output and pipe them to an output file.
- Make the output file the artifact that is tied to the job; the runner will automatically upload it back into GitLab.
There is a new API in GitLab that provides the ability to upload the results so that they show up in the GitLab Security Dashboard; that dashboard has the ability to create an issue or dismiss vulnerabilities directly and can really help with the overall security fix cycle-times.
Hope this helps.
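One way to lay out the job described above, as an added example that is not the original poster's configuration: the job and variable names, file paths, wait time and the SSC REST endpoint path are assumptions to adapt to your own SSC and Runner setup.

```yaml
# Added example .gitlab-ci.yml following the steps in the answer above.
# Assumptions (not from the original post): the Runner uses a Shell Executor on a
# host where sourceanalyzer and fortifyclient are on PATH; the project is Java with
# sources under src/ and jars under lib/; SSC_URL, SSC_TOKEN (token accepted by
# fortifyclient -authtoken), SSC_API_TOKEN (token in the form your SSC version
# expects in the Authorization header), SSC_APP_VERSION and SSC_PV_ID (numeric
# project-version id) are masked CI/CD variables set in the GitLab project settings.
stages:
  - build
  - test

fortify_scan:
  stage: test
  variables:
    BUILD_ID: "$CI_PROJECT_NAME-$CI_COMMIT_SHORT_SHA"
    FPR_FILE: "$CI_PROJECT_NAME.fpr"
    RESULTS_JSON: "fortify-issues.json"
    SSC_WAIT_SECONDS: "120"          # placeholder; tune to how long SSC takes to process
  script:
    # 1. Translate the sources into a fresh build model, then scan it to an FPR.
    - sourceanalyzer -b "$BUILD_ID" -clean
    - sourceanalyzer -b "$BUILD_ID" -cp "lib/*" "src/**/*.java"
    - sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR_FILE"
    # 2. Upload the FPR to the matching application version in SSC.
    - >
      fortifyclient uploadFPR -url "$SSC_URL" -authtoken "$SSC_TOKEN"
      -file "$FPR_FILE" -project "$CI_PROJECT_NAME" -version "$SSC_APP_VERSION"
    # 3. Give SSC time to process the artifact before asking for issues.
    - sleep "$SSC_WAIT_SECONDS"
    # 4. Pull the processed issue list as JSON from the SSC REST API.
    #    --fail makes the job fail on an HTTP error instead of saving an error page
    #    as the result. The API pages results; adjust query parameters for large sets.
    - >
      curl --fail --silent --show-error
      -H "Authorization: FortifyToken $SSC_API_TOKEN"
      -H "Accept: application/json"
      "$SSC_URL/api/v1/projectVersions/$SSC_PV_ID/issues"
      -o "$RESULTS_JSON"
  # 5. Store the JSON (and the FPR) as job artifacts so GitLab keeps them with the pipeline.
  artifacts:
    when: always
    expire_in: 30 days
    paths:
      - "$FPR_FILE"
      - "$RESULTS_JSON"
```

The JSON is kept as a plain job artifact here; feeding the Security Dashboard mentioned in the answer additionally requires converting it into the report format GitLab expects.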
Thank you, I will check this out to see how it works out for me.