- Author: Pedric Kng
- Updated: 26 Oct 2018
The purpose of this project is to share GitLab CI Shell Runner integration with Checkmarx CxSAST to perform SAST scan during the test stage.
- Setup GitLab Shell Runner
- Install the Checkmarx CLI tool, note that this example has been tested with v8.9.0 version of the tool.
- Download the following files to your machine installed with the runners and edit accordingly.
msxml.exe -- xml parser
CxCheckThresholds.bat -- Script to check for severity thresholds in the result
CxResult.xslt -- xslt to parse the XML scan result
Cx_GitLab_Windows_demo.bat -- Script to execute scans and parse the XML scan result.
Arguments | Description |
---|---|
-p | Checkmarx scan preset |
-h | high severity threshold |
-m | medium severity threshold |
-
Edit the Cx_GitLab_Windows_demo.bat accordingly i.e., Checkmarx CxSAST authentication credentials, parameters, CLI path.
-
Create a file named .gitlab-ci.yml in the root directory of your repository, edit as required.
# .gitlab-ci.yml
# Take note that yml file only accepts space character, tab is not supported
variables:
GIT_SUBMODULE_STRATEGY: recursive
before_script:
stages:
- test
cxsast:
stage: test
script:
- call C:\GitLab-Runner\GitLab\Cx_GitLab_Windows_demo.bat -h 20 -m 500
only:
- master
tags:
- windows
- Push to your GitLab repository
- Execute your GitLab pipeline, should the threshold exceed. The job should fail.
- Character '!' is removed when script executing in GitLab Shell Runner, there is currently no workaround.
- SSL certificate verification not working in version 10.6, a simple workaround is to add an environmental variable: "GIT_SSL_NO_VERIFY=true" to your runner's configuration.
# config.toml
concurrent = 1
check_interval = 0
[session_server]
session_timeout = 1800
[[runners]]
name = "win-gitlab-runner"
url = "https://gitlab.com/"
token = "****"
executor = "shell"
builds_dir = "C:\\GitLab-Runner\\build"
cache_dir = "C:\\GitLab-Runner\\cache"
environment = ["GIT_SSL_NO_VERIFY=1"]
[runners.cache]
[runners.cache.s3]
[runners.cache.gcs]
- Path separator '' is differently interpreted as executed in GitLab Runner, there might be a need to use double path separator '\\' in some case.
- For shell runner in Windows environment, the script runs in the windows temporary directory.
Getting started with GitLab CI/CD [1]
GitLab CI/CD Variables [2]
GitLab Runner Advanced Configuration [3]
Introduction to GitLab CI pipelines and jobs [4]