Merge branch 'feat/18-Q4.1'

Gitleaks check

See merge request Klagarge/mse2425-grp09!15
This commit is contained in:
2025-04-15 20:20:45 +00:00
3 changed files with 37 additions and 7 deletions

View File

@@ -6,11 +6,9 @@ default:
image: $DOCKER_IMAGE_TEST
stages:
- build-docker-test
- build-docker-app
- build-docker
- lint
- test
- dast
.setup_env: &setup_env
before_script:
@@ -59,7 +57,7 @@ pages:
# This job runs only when Dockerfile changes
docker-build-test:
image: docker:latest
stage: build-docker-test
stage: build-docker
services:
- docker:dind
script:
@@ -76,7 +74,7 @@ docker-build-test:
docker-build-app:
image: docker:latest
stage: build-docker-app
stage: build-docker
services:
- docker:dind
script:
@@ -88,7 +86,7 @@ include:
- template: Jobs/SAST.gitlab-ci.yml
dast:
stage: dast
stage: test
image: ghcr.io/zaproxy/zaproxy:stable
services:
- name: $DOCKER_IMAGE_APP
@@ -96,4 +94,12 @@ dast:
script:
- echo "Waiting for the app to start on http://app:5000"
- timeout 60 bash -c 'until curl -s http://app:5000; do echo "Waiting..."; sleep 3; done'
- zap-full-scan.py -t http://app:5000 -I
- zap-full-scan.py -t http://app:5000 -I
gitleaks:
stage: test
image:
name: zricethezav/gitleaks:latest
entrypoint: [""]
script:
- gitleaks dir -v --redact=75 .

View File

@@ -12,6 +12,11 @@ repos:
- id: pip-audit
args: ["./src"]
- repo: https://github.com/gitleaks/gitleaks
rev: v8.24.2
hooks:
- id: gitleaks
ci:
# Leave pip-audit to only run locally and not in CI
# pre-commit.ci does not allow network calls

View File

@@ -5,3 +5,22 @@
- **Q4.1**: Often secrets are committed in a repository. Different research tools exist and help to detect this kind of dangerous forgotten credentials. Integrate a check in your pipeline for these kinds of problems. Have a look at <https://github.com/zricethezav/gitleaks>. What kind of leaked secrets can you find in the git repo? Did the tool not find something that it should have found? Why? What possibilities exist to prevent this kind of leakage?
- **Q4.2**: Try to find any possible problems in our used libraries (e.g. flask). The `pyproject.toml` describes all the additional libraries used by the application. You can use a dependency scanning (have a look here: <https://docs.gitlab.com/ee/user/application_security/dependency_scanning/>) to see if all imported libraries are safe. Do you find any problems? Integrate the scanning in your pipeline.
- **Q4.3 (optional)**: API Fuzzing (and other kinds of DAST) is described at this page: <https://docs.gitlab.com/ee/user/application_security/api_fuzzing/>. Choose one of the different description possibilities for your *calculator* API. Integrate it in your pipeline.
# Answers - Part 4
## Q4.1
GitLeaks can find strings like API keys, passwords, and other sensitive information that might be accidentally committed to a repository. This tool can only recognize them if they look like sensitive information.
The scan of the git repository didn't detect the previous flask key because it was not in the format that GitLeaks recognizes.
Usually, the best practice is to use environment variables to store sensitive information. This way, the information is not exposed in the code.
## Q4.2
The Dependency scanning tool from GitLab linked by the teacher in the exercise cannot be used as it is limited to Gitlab Ultimate. I am looking into using an open-source solution
After using three different scanning tools, no known vulnerabilities were found.
Tools used :
- pyscan
- safety
- pip-audit