Hello to anyone out there.
Quick question: Do we need the Enterprise edition to perform secret detection or use Static Application Security Testing (SAST)? If we do, is there any open source tool we can use to scan our full Community edition GitLab repo?
Hi @sereneoh12
SAST and Secret Detection are available in the Free version. You don’t get the nice UI features that come with Ultimate. But you will get the reports as JSON files in job/pipeline artifacts.
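Since the Free tier leaves you with only the JSON artifacts (the `Security/SAST.gitlab-ci.yml` and `Security/Secret-Detection.gitlab-ci.yml` templates produce `gl-sast-report.json` and `gl-secret-detection-report.json`), a small reader for those files is the practical substitute for the Ultimate dashboard. The script below is an added example for this thread, not code from GitLab or from anyone in the discussion. It assumes the reports follow GitLab's security report schema (a top-level `vulnerabilities` list whose entries carry `severity`, `name` or `message`, and a `location` with `file` and `start_line`); the embedded sample report is constructed, not the output of a real scan.

```python
"""Summarise GitLab SAST / Secret Detection JSON reports outside the Ultimate UI.

Added example, not code from the original thread or from GitLab. It assumes the
reports follow GitLab's security report schema: a top-level "vulnerabilities"
list whose entries carry "severity", "name" or "message", and a "location" with
"file" and "start_line". The sample report below is constructed, not a real scan.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample shaped like gl-secret-detection-report.json / gl-sast-report.json.
SAMPLE_REPORT = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        {"id": "c1", "category": "secret_detection", "name": "AWS Access Key",
         "message": "AWS Access Key detected", "severity": "Critical",
         "location": {"file": "config/settings.py", "start_line": 12,
                      "commit": {"sha": "0" * 40}}},
        {"id": "h1", "category": "sast", "name": "Use of eval",
         "message": "Use of eval", "severity": "High",
         "location": {"file": "app/util.py", "start_line": 40, "end_line": 40}},
        {"id": "l1", "category": "sast", "name": "Assert used",
         "message": "Use of assert", "severity": "Low",
         "location": {"file": "app/util.py", "start_line": 7}},
    ],
})


def load_findings(report_text):
    """Parse a report; an empty or schema-less file yields no findings rather than a crash."""
    data = json.loads(report_text) if report_text.strip() else {}
    return data.get("vulnerabilities", [])


def severity_rank(finding):
    """Lower rank = more severe; unknown labels sort last."""
    sev = finding.get("severity", "Unknown")
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def severity_counts(findings):
    """Counter of findings per severity, e.g. {"Critical": 1, "High": 1, "Low": 1}."""
    return Counter(f.get("severity", "Unknown") for f in findings)


def format_findings(findings):
    """One line per finding, most severe first: 'Critical config/settings.py:12  AWS Access Key'."""
    lines = []
    for f in sorted(findings, key=severity_rank):
        loc = f.get("location", {})
        title = f.get("name") or f.get("message") or f.get("id", "?")
        lines.append(f"{f.get('severity', 'Unknown'):9}{loc.get('file', '?')}:{loc.get('start_line', '?')}  {title}")
    return lines


def violates_gate(findings, threshold="High"):
    """True when any finding is at or above threshold. Usable as the job's exit
    status, since the Free tier has no merge-request security gate of its own."""
    limit = SEVERITY_ORDER.index(threshold)
    return any(severity_rank(f) <= limit for f in findings)


if __name__ == "__main__":
    # Usage: python summarise_report.py gl-secret-detection-report.json [gl-sast-report.json ...]
    # With no arguments the constructed sample report is summarised instead.
    findings = load_findings(SAMPLE_REPORT) if len(sys.argv) == 1 else []
    for path in sys.argv[1:]:
        with open(path) as fh:
            findings += load_findings(fh.read())
    print("\n".join(format_findings(findings)))
    print(dict(severity_counts(findings)))
    sys.exit(1 if violates_gate(findings) else 0)
```

Run it as a final job in the same pipeline with `needs:` on the scanner jobs and the report artifacts downloaded, and its non-zero exit gives you the "fail on High or worse" behaviour that the Ultimate UI would otherwise provide.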
Thank you for the reply. For the full repo scan, are they only available starting from 13.5 of the free version? We are currently on 13.4.
Does it matter if we use the Harbor registry to store our image instead of GitLab?
It is available since 13.3.
I don’t understand your image question, SAST and Secret Detection scan your source code. They don’t deal with container images.
Yes. Thank you, Balonik.
From the documentation, we saw that the scan is only available for repos with multiple projects starting from version 13.7. We will have to be at that version to perform the full repo history scan.
We have another issue whereby we do not have pipelines set up for all our GitLab projects (hundreds of them); without them, we will not be able to perform the scan either.
Pardon me for the image question. Yes, it should not be a concern which image registry we use.
Adding to my question, in case anyone out there can help advise.
The current SAST and Secret Detection seem to be only available for projects with a pipeline set up. We have a total of close to 2K projects in our GitLab environment.
As we are in the process of moving towards CI/CD, we currently have only a couple of projects which have a CI/CD pipeline. However, we will want to perform a scan on the whole repo of 1K projects. Any idea how we can best do this without setting up a pipeline for the 2K projects?
You can try to download and use GitHub - zricethezav/gitleaks: Scan git repos (or files) for secrets using regex and entropy 🔑 directly on the GitLab server and scan the (for Omnibus) /var/opt/gitlab/git-data/repositories.
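Driving gitleaks over a couple of thousand bare repositories by hand is impractical, so here is an added orchestration script for the approach suggested above. It is not code from the thread, from GitLab or from the gitleaks project. It assumes gitleaks v8 is on `PATH` (so `gitleaks detect --source … --report-format json --report-path … --exit-code 0` is available), that the repositories are bare `*.git` directories under `/var/opt/gitlab/git-data/repositories` as Omnibus hashed storage lays them out (`@hashed/xx/yy/<sha>.git`, plus `@pools` for object pools), that directories starting with `+` are Gitaly internals to skip, and that the script runs as a user who can read that tree (typically `git` or `root`). Whether gitleaks walks the full history of a bare repository via `git log -p` the same way it does a working clone is also an assumption worth confirming on one repository first.

```python
"""Scan every bare Git repository on an Omnibus GitLab server with gitleaks.

Added example for this thread (not GitLab's or the gitleaks project's code).
Assumptions: gitleaks v8 is on PATH (it exposes "gitleaks detect --source ...");
repositories are bare "*.git" directories under REPO_ROOT, as Omnibus hashed
storage lays them out (@hashed/xx/yy/<sha>.git); directories starting with '+'
are Gitaly internals; and the script runs as a user that can read that tree.
"""
import json
import os
import subprocess
import sys

REPO_ROOT = "/var/opt/gitlab/git-data/repositories"   # Omnibus default, as given in the thread


def find_bare_repos(root):
    """Return every bare repo path below root, without descending into the repos themselves."""
    repos = []
    for dirpath, dirnames, _files in os.walk(root):
        # Assumed: Gitaly's internal directories start with '+' (e.g. +gitaly) and hold no repos.
        dirnames[:] = [d for d in dirnames if not d.startswith("+")]
        for d in list(dirnames):
            if d.endswith(".git"):
                repos.append(os.path.join(dirpath, d))
                dirnames.remove(d)          # a repo's internals are not more repos
    return sorted(repos)


def gitleaks_command(repo, report_path):
    """Build the gitleaks invocation: full history of the bare repo, JSON report.
    --exit-code 0 keeps a found secret from being confused with a scanner failure."""
    return ["gitleaks", "detect", "--source", repo,
            "--report-format", "json", "--report-path", report_path,
            "--exit-code", "0"]


def scan_repos(repos, out_dir, runner=subprocess.run):
    """Scan each repo; return {repo: finding_count} (None when gitleaks itself failed).
    runner is injectable so the orchestration can be exercised without gitleaks."""
    os.makedirs(out_dir, exist_ok=True)
    results = {}
    for i, repo in enumerate(repos):
        report = os.path.join(out_dir, f"repo-{i:05d}.json")
        proc = runner(gitleaks_command(repo, report), capture_output=True, text=True)
        if proc.returncode != 0:
            results[repo] = None            # scanner error, not a leak (see --exit-code 0)
            continue
        try:
            with open(report) as fh:
                results[repo] = len(json.load(fh))
        except (OSError, ValueError):
            results[repo] = 0               # some gitleaks versions write no report when clean
    return results


def summarise(results):
    """Split results into (repos with findings, most first) and (repos whose scan failed)."""
    leaks = sorted(((r, n) for r, n in results.items() if n), key=lambda x: -x[1])
    failed = sorted(r for r, n in results.items() if n is None)
    return leaks, failed


if __name__ == "__main__":
    # Usage: python scan_all_repos.py [repo_root] [report_dir]
    root = sys.argv[1] if len(sys.argv) > 1 else REPO_ROOT
    out = sys.argv[2] if len(sys.argv) > 2 else "gitleaks-reports"
    repos = find_bare_repos(root)
    print(f"found {len(repos)} bare repositories under {root}")
    leaks, failed = summarise(scan_repos(repos, out))
    for repo, n in leaks:
        print(f"{n:5d}  {repo}")
    for repo in failed:
        print(f"FAILED {repo}", file=sys.stderr)
    print(f"{len(leaks)} repositories with findings, {len(failed)} scan failures; reports in {out}/")
```

The per-repository JSON reports are what you then triage; the hashed directory names do not reveal which project a report belongs to, so map each `<sha>.git` back to its project through the GitLab admin area or API before rotating anything.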