Questions
Part 3
- Q3.1: Set up your CI/CD pipeline with an additional SAST solution. I propose that you use semgrep for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/
- Q3.2: Describe the problems (alerts) found in the calculator app (in the original code, git tag v3.0)
- Q3.3: Install DAST OWASP ZAP on your host or in a Docker container. Play with OWASP ZAP, analyze the calculator code
- Q3.4: Implement a DAST solution in your pipeline. Get some inspiration here: https://docs.gitlab.com/ee/user/application_security/dast/ . Describe what you have integrated in your pipeline. Note: you must ensure that your application is running while you are testing!
- Q3.5 (optional): Normally, the provided code has some bugs, which are discovered by the SAST solution. Describe the found bugs (in the original code, git tag v3.0) and provide a solution to remediate the problems. Indicate which commit/tag contains the corrected code
- Q3.6 (optional): Describe the bugs found with DAST (in the original code, git tag v3.0) and provide a solution to remediate the problems. Indicate which commit/tag contains the corrected code. Do corrections only in the provided code (no libraries)
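The following `.gitlab-ci.yml` is an added example covering Q3.1 (an explicit semgrep SAST job next to GitLab's SAST template) and Q3.4 (GitLab's ZAP-based DAST template scanning the running app); it is not the project's own pipeline. It assumes, which the page does not state, that the calculator is a web application already built into the image `$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA` and that it listens on port 5000; the service alias `calculator` is also an assumption.

```yaml
# .gitlab-ci.yml -- added example, not the project's pipeline.
# Assumptions (not from the page): the calculator is a web app packaged as the
# image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA and listens on port 5000.
stages:
  - test
  - dast

include:
  # GitLab's built-in SAST template (picks analyzers per language) and its
  # DAST template, which wraps OWASP ZAP.
  - template: Security/SAST.gitlab-ci.yml
  - template: DAST.gitlab-ci.yml

variables:
  # DAST needs a live target: the service container started in the dast job below.
  DAST_WEBSITE: "http://calculator:5000"
  # Active scan instead of the default passive baseline scan.
  DAST_FULL_SCAN_ENABLED: "true"

# Q3.1: explicit semgrep job. "semgrep ci" uses the rule set in SEMGREP_RULES
# and writes a GitLab-format report so findings show up in the security widget.
semgrep-sast:
  stage: test
  image: semgrep/semgrep
  variables:
    SEMGREP_RULES: "p/default"
  script:
    - semgrep ci --gitlab-sast > gl-sast-report.json
  artifacts:
    # Upload the report even when semgrep exits non-zero because of findings.
    when: always
    reports:
      sast: gl-sast-report.json

# Q3.4: extend the template's dast job so the application runs while ZAP
# scans it (the "application must be running" note in the question).
dast:
  stage: dast
  services:
    - name: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      alias: calculator
```

The semgrep job fails the pipeline when blocking findings exist, which is the intended gate; the `when: always` on the artifact keeps the report visible in that case. For the DAST job, the app is started as a CI service rather than via a review app, so no extra infrastructure is needed, but the scan only exercises what is reachable at `DAST_WEBSITE`.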
Answers - Part 3
Q3.2
For some reason, semgrep works locally but not on GitLab. Here is the report when run locally.