Set up Trivy Scanner in GitLab CI
VIET NGUYEN QUOC
Posted on October 27, 2024
Here's a blog post to guide others on setting up a security scan CI pipeline (using Trivy) in GitLab. I am keeping it as simple as I can.
Setting Up a GitLab CI Pipeline for Security Scanning
Continuous Integration (CI) pipelines play a critical role in automating and securing code development workflows. With GitLab CI, you can run security scans on every pipeline to detect vulnerabilities and misconfigurations in your code before they reach production. In this guide, we'll set up a CI job in GitLab using Trivy, a popular open-source security scanner (https://github.com/aquasecurity/trivy), to perform filesystem scans of the repository checkout for misconfigurations (for example in Dockerfiles, Kubernetes manifests and Terraform) and for known vulnerabilities in the dependencies declared in lock files.
Prerequisites
- GitLab Repository: You’ll need a GitLab project to set up your CI/CD pipeline.
- GitLab Runner: Make sure you have a GitLab Runner available to execute the pipeline jobs. The job below installs curl with apt-get, so it needs a Debian/Ubuntu-based job image, plus outbound network access to github.com to download Trivy and its vulnerability database.
Step 1: Create the .gitlab-ci.yml File
In the root of your GitLab project, create a .gitlab-ci.yml file. This file defines the stages, jobs, and configuration for your CI/CD pipeline.
Here's the .gitlab-ci.yml configuration for our Trivy security scan job:
stages:
  - security_scan # The stage must be declared here; GitLab rejects a job whose stage is not in this list

security-misc-scan:
  stage: security_scan
  image: debian:bookworm-slim # Assumed image: apt-get below needs Debian/Ubuntu; change it to match your runners
  variables:
    TRIVY_NO_PROGRESS: "true" # Disables the progress bar for a cleaner log output
    TRIVY_CACHE_DIR: ".trivycache/" # Sets the directory where Trivy caches its vulnerability database
  before_script:
    - apt-get update; apt-get install -y curl # Install curl to retrieve the latest Trivy version
    - export TRIVY_VERSION=$(curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') # Fetch the latest Trivy version (unpinned; see the caveat below)
    - echo $TRIVY_VERSION
    - curl -L https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz | tar -zxvf - # Download and extract the Trivy binary and its contrib/ templates into the working directory
  script:
    - touch misc-scan-report.json # Create the file that will hold the scan results
    - ./trivy filesystem --scanners config,vuln --exit-code 0 --format template --template "@contrib/gitlab-codequality.tpl" -o misc-scan-report.json . # Run the misconfiguration and vulnerability scanners over the checkout
    - cat misc-scan-report.json # Display the report in the job log
  cache:
    paths:
      - .trivycache/ # Cache directory to reuse the database between pipeline runs
  artifacts:
    paths:
      - misc-scan-report.json # Save the scan report as an artifact
    reports:
      codequality: misc-scan-report.json # Report for GitLab Code Quality
    when: always # Upload the report even if the job fails
  rules:
    - if: $CI_PIPELINE_SOURCE == "parent_pipeline" # Run the job only if the pipeline was triggered from a parent pipeline
  allow_failure: true # Allow this job to fail without impacting the pipeline status
  tags:
    - dind # Runner tag for Docker-in-Docker; change it to a tag your runners carry
  needs: [] # Start immediately instead of waiting for earlier stages
Explanation of the Job Configuration
- Stage: security_scan is the pipeline stage in which this job runs. It must also be listed under the top-level stages: keyword, otherwise GitLab reports that the chosen stage does not exist.
- Variables: Trivy reads TRIVY_NO_PROGRESS and TRIVY_CACHE_DIR from the environment, so these two settings control the log output and where the vulnerability database is cached.
- Before Script: This section downloads and installs Trivy. It asks the GitHub API for the latest release tag and fetches that tarball, so every run uses the most recent scanner. Two caveats for a production pipeline: the unauthenticated GitHub API is rate-limited per source IP, so on busy shared runners the request can fail and leave TRIVY_VERSION empty, which turns the download URL into a 404; and nothing verifies what was downloaded. Pinning TRIVY_VERSION to a known release and checking the tarball against the trivy_<version>_checksums.txt file published with each release keeps the scanner itself out of your supply-chain risk.
- Script: Runs Trivy's filesystem scan with the config (misconfiguration) and vuln (vulnerability) scanners over the repository checkout and writes the findings, rendered with the gitlab-codequality.tpl template shipped in the tarball's contrib/ directory, to misc-scan-report.json. Because of --exit-code 0 the command succeeds whatever Trivy finds; together with allow_failure: true this makes the job purely informational. To block a merge on findings, add a second invocation with --exit-code 1 and a --severity filter (for example HIGH,CRITICAL).
- Cache: Caches the .trivycache/ directory so the vulnerability database is reused between jobs instead of being downloaded on every run.
- Artifacts: Stores the JSON report for later review and registers it as a Code Quality report; when: always uploads it even when the job fails.
- Rules: The job runs only when the pipeline was triggered from a parent pipeline (for example through the trigger keyword). If you want it to run on every push, drop the rules block or change the condition to $CI_PIPELINE_SOURCE == "push".
- Tags: Specifies the runner requirements, in this case a runner tagged dind (Docker-in-Docker). Change it to the tag of your GitLab runners; the job itself runs no docker commands, so any runner that can run the chosen image will do.
- needs: [] lets the job start as soon as the pipeline is created rather than waiting for earlier stages to finish.
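The pinned, checksum-verified install that the Before Script caveat calls for, together with the gating scan mentioned under Script, as an added example that is not code from the original post or from the Trivy project. It assumes the release layout Trivy publishes on GitHub (a trivy_<version>_Linux-64bit.tar.gz tarball and a trivy_<version>_checksums.txt file in sha256sum format, both under the release's download URL), that sha256sum, tar and curl are on the job image, and that the Trivy flags used are those of a current release; the function names and the ./trivy-bin directory are the example's own. verify_and_extract works offline; install_trivy and scan_and_gate need network access and a real checkout.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the Trivy project: install a pinned
# Trivy release, verify its checksum before extracting, then run one informational
# report pass and one gating pass.
set -eu

# verify_and_extract TARBALL CHECKSUMS_FILE DEST
# Looks up the expected SHA-256 of TARBALL in CHECKSUMS_FILE (lines of
# "<sha256>  <filename>", the format sha256sum writes and Trivy's release
# checksums file uses), compares it with the digest of the file on disk and
# extracts into DEST only on a match. Any mismatch returns 1 with nothing extracted.
verify_and_extract() {
  local tarball="$1" checksums="$2" dest="$3"
  local name expected actual
  name=$(basename "$tarball")
  expected=$(awk -v f="$name" '$2 == f { print $1 }' "$checksums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $checksums" >&2
    return 1
  fi
  actual=$(sha256sum "$tarball" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest"
}

# install_trivy VERSION DEST
# Downloads the pinned release tarball and the checksums file published beside it
# (needs network access), then hands both to verify_and_extract. Bump VERSION in a
# reviewed commit instead of resolving "latest" from the GitHub API at build time.
install_trivy() {
  local version="$1" dest="$2"
  local base="https://github.com/aquasecurity/trivy/releases/download/v${version}"
  local tarball="trivy_${version}_Linux-64bit.tar.gz"
  local checksums="trivy_${version}_checksums.txt"
  curl -fsSL -o "$tarball" "${base}/${tarball}"
  curl -fsSL -o "$checksums" "${base}/${checksums}"
  verify_and_extract "$tarball" "$checksums" "$dest"
}

# scan_and_gate TRIVY_DIR TARGET
# First pass: the full Code Quality report, never fails (--exit-code 0).
# Second pass: same scanners, but --exit-code 1 on any HIGH or CRITICAL finding,
# so the job fails (and blocks the merge when allow_failure is not set) only on
# findings that matter. The template path points at the contrib/ directory
# shipped inside the tarball.
scan_and_gate() {
  local dir="$1" target="$2"
  "$dir/trivy" filesystem --scanners config,vuln --exit-code 0 \
    --format template --template "@${dir}/contrib/gitlab-codequality.tpl" \
    -o misc-scan-report.json "$target"
  "$dir/trivy" filesystem --scanners config,vuln --exit-code 1 \
    --severity HIGH,CRITICAL "$target"
}

# Usage inside the CI job (TRIVY_VERSION pinned in the job's variables block):
#   install_trivy "$TRIVY_VERSION" ./trivy-bin
#   scan_and_gate ./trivy-bin .
```

Calling scan_and_gate from a job without allow_failure: true turns the scan into a real gate: the informational report still reaches the Code Quality widget, while the second pass is what actually fails the pipeline.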
Step 2: Commit and Push Your .gitlab-ci.yml File
After creating the file, commit and push it to your GitLab repository:
git add .gitlab-ci.yml
git commit -m "Add Trivy security scan job to CI pipeline"
git push origin main
Step 3: Monitor the Pipeline
Once pushed, GitLab creates a pipeline for the commit. Keep in mind that the rules block above restricts the job to pipelines triggered from a parent pipeline; remove that block if you want the job to run for a plain push. Check the job log to follow Trivy's progress and open the misc-scan-report.json artifact to review any discovered vulnerabilities or misconfigurations.
The full report is also shown on the Code Quality tab of the pipeline page in GitLab.
Conclusion
By following these steps, you've set up a GitLab CI job that runs Trivy automatically, surfacing known vulnerabilities and misconfigurations early in the development process without manual intervention. As configured here the job is informational; once your team has triaged the initial findings, tighten it with an exit code and severity filter so that new high-severity issues fail the pipeline.
Let me know if you’d like further customization options for different scan configurations!