New to Gitlab. Some doubts regarding Gitlab

Hi All,

Just joined Gitlab community.
We use Bitbucket-Jenkins-Sonarqube-Nexus for our CI.
We heard Gitlab can replace all these tools.

So I did some research and still have a few doubts.

  1. Can we invoke SAST for code in a third-party repository?
  2. Can we publish a SAST report (JSON / XML) from another tool in Gitlab?
  3. Can we expose the container registry (I see it is embedded in the Gitlab CI page) via http / https for others to access?
  4. Can we have Maven / helm / Nuget / npm hosted repositories?
  5. Can we have access control at the SAST / container registry level?
  6. Can we have governance features in SAST, like overall health of projects, branch analysis etc?
  7. Can we generate a report from SAST / DAST?

Thanks,
Vish

Hi Vish,

1. Yes, any git repo can be mirrored into GitLab so the pipeline can access it: https://docs.gitlab.com/ee/ci/ci_cd_for_external_repos/#gitlab-cicd-for-external-repositories-premium
2. Being worked on.
3. Yes, but the project either needs to be public or users have to validate credentials to get to containers.
4. Maven, NPM and a few others now. Nuget and Helm are coming; I don’t have the issue handy to reference.
5. Not understanding the question.
6. SAST works by scanning individual changes for vulnerabilities introduced. A commit on a branch undergoes SAST when the pipeline runs. There is a dashboard at the project and group level that shows the vulnerabilities.
7. The report is on the Merge Request or the Dashboard since that’s where the information is most valuable for making decisions about merging code.

-Steevo

Hi Steevo,

Awesome. Thanks for the detailed info.
The fifth question was related to setting permissions for SAST, e.g. to view SAST reports only and nothing else.

We have a requirement of extracting reports as pdf and attaching it in the CR before going to production.

Hi Vish - what are you using for a CR tool? You should be able to set up a job in your pipeline that fetches the SAST JSON artifact from the artifact repo on the GitLab server, pipe the JSON through something like ./jq to pretty-print it and then pipe that to a PDF creator. If the CR tool has an API it may be possible to attach the PDF, too. I don’t have an example to share though.
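As an added example (not code from the thread or from GitLab), here is the core of the job Steevo describes: it builds the raw-artifact URL of the GitLab Jobs API for the SAST report, parses a constructed `gl-sast-report.json` into a worst-first text digest that can be piped to a PDF tool, and adds a severity gate for the CR step. The field names follow GitLab's SAST report schema (`vulnerabilities[].severity`, `name`, `location.file`, `location.start_line`); the sample findings, file paths, project id and the gate threshold are assumptions.

```python
import json
from collections import Counter

# Constructed sample shaped like GitLab's gl-sast-report.json, trimmed to the
# fields used below (real reports also carry identifiers, scanner, description).
SAMPLE_REPORT = json.dumps({"version": "14.0.0", "vulnerabilities": [
    {"id": "a1", "category": "sast", "name": "Hard-coded credential", "severity": "Critical",
     "location": {"file": "src/db.py", "start_line": 12}},
    {"id": "b2", "category": "sast", "name": "Use of weak hash (MD5)", "severity": "Medium",
     "location": {"file": "src/auth.py", "start_line": 40}},
    {"id": "c3", "category": "sast", "name": "Possible SQL injection", "severity": "High",
     "location": {"file": "src/db.py", "start_line": 57}},
]})

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]
RANK = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}


def artifact_url(base_url, project_id, ref, job="sast", path="gl-sast-report.json"):
    """Raw-artifact URL of the GitLab Jobs API for `job`'s report on `ref`;
    request it with a PRIVATE-TOKEN (or the pipeline's CI_JOB_TOKEN) header."""
    return f"{base_url}/api/v4/projects/{project_id}/jobs/artifacts/{ref}/raw/{path}?job={job}"


def summarise(report_json):
    """Parse a SAST report into severity counts plus findings sorted worst-first."""
    findings = []
    for v in json.loads(report_json).get("vulnerabilities", []):
        loc = v.get("location", {})
        findings.append({"severity": v.get("severity") or "Unknown",
                         "name": v.get("name", "(unnamed)"),
                         "file": loc.get("file", "?"), "line": loc.get("start_line")})
    findings.sort(key=lambda f: RANK.get(f["severity"], len(RANK)))  # unknown severities last
    counts = Counter(f["severity"] for f in findings)
    return {"total": len(findings), "counts": dict(counts), "findings": findings}


def render_text(summary):
    """Plain-text digest; pipe it to a PDF tool (e.g. enscript | ps2pdf, or pandoc)."""
    lines = [f"SAST findings: {summary['total']}"]
    lines += [f"  {s}: {summary['counts'][s]}" for s in SEVERITY_ORDER if s in summary["counts"]]
    lines += [f"[{f['severity']}] {f['name']}  {f['file']}:{f['line']}" for f in summary["findings"]]
    return "\n".join(lines)


def blocks_release(summary, threshold="High"):
    """True if any finding is at or above `threshold`: a simple gate for the CR step (assumed policy)."""
    return any(RANK.get(f["severity"], len(RANK)) <= RANK[threshold] for f in summary["findings"])
```

In the pipeline, `summarise` would be fed the body fetched from `artifact_url(...)` (or the job's own artifact file) instead of the constructed sample.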