
Setting up web application scanning with GitLab

This article describes the setup in the GitLab CI system. Configuration in other systems is performed in a similar way.

Adding environment variables

In GitLab, select “Settings” → “CI/CD” → “Variables” → “Add variable”.

Two variables need to be added:

The address of the scanner

  • In the “Key” field, enter GUJIAN_BASE_URL.
  • In the “Value” field, enter the scanner URL, for example: https://cloud.gujian.cloud.
  • Click the “Add Variable” button.

Secret access token

  • Go to the dashboard.
  • Open the drop-down menu next to the profile icon.
  • Select “Access Tokens”.
  • Click “Create token”.
  • Enter GitLab CI in the “Name” field and choose the expiration date if necessary.
  • Copy the value of the resulting token.
  • Go back to GitLab.
  • In the “Key” field of the new variable, enter GUJIAN_TOKEN.
  • In the “Value” field, paste the value of the resulting token.
  • Click the “Mask variable” checkbox.
  • Click the “Add Variable” button.

Setting up a CI/CD configuration

In GitLab CI click the “CI/CD configuration” button.

In the editor that opens, click the “Configure Pipeline” button.

Creating a job for scanning

You need to use a Docker image called gujian/cli. This image must be pre-installed in GitLab Runner. Copy and paste the following code into the editor to run the job:

gujian:
  image:
    name: gujian/cli
    entrypoint: [""]
  tags: [docker]
  script:
    - gujian-cli scan-ci new --url http://xxe-shop.stands.fuchsia

The address to scan can be given in the script section in several ways. The example above uses a static address. To use a dynamic address instead, write:

- gujian-cli scan-ci new --url $URL

Here the script gets the address from the $URL variable.

An alternative way to set the address for scanning is to create a target in the dashboard. When a target is created, it is assigned a unique TargetID. In this case, use:

- gujian-cli scan-ci new --targetID 123

The job is ready. To start it, write a commit message and click the “Commit changes” button.

View a job in progress

There are two ways to view the job execution in real time, with progress tracking and its final result:

  • GitLab interface
  • Dashboard

As a result of the scanning, if issues have been identified, the job returns a non-zero code.
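The following .gitlab-ci.yml is an added example, not part of the original page, showing how the job above can be wired into a merge-request pipeline with a dynamic address. It assumes a hypothetical deploy_review job that publishes the deployed application's URL through a dotenv artifact, and that gujian-cli reads GUJIAN_BASE_URL and GUJIAN_TOKEN from the CI variables added earlier.

```yaml
# Added example, not from the original page. Assumptions: the hypothetical
# deploy_review job below publishes the URL of the deployed application via
# a dotenv artifact, and gujian-cli picks up GUJIAN_BASE_URL and
# GUJIAN_TOKEN from the CI/CD variables configured in the project settings.
stages:
  - deploy
  - scan

deploy_review:
  stage: deploy
  image: alpine:3.19
  script:
    # Hypothetical deployment step; replace with your own. It writes the
    # address of the freshly deployed application to a dotenv file so that
    # later jobs receive it as the $URL variable.
    - echo "URL=https://review-$CI_COMMIT_REF_SLUG.example.com" > deploy.env
  artifacts:
    reports:
      dotenv: deploy.env
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

gujian:
  stage: scan
  image:
    name: gujian/cli
    entrypoint: [""]
  tags: [docker]
  # needs makes the dotenv variables of deploy_review available here
  needs: [deploy_review]
  script:
    - gujian-cli scan-ci new --url "$URL"
  # The scan job exits non-zero when issues are found, so the pipeline fails
  # and the merge request is marked red. Keep allow_failure false if the
  # scan result should block merging.
  allow_failure: false
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```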