[Techworld with Nana] DevSecOps Bootcamp [2024, ENG]: Vulnerability Management and Remediation


Делаю:
2026.01.15


01 - Generate Security Scanning Reports (4 - Vulnerability Management and Remediation)


.gitlab-ci.yml


# Every job below runs in this single `test` stage; the ordering between the
# scanners and the report upload is expressed with `needs`, not with stages.
stages:
  - test

# Runs the project's test suite. Chrome is installed and CHROME_BIN exported,
# presumably for a browser-based test runner — confirm against the repo's test config.
yarn_test:
  stage: test
  # NOTE(review): floating tag — pin to a digest (node:22-bullseye@sha256:...)
  # so the build environment cannot change underneath the pipeline.
  image: node:22-bullseye
  before_script:
    - apt-get update && apt-get install -y wget curl
    # NOTE(review): the .deb is fetched over TLS but its checksum is never
    # verified, and `apt-get install ./file.deb` installs a local package
    # without any signature check, so a tampered download runs unverified in
    # the job. Verify a known SHA-256 before installing, or install Chrome from
    # Google's signed apt repository instead.
    - wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
    - apt-get install -y ./google-chrome-stable_current_amd64.deb
    - export CHROME_BIN=/usr/bin/google-chrome
  script:
    # NOTE(review): plain `yarn install` may update the lockfile and pull in
    # dependency versions that were never reviewed; use --frozen-lockfile
    # (yarn v1) or --immutable (yarn berry) so CI installs exactly what is committed.
    - yarn install
    - yarn test

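# Secret scanning with gitleaks; the JSON report is imported into DefectDojo
# by the `upload_reports` job.
gitleaks:
  stage: test
  image:
    # NOTE(review): no tag resolves to `latest`; pin a version tag or digest.
    name: zricethezav/gitleaks
    # Override the image entrypoint so GitLab can run `script` in a shell.
    entrypoint: ['']
  # NOTE(review): with GitLab's default shallow clone, `detect` only sees the
  # fetched commits; set `GIT_DEPTH: 0` in this job's variables for a
  # full-history scan.
  script:
    # --redact replaces the matched secret values in the report and in the
    # verbose log output. Without it, gitleaks.json — a downloadable artifact —
    # contains every detected secret in plaintext, re-exposing it to anyone
    # who can read job artifacts or logs.
    - gitleaks detect --verbose --source . -f json -r gitleaks.json --redact
  # Findings do not fail the pipeline; they are only surfaced through the
  # report, so a leaked secret will not block a merge unless someone reviews it.
  allow_failure: true
  artifacts:
    when: always
    paths:
      - gitleaks.json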

# Node.js SAST with njsscan; the report is written as SARIF for DefectDojo import.
njsscan:
  stage: test
  image: python:3.12
  before_script:
    # NOTE(review): installs whatever njsscan version PyPI serves at run time.
    # Pin `njsscan==<version>` (ideally with --require-hashes) so the scanner
    # cannot silently change, or be substituted, between pipeline runs.
    - pip3 install --upgrade njsscan
  script:
    # --exit-warning returns a non-zero exit code on warnings; combined with
    # allow_failure: true below, the job shows as "passed with warnings"
    # instead of blocking the pipeline.
    - njsscan --exit-warning . --sarif -o njsscan.sarif
  allow_failure: true
  artifacts:
    when: always
    paths:
      - njsscan.sarif

# Semgrep SAST using the public JavaScript ruleset.
semgrep:
  stage: test
  # NOTE(review): untagged image resolves to `latest`; pin a version or digest.
  image: semgrep/semgrep
  variables:
    # Ruleset for `semgrep ci`; it reads the selection from this variable.
    SEMGREP_RULES: p/javascript
  script:
    # `semgrep ci` exits non-zero when it reports blocking findings, so
    # allow_failure below keeps the pipeline moving while the report is still
    # produced and uploaded.
    - semgrep ci --json --output semgrep.json
  allow_failure: true
  artifacts:
    when: always
    paths:
      - semgrep.json


// Note: https://demo.defectdojo.org/ would not open for me when I tried it.
// It is DefectDojo's shared public demo, not a private deployment, so anything uploaded
// there (the gitleaks report in particular, which carries the matched secret values unless
// --redact is used) is visible to other users of the demo. Point the upload job at your own
// DefectDojo instance before running it against a real repository.
https://demo.defectdojo.org/


# Pushes the three scanner reports to DefectDojo. Runs even when the scanners
# reported findings (`when: always`) and, through `needs`, only after their
# jobs have finished.
upload_reports:
  stage: test
  image: python:3.12
  # `needs` also downloads these jobs' artifacts into this job's workspace,
  # which is where the report files below come from.
  needs: ['gitleaks', 'njsscan', 'semgrep']
  when: always
  before_script:
    # NOTE(review): unpinned install; pin `requests==<version>`.
    - pip3 install requests
  script:
    # NOTE(review): the DefectDojo API token must be provided as a masked,
    # protected CI/CD variable (e.g. DEFECTDOJO_API_TOKEN) and read from the
    # environment by upload-reports.py — never committed in the script.
    # A non-zero exit from the first upload skips the remaining two.
    - python3 upload-reports.py gitleaks.json
    - python3 upload-reports.py njsscan.sarif
    - python3 upload-reports.py semgrep.json


upload-reports.py

import os
import sys

import requests

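# Upload one scanner report to DefectDojo's import-scan endpoint.
#
# Usage: python3 upload-reports.py <gitleaks.json|njsscan.sarif|semgrep.json>
#
# Configuration comes from the environment (set as masked/protected CI/CD
# variables):
#   DEFECTDOJO_API_TOKEN  - API token (required). It must never be hard-coded
#                           in this file: the script is committed to the repo
#                           and printed in job logs. The token that used to be
#                           embedded here is exposed in git history and should
#                           be revoked in DefectDojo.
#   DEFECTDOJO_URL        - base URL, default https://demo.defectdojo.org
#   DEFECTDOJO_ENGAGEMENT - engagement id, default 19
#
# Exits non-zero on any failure so the CI job fails instead of silently
# dropping the report.

if len(sys.argv) != 2:
    sys.exit('usage: upload-reports.py <report file>')

file_name = sys.argv[1]

# Map each report file to the DefectDojo parser ("scan_type") it must be
# imported with.
SCAN_TYPES = {
    'gitleaks.json': 'Gitleaks Scan',
    'njsscan.sarif': 'SARIF',
    'semgrep.json': 'Semgrep JSON Report',
}
scan_type = SCAN_TYPES.get(file_name)
if scan_type is None:
    # Previously an empty scan_type was sent and rejected server-side; fail early.
    sys.exit(f'Unknown report file {file_name!r}; expected one of {sorted(SCAN_TYPES)}')

if not os.path.isfile(file_name):
    # With allow_failure on the scanners, a report can be missing if a scanner
    # job never produced it (e.g. image pull failure).
    sys.exit(f'Report file {file_name!r} not found')

token = os.environ.get('DEFECTDOJO_API_TOKEN')
if not token:
    sys.exit('DEFECTDOJO_API_TOKEN is not set')

headers = {
    'Authorization': f'Token {token}'
}

base_url = os.environ.get('DEFECTDOJO_URL', 'https://demo.defectdojo.org').rstrip('/')
url = f'{base_url}/api/v2/import-scan/'

data = {
    'active': True,
    # NOTE(review): `verified: True` marks every imported finding as confirmed
    # without human triage; consider False and let a reviewer verify in DefectDojo.
    'verified': True,
    'scan_type': scan_type,
    'minimum_severity': 'Low',
    'engagement': int(os.environ.get('DEFECTDOJO_ENGAGEMENT', '19'))
}

# The file handle is closed once the request completes (it was previously
# leaked). A timeout keeps a hung server from stalling the job indefinitely.
with open(file_name, 'rb') as report:
    files = {
        'file': report
    }
    response = requests.post(url, headers=headers, data=data, files=files, timeout=60)

if response.status_code == 201:
    print('Scan results imported successfully')
else:
    # sys.exit with a message prints it to stderr and exits with status 1.
    sys.exit(f'Failed to import scan results: HTTP {response.status_code} {response.content}')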