---
stage: Security Risk Management
group: Security Policies
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# Tutorial: Set up a scan execution policy
DETAILS:
**Tier:** Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
This tutorial shows you how to create and apply a
[scan execution policy](../../user/application_security/policies/scan_execution_policies.md).
These policies enforce application security tools as part of the CI/CD pipeline. In this tutorial,
you create a policy to enforce secret detection in the CI/CD pipeline of two projects.
In this tutorial, you:
- [Create project A](#create-project-a).
- [Create the scan execution policy](#create-the-scan-execution-policy).
- [Test the scan execution policy with project A](#test-the-scan-execution-policy-with-project-a).
- [Create project B](#create-project-b).
- [Link project B to the security policy project](#link-project-b-to-the-security-policy-project).
- [Test the scan execution policy with project B](#test-the-scan-execution-policy-with-project-b).
## Before you begin
- You need permission to create new projects in an existing group.
## Create project A
In a standard workflow, you might already have an existing project. In this
tutorial, you're starting with nothing, so the first step is to create a project.
To create project A:
1. On the left sidebar, select **Search or go to** and find your group.
1. Select **New project**.
1. Select **Create blank project**.
1. Complete the fields. For **Project name**, enter `go-example-a`.
1. Select **Create project**.
1. Select **Add (`+`) > New file**.
1. Enter `helloworld.go` in the filename.
1. Copy and paste the following example Go code into the file.
```go
package main

import "fmt"

func main() {
	fmt.Println("Hello world")
}
```
1. Select **Commit changes**.
The next step is to create a scan execution policy. When the first security policy is created, a
policy project is created. The policy project stores the security policies created in any projects
that are linked to it. Keeping policies separate from the projects they protect makes your security
configuration reusable and easier to maintain.
## Create the scan execution policy
To create the scan execution policy:
1. On the left sidebar, select **Search or go to** and search for the `go-example-a` project.
1. Go to **Secure > Policies**.
1. Select **New policy**.
1. In the **Scan execution policy** section, select **Select policy**.
1. Complete the fields.
- **Name**: Enforce secret detection.
- **Policy status**: Enabled.
- **Actions**: Run a Secret Detection scan.
- **Conditions**: Triggers every time a pipeline runs for all branches.
1. Select **Configure with a merge request**.
The policy project `go-example-a - Security project` is created, and a merge request is created.
1. Optional. Review the generated policy YAML in the merge request's **Changes** tab.
1. Go to the **Overview** tab and select **Merge**.
1. On the left sidebar, select **Search or go to** and search for the `go-example-a` project.
1. Go to **Secure > Policies**.
You now have a scan execution policy that runs a secret detection scan on every MR, for any branch.
Test the policy by creating a merge request in project A.
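The settings selected in the policy editor above correspond to a scan execution policy like the following. This is an added illustration rather than the exact file the merge request generates for your project (the generated file may carry extra fields such as `description` or differ in ordering); the `name`, rule and action values mirror the choices made in this tutorial, and the file path `.gitlab/security-policies/policy.yml` is the conventional location in the policy project.

```yaml
# .gitlab/security-policies/policy.yml (illustrative, not the generated file)
scan_execution_policy:
  - name: Enforce secret detection
    description: Run secret detection on every pipeline, for all branches.
    enabled: true            # "Policy status: Enabled"
    rules:
      - type: pipeline       # "Triggers every time a pipeline runs"
        branches:
          - '*'              # "for all branches"
    actions:
      - scan: secret_detection   # "Run a Secret Detection scan"
```

Because the policy lives in the policy project rather than in `go-example-a`, nothing in the application project's own `.gitlab-ci.yml` (which this tutorial does not even create) can remove or skip the secret detection job; the job is injected into every pipeline of every linked project, which is what the remaining steps verify.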
## Test the scan execution policy with project A
To test the scan execution policy:
1. On the left sidebar, select **Search or go to** and find the project named `go-example-a`.
1. Go to **Code > Repository**.
1. Select the `helloworld.go` file.
1. Select **Edit > Edit single file**.
1. Add the following line immediately after the `fmt.Println("Hello world")` line:
```plaintext
var GitLabFeedToken = "feed_token=eFLISqaBym4EjAefkl58"
```
1. In the **Target Branch** field, enter `feature-a`.
1. Select **Commit changes**.
1. When the merge request page opens, select **Create merge request**.
Let's check if the scan execution policy worked. Remember that we specified that secret detection
is to run every time a pipeline runs, for any branch.
1. In the merge request just created, go to the **Pipelines** tab and select the created pipeline.
Here you can see that a secret detection job ran. Let's check if it detected the test secret.
1. Select the secret detection job.
Near the bottom of the job's log, the following output confirms that the example secret was detected.
```plaintext
[INFO] [secrets] [2023-09-04T03:46:36Z] ▶ 3:46AM INF 1 commits scanned.
[INFO] [secrets] [2023-09-04T03:46:36Z] ▶ 3:46AM INF scan completed in 60ms
[INFO] [secrets] [2023-09-04T03:46:36Z] ▶ 3:46AM WRN leaks found: 1
```
You've seen the policy work for one project. Create another project and apply the same policy.
## Create project B
To create project B:
1. On the left sidebar, select **Search or go to** and find your group.
1. Select **New project**.
1. Select **Create blank project**.
1. Complete the fields. For **Project name**, enter `go-example-b`.
1. Select **Create project**.
1. Select **Add (`+`) > New file**.
1. Enter `helloworld.go` in the filename.
1. Copy and paste the following example Go code into the file.
```go
package main

import "fmt"

func main() {
	fmt.Println("Hello world")
}
```
1. Select **Commit changes**.
Now that you have another project, you link it to the same policy project.
## Link project B to the security policy project
To link project B to the security policy project:
1. On the left sidebar, select **Search or go to** and find the `go-example-b` project.
1. Go to **Secure > Policies**.
1. Select **Edit policy project**.
1. Select the dropdown list, then search for the security policy project created at the start of
this tutorial.
1. Select **Save**.
Because project B is now linked to the same policy project, the same policy applies to it: a scan
execution policy runs a secret detection scan on every MR, for any branch. Let's test the
policy by creating an MR in project B.
## Test the scan execution policy with project B
To test the scan execution policy:
1. On the left sidebar, select **Search or go to** and find the `go-example-b` project.
1. Go to **Code > Repository**.
1. Select the `helloworld.go` file.
1. Select **Edit > Edit single file**.
1. Add the following line immediately after the `fmt.Println("Hello world")` line:
```plaintext
var AdobeClient = "4ab4b080d9ce4072a6be2629c399d653"
```
1. In the **Target Branch** field, enter `feature-b`.
1. Select **Commit changes**.
1. When the merge request page opens, select **Create merge request**.
Let's check if the scan execution policy worked. Remember that we specified that secret detection
is to run every time a pipeline runs, for any branch.
1. In the merge request just created, go to the **Pipelines** tab and select the created pipeline.
1. In the merge request just created, select the pipeline's ID.
Here you can see that a secret detection job ran. Let's check if it detected the test secret.
1. Select the secret detection job.
Near the bottom of the job's log, the following output confirms that the example secret was detected.
```plaintext
[INFO] [secrets] [2023-09-04T04:22:28Z] ▶ 4:22AM INF 1 commits scanned.
[INFO] [secrets] [2023-09-04T04:22:28Z] ▶ 4:22AM INF scan completed in 58.2ms
[INFO] [secrets] [2023-09-04T04:22:28Z] ▶ 4:22AM WRN leaks found: 1
```
Congratulations. You've learned how to create a scan execution policy and enforce it on projects.