SAST Integration with GitLab

Security Program 360’s (SP360) Static Application Security Testing (SAST) functionality enables continuous code inspection by scanning source code and identifying potential security vulnerabilities, bugs, and best practice violations. SP360’s SAST functionality integrates with your existing workflow and, as an integral part of a continuous integration regime, provides continuous code inspection to ensure code quality and security integrity before deployment to customer-accessible environments.

This document describes the process of integrating SP360’s SAST with GitLab repositories.

To integrate SP360’s SAST and scan the source code of an application and its components stored in a GitLab repository, follow the steps below:

Step 1: Log into SP360 and click on the SAST option in the navigation menu on the left side.

Step 2: Click on the GitLab icon at the top right.

Note:

Clicking on the GitLab icon results in one of the following scenarios:

    ● If you are not logged into GitLab, the GitLab login page shown in Step 3 is displayed.
    ● If you successfully log into GitLab but have never authorized SP360, the authorization page shown in Step 4 is displayed.


Step 3: Sign in to your GitLab account.

Step 4: This GitLab page requires you to authorize the SP360 application.

Step 5: After clicking Authorize, an SP360 page is displayed. Select the repository from the drop-down and click Save.

Step 6: At this point, a pop-up message indicates that the connection has been successfully updated.

Step 7: Select the repository (or repositories) that you want to scan periodically. You can select All Repositories or Only select repositories. Once a selection is made, click Save.

Once the connection to the repository has been established, the repository is scanned. This progression is reflected by a series of changes in the repository status, from “Connecting”, “Connected”, “Scheduled”, “Scanning” and “Synced” to “Scanned”. Once the scan is complete, its date and time are displayed, and the vulnerabilities, bugs, and unsatisfied best practices found in the source code can be explored. For more information on the Status Flow Diagram, click here.

Supported Actions Once a Repository is Connected


Each connected repository has four available action buttons, indicated by the icons on the right side of each line. For more information, click here.