What is the best way to use or integrate fortify into the .gitlab-ci.yml?
There are multiple ways of achieving this. But it all depends on your current and expected usage of the Fortify components.
Basic Requirements:
- Install Fortify in a location that is accessible to the GitLab Runner. This can be either on the same machine as the Runner, if the Runner is configured with a Shell Executor, or in a Docker container, if Fortify now supports that.
- Have the ability to upload the results of the scan (the .fpr file) to the Software Security Center (SSC) component in order to process the results.
- Have the ability to extract the results from SSC into a file in JSON format and upload that back to GitLab as the artifact to keep in GitLab.
Setup of .gitlab-ci.yml:
- In the Test phase, add your sourceanalyzer command with the appropriate switches and GitLab CI variables as appropriate.
- Insert a fortifyclient command with appropriate references to the SSC URL and the FPR file.
- Insert a wait step for some time as needed to process the results in SSC; this could take long if there are a lot of findings.
- Insert a step to curl results from the Fortify API (most likely ApiResultListProjectVersionIssueDetails) to gather all the findings in JSON output and pipe them to an output file.
- Make the output file the artifact that is tied to the job, and the runner will automatically upload it back into GitLab.
Bonus:
There is a new API in GitLab that provides the ability to upload the results so that they show up in the GitLab Security Dashboard; that dashboard has the ability to create an issue or dismiss vulnerabilities directly and can really help with the overall security fix cycle times.
Hope this helps.
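The setup steps above, written out as a single `.gitlab-ci.yml` job. This is an added example, not code from the answer above or from Fortify or GitLab. It assumes a Runner using the Shell Executor with `sourceanalyzer` and `fortifyclient` on its PATH, a Java project (the translate line changes per language), and three CI/CD variables defined in the project settings: `SSC_URL`, `SSC_TOKEN` (a masked variable holding an SSC upload/API token) and `FORTIFY_APP`. The SSC REST paths, query syntax and the `friority` field name are assumptions drawn from the SSC API documentation conventions and should be checked against your SSC version; `ApiResultListProjectVersionIssueDetails` in the answer is the API's response type for the issues listing used in step 4.

```yaml
# Added example: Fortify SCA scan -> SSC upload -> JSON findings as a GitLab artifact.
# Assumed CI/CD variables: SSC_URL, SSC_TOKEN (masked), FORTIFY_APP.
stages:
  - build
  - test

fortify-scan:
  stage: test
  variables:
    # Build ID ties translate and scan together; unique per pipeline so runs do not mix.
    BUILD_ID: "$CI_PROJECT_NAME-$CI_PIPELINE_ID"
    FPR_FILE: "results.fpr"
    # How long to give SSC to process the uploaded FPR (seconds); raise for large result sets.
    SSC_PROCESS_WAIT: "120"
  script:
    # 1. Translate the code and run the scan (assumed Java layout: src/ and lib/).
    - sourceanalyzer -b "$BUILD_ID" -clean
    - sourceanalyzer -b "$BUILD_ID" -cp "lib/*" "src/**/*.java"
    - sourceanalyzer -b "$BUILD_ID" -scan -f "$FPR_FILE"
    # 2. Upload the FPR to SSC; the branch name doubles as the application version.
    #    Flag names follow newer fortifyclient releases (older ones use -project/-version).
    - fortifyclient uploadFPR -file "$FPR_FILE" -application "$FORTIFY_APP" -applicationVersion "$CI_COMMIT_REF_NAME" -url "$SSC_URL" -authtoken "$SSC_TOKEN"
    # 3. Wait for SSC to finish processing the artifact.
    - sleep "$SSC_PROCESS_WAIT"
    # 4. Look up the project version ID, then pull every issue as JSON.
    #    Assumed SSC REST shapes; some SSC versions expect the token base64-encoded in this header.
    - |
      PV_ID=$(curl -sSf -H "Authorization: FortifyToken $SSC_TOKEN" \
        "$SSC_URL/api/v1/projectVersions?q=project.name:%22$FORTIFY_APP%22+name:%22$CI_COMMIT_REF_NAME%22" \
        | python3 -c 'import json,sys; print(json.load(sys.stdin)["data"][0]["id"])')
      curl -sSf -H "Authorization: FortifyToken $SSC_TOKEN" \
        "$SSC_URL/api/v1/projectVersions/$PV_ID/issues?limit=-1" \
        -o fortify-results.json
    # 5. Optional quality gate: fail the job when Critical findings are present
    #    ("friority" is the assumed SSC field carrying the Fortify priority).
    - |
      python3 - <<'EOF'
      import json, sys
      issues = json.load(open("fortify-results.json"))["data"]
      critical = [i for i in issues if i.get("friority") == "Critical"]
      print(f"{len(issues)} findings, {len(critical)} critical")
      sys.exit(1 if critical else 0)
      EOF
  artifacts:
    # Keep the JSON even when the gate fails, so the findings are reviewable in GitLab.
    when: always
    paths:
      - fortify-results.json
    expire_in: 30 days
```

The gate in step 5 is the part most teams tune: start by only failing on Critical so the pipeline is not blocked by the existing backlog, and tighten as the count drops. For the Security Dashboard mentioned under Bonus, GitLab expects the report in its own SAST report schema (declared under `artifacts:reports:sast`), so the raw SSC JSON above would need a conversion step before it shows up there.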
Thank you, I will check this out to see how it works out for me.