Pipeline stage for scanners

The security scans should run before the build and deploy stages of the pipeline, so that code that fails a scan is neither deployed nor included in any built artefacts such as container images.

The default stage for GitLab's security scanning jobs is the test stage.

You can override this manually if needed.

If your pipeline does not define the test stage and you include the default security scanning templates, the pipeline reports a syntax error.

Secret detection

https://docs.gitlab.com/ee/user/application_security/secret_detection/

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml

Dependency Scanning

https://docs.gitlab.com/ee/user/application_security/dependency_scanning/

include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

Container Scanning

https://docs.gitlab.com/ee/user/application_security/container_scanning/

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

Infrastructure as Code scanning

https://docs.gitlab.com/ee/user/application_security/iac_scanning/

include:
  - template: Jobs/SAST-IaC.gitlab-ci.yml
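A complete .gitlab-ci.yml that ties the above together, added here as an example rather than taken from GitLab's documentation: the scanners sit in stages ordered before build and deploy, all four templates are included, and one job is moved to a custom stage to show the override. The stage name security and the build/deploy job bodies are assumptions; secret_detection is the job name the Secret-Detection template defines.

```yaml
# Example .gitlab-ci.yml (added example, not GitLab's own configuration).
# Stage order is what enforces "scan before build and deploy": a job in a
# later stage only starts once every earlier stage has completed.
stages:
  - security   # assumed custom stage, used by the override below
  - test       # the stage the scanner templates default to; it must exist
  - build
  - deploy

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml
  - template: Jobs/SAST-IaC.gitlab-ci.yml

# Override of a template job. The stage named here must be listed under
# `stages:` above; naming a stage that does not exist fails the pipeline at
# validation. The templates set allow_failure: true on their jobs, so set it
# to false if a scanner error (not just a finding) should block the pipeline.
secret_detection:
  stage: security
  allow_failure: false

# Placeholder build and deploy jobs (assumed) that only run once the
# scanning stages have passed.
build_image:
  stage: build
  script:
    - echo "build container image here"

deploy_app:
  stage: deploy
  script:
    - echo "deploy here"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```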