Gitlab CI

nctl integrates and works with the GitLab CI and allows scanning against security team-defined policies which ensures addressing of misconfigurations in the pipeline alongside other tests and vulnerability scanning. The nctl-scan job will trigger the scan. In case of a failure, the entire job can be configured to fail, meaning that the test pipeline will fail, and the users will get quick feedback for their changes. Upon successful completion of the job, the scan results will be published to the NCH for viewing. NCH provides insights to platform administrators on overall compliance of different code repositories in their organization. Learn more about GitLab CI pipelines and their configuration from this official documentation.

Understanding the GitLab CI Workflow

To see pipeline scanning with GitLab CI in action:

Install nctl in the GitLab pipeline

Add the install nctl job to the gitlab-ci.yml file in the repository. The job installs the nctl CLI and is stored as an artifact for future jobs. The following code does that:

install-nctl: 
  stage: install
  script:
    - echo "Downloading and Installing NCTL 4.2.0"
    - curl -O -L -s https://nirmata-downloads.s3.us-east-2.amazonaws.com/nctl/nctl_4.0.2/nctl_4.2.0_linux_386.zip
    - unzip *.zip
    - echo "Verify Installation"
    - chmod 755 ./nctl
    - ./nctl version
  artifacts:
    paths:
    - ./nctl

Scan Repository files for misconfiguration

The nctl-scan-repo job scans the configuration files available in the repository for any misconfigurations. The –policies argument points to the directory containing security policies.

Note: The policies can also be stored in a different GitLab repository. Refer to the sample list of policies here.

After the execution of this job, the pipeline will fail if there are misconfigurations which will force the developer to debug and fix the issue at the source.

nctl-scan-repo:   # This job scans config files for misconfigurations.
  stage: scan    # It only starts when the job in the install stage completes successfully.
  dependencies:
    - install-nctl
  script:
    - echo "Running nctl scan"
    - pwd
    - git checkout main # Checkout the branch of choice or use pipeline variables to specify the branch.
    - ./nctl scan repository --policies ./policy.yaml

Note: Setting the branch variable through git checkout main is specific only for GitLab.

This pipeline runs in two stages: install-nctl and scan. Both can be visualized in the GitLab UI. The below image represents the same.

image