GitLab
https://github.com/CodeThreat/codethreat-gitlab-plugin
Integrating CodeThreat with GitLab allows you to perform automatic security scans within your GitLab CI/CD workflows. This integration is configured via the .gitlab-ci.yml file, ensuring your project is continuously analyzed for security. Below is a detailed guide on how to configure the CodeThreat integration for GitLab:
CodeThreat Integration for GitLab
Setup Steps
Creating the YAML File: Begin by creating a .gitlab-ci.yml file in your project. This file defines your GitLab CI/CD workflows.
include:
  - 'https://raw.githubusercontent.com/CodeThreat/codethreat-gitlab-plugin/main/templates/codethreat.gitlab-ci.yaml'

variables:
  GITLAB_ACCESS_TOKEN: "$GITLAB_ACCESS_TOKEN"
  GITLAB_USER_LOGIN: "$GITLAB_USER_LOGIN"
  GITLAB_BASE_URL: "https://gitlab.com"
  # CodeThreat specific variables
  CT_BASE_URL: "$CT_BASE_URL"        # SAST Center base URL
  CT_TOKEN: "$CT_TOKEN"              # User API token
  CT_ORGANIZATION: "codethreat"      # Organization name
  FAILED_ARGS: '{}'
This configuration automates your security scans using the CodeThreat GitLab Plugin. The include key incorporates a template file provided by CodeThreat into your project.
Configuring Variables: In the variables section, define the variables specific to GitLab and CodeThreat. These variables should be securely added in the Settings > CI / CD > Variables section of your GitLab group; mark secrets such as CT_TOKEN and GITLAB_ACCESS_TOKEN as masked so that they are not printed in job logs.

Failure Conditions (FAILED_ARGS)
Details of FAILED_ARGS: This JSON object determines when the workflow is considered a failure based on the scan results. For instance, you can stop the workflow if a certain number of critical or high severity findings are detected, or if specific types of weaknesses are found.
FAILED_ARGS: '{
  "max_number_of_critical": 5,
  "max_number_of_high": 4,
  "weakness_is": ".*injection",
  "condition": "OR",
  "sync_scan": true,
  "policy_name": "Advanced Security",
  "sca_max_number_of_critical": 5,
  "sca_max_number_of_high": 4
}'
Max Number High/Critical: max_number_of_critical and max_number_of_high apply to SAST scans and cause the workflow to fail when the configured number of critical or high severity findings is detected. sca_max_number_of_critical and sca_max_number_of_high set the corresponding limits for SCA (Software Composition Analysis) findings and work in the same way as the SAST criteria.
Weakness Is: Stops the workflow if weaknesses of a certain type are found. The value is a pattern, or a comma-separated list of patterns, for example ".*injection" or ".*injection,buffer.over.read,mass.assigment".
Condition: The AND or OR value determines how multiple FAILED_ARGS conditions are evaluated. AND requires all conditions to be met, while OR requires any one of them to be met to stop the workflow.
Auto Merge: If set to true and the pipeline is triggered by a merge request, the merge request is automatically accepted when the workflow succeeds.
In addition, the following options can be set in FAILED_ARGS:
Sync Scan: When set to false, the workflow continues without waiting for the scan results. This is useful where scans take a long time, at the cost of the failure conditions above not blocking the pipeline.
Policy Name: Determines under which security policy the scan is conducted. The default is "Advanced Security", but a different policy can also be selected.
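As an added illustration, not code from the CodeThreat plugin itself, the following Python script shows how the FAILED_ARGS conditions described above combine: it parses the JSON string exactly as it would be set in .gitlab-ci.yml (so a trailing comma or other JSON mistake is reported instead of silently disabling the checks), applies the max_* thresholds and the weakness_is patterns to a constructed scan summary, and evaluates them with AND or OR. The ScanSummary shape, the reading of a max_* threshold as "fail when the count exceeds the limit", the treatment of weakness_is as a comma-separated list of regular expressions matched against weakness ids, and OR as the default condition are assumptions made for this example; the plugin's real result schema and semantics may differ.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample: the FAILED_ARGS value as the pipeline would receive it
# after YAML has stripped the surrounding single quotes.
FAILED_ARGS_JSON = """{
  "max_number_of_critical": 5,
  "max_number_of_high": 4,
  "weakness_is": ".*injection,buffer.over.read",
  "condition": "OR",
  "sca_max_number_of_critical": 5,
  "sca_max_number_of_high": 4
}"""


@dataclass
class ScanSummary:
    """Constructed scan result shape for this example (assumption: not the
    CodeThreat API's real schema)."""
    sast_critical: int
    sast_high: int
    sca_critical: int
    sca_high: int
    weakness_ids: list  # e.g. ["sql.injection", "xss"]


def parse_failed_args(raw: str) -> dict:
    """Parse FAILED_ARGS and reject malformed input loudly.

    A trailing comma (as in '{"a": 1,}') is invalid JSON; catching it here
    means the pipeline fails on configuration rather than running with no
    failure conditions at all."""
    try:
        args = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"FAILED_ARGS is not valid JSON: {exc}") from exc
    if not isinstance(args, dict):
        raise ValueError("FAILED_ARGS must be a JSON object")
    if str(args.get("condition", "OR")).upper() not in ("AND", "OR"):
        raise ValueError("condition must be AND or OR")
    return args


def failed_args_is_valid(raw: str) -> bool:
    """Convenience wrapper: True if FAILED_ARGS parses, False otherwise."""
    try:
        parse_failed_args(raw)
        return True
    except ValueError:
        return False


def evaluate(args: dict, summary: ScanSummary) -> tuple:
    """Return (should_fail, reasons) for a scan summary under FAILED_ARGS.

    Assumptions for this example: a max_* threshold trips when the observed
    count is strictly greater than the limit; weakness_is is a comma-separated
    list of regular expressions, and any pattern fully matching a finding's
    weakness id trips that condition; condition defaults to OR."""
    checks = []  # (description, tripped?)
    observed = {
        "max_number_of_critical": summary.sast_critical,
        "max_number_of_high": summary.sast_high,
        "sca_max_number_of_critical": summary.sca_critical,
        "sca_max_number_of_high": summary.sca_high,
    }
    for key, count in observed.items():
        if key in args:
            limit = int(args[key])
            checks.append((f"{key}={limit} (observed {count})", count > limit))

    if "weakness_is" in args:
        patterns = [re.compile(p.strip())
                    for p in str(args["weakness_is"]).split(",") if p.strip()]
        matched = sorted({w for w in summary.weakness_ids
                          if any(p.fullmatch(w) for p in patterns)})
        checks.append((f"weakness_is matched {matched}", bool(matched)))

    if not checks:
        return False, []
    tripped = [desc for desc, hit in checks if hit]
    if str(args.get("condition", "OR")).upper() == "AND":
        return len(tripped) == len(checks), tripped
    return bool(tripped), tripped


if __name__ == "__main__":
    config = parse_failed_args(FAILED_ARGS_JSON)
    sample = ScanSummary(sast_critical=2, sast_high=6, sca_critical=0,
                         sca_high=0, weakness_ids=["xss", "sql.injection"])
    should_fail, why = evaluate(config, sample)
    print("fail pipeline:", should_fail)
    for reason in why:
        print("  -", reason)
```

Note that with condition OR a single tripped threshold is enough to fail the pipeline, whereas with AND every configured condition, including the weakness_is match, must trip at once, which is usually far stricter than intended.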
This configuration and the explanations above offer a basic guide to setting up the integration between CodeThreat and GitLab CI/CD. The integration enables continuous security scanning of your projects, helping to detect security vulnerabilities early.