Page MenuHomePhabricator
Create Task
Maniphest T289290

Design and Build Application Security Pipeline Components for Gitlab
Closed, ResolvedPublic
Actions

Description

The Wikimedia Security-Team would like to design and build certain components for a modern application security pipeline within the Wikimedia instance of Gitlab (https://gitlab.wikimedia.org/). There is a small (though important) amount of security-related tooling which runs within the context of Gerrit (LibUp, phan-taint-check-plugin). We would like to expand upon these tools by crafting a singular repository where various security-related .gitlab-ci.yml templates would live and be included by relevant repositories via Gitlab's modular CI design. These CI included templates would make use of many of Wikimedia's existing Docker images and provide security-related tools (npm audit, etc.) to be run during various Gitlab CI/CD pipelines and potentially via additional automated and manual triggers.

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedsbassettT289290 Design and Build Application Security Pipeline Components for Gitlab
 ResolvedbrennenT289292 Create Security Team group within gitlab.wikimedia.org
 ResolvedsbassettT289293 Create initial proof of concept application security pipeline repository
 InvalidthciprianiT294306 Migrate existing proof-of-concept node ci templates to slim node wm node docker images
 InvalidNoneT294307 Research and design basic ci processing scripts (to exit 1 for tools that report errors and generate report artifacts)
 ResolvedsbassettT294309 Finish node/npm initial tool ci templates for npm audit (Node 10, 12, 14)
 ResolvedsbassettT294310 Finish for node/npm initial tool ci templates for npm outdated (Node 10, 12, 14)
 ResolvedsbassettT294311 Finish node/npm initial tool ci templates for auditjs (Node 10, 12, 14)
 ResolvedmmartoranaT294312 Investigate SAST template options now included with Gitlab CE and formulate use-cases and documentation
 ResolvedsbassettT294596 Add minimal yaml file linting as part of ci for security ci templates repository
 ResolvedsbassettT295333 Create a simple tool to check for bidirectional unicode characters
 ResolvedmmartoranaT295374 Create best practices / guidelines documentation for Gitlab application security ci templates
 ResolvedthciprianiT296805 Confirm with releng which docker images make the most sense to use
 ResolvedsbassettT296806 Find optimal solution for projects with nested package.json files (within the context of Gitlab CI)
 ResolvedsbassettT297991 Create semgrep initial tool ci template
 ResolvedsbassettT301828 Create local-php-security-checker/php-security-checker ci yaml template
 ResolvedmmartoranaT301829 Create composer outdated ci yaml template
 ResolvedsbassettT301830 Create safety (w/ poetry support) ci yaml template
 ResolvedmmartoranaT301831 Create nancy ci yaml template
 ResolvedsbassettT301832 Create phan/phan-taint-check plugin port as ci template
 ResolvedsbassettT301833 Create python bandit ci template
 ResolvedmmartoranaT301834 Create gosec ci yaml template
 ResolvedsbassettT303482 Merge templates that are part of initial release to production branch
 DeclinedNoneT295508 Research best ways to pass certain credentials to external services within application security-related ci templates
 DeclinedsbassettT304737 Evaluate and confirm potential licensing issues for gitlab appsec pipeline tools
Restricted Task
 DeclinedsbassettT305732 Support conda environments with a new gitlab appsec ci template
 ResolvedmmartoranaT307514 Create osv.dev ci includes
 ResolvedsbassettT307517 Write a phame / tech blog post detailing the appsec pipeline, as it currently exists
 ResolvedsbassettT307962 Re-implement semgrep ci includes
 ResolvedsbassettT354723 Gitlab unexpectedly creates multiple pipelines when certain includes/templates are defined within a repo's gitlab-ci.yml

Event Timeline

sbassett created this task.Aug 19 2021, 7:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 19 2021, 7:11 PM
sbassett triaged this task as Medium priority.Aug 19 2021, 7:11 PM
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett updated the task description. (Show Details)
sbassett claimed this task.Aug 19 2021, 7:52 PM
brennen closed subtask T289292: Create Security Team group within gitlab.wikimedia.org as Resolved.Aug 23 2021, 8:37 PM
brennen moved this task from Inbox to CI & Job Runners on the GitLab board.Sep 28 2021, 6:59 PM
brennen edited projects, added GitLab (CI & Job Runners); removed GitLab.
sbassett mentioned this in T287211: Figure out the future of (or replacements for) PipelineLib in a GitLab world.Oct 26 2021, 7:52 PM
sbassett mentioned this in T292094: Limit GitLab shared runners to trusted contributors.Nov 4 2021, 6:13 PM
sbassett added a subtask: Restricted Task.Feb 5 2022, 12:00 AM
sbassett removed a subtask: T303482: Merge templates that are part of initial release to production branch.Mar 25 2022, 8:19 PM
sbassett added a subtask: T295508: Research best ways to pass certain credentials to external services within application security-related ci templates.
sbassett added a subtask: T293138: Create Risk Rating Calculator for Security Reviews / Gitlab AppSec CI.Mar 25 2022, 8:23 PM
sbassett added a subtask: Restricted Task.Mar 30 2022, 7:44 PM
sbassett removed a subtask: Restricted Task.Mar 31 2022, 7:04 PM
sbassett added a subtask: Restricted Task.
sbassett changed the status of subtask T305732: Support conda environments with a new gitlab appsec ci template from Open to In Progress.Apr 8 2022, 5:37 PM
sbassett closed subtask T305732: Support conda environments with a new gitlab appsec ci template as Declined.May 3 2022, 8:05 PM
sbassett changed the status of subtask T304737: Evaluate and confirm potential licensing issues for gitlab appsec pipeline tools from Open to In Progress.
sbassett changed the status of subtask T307514: Create osv.dev ci includes from Open to In Progress.May 3 2022, 9:20 PM
sbassett changed the status of subtask T307517: Write a phame / tech blog post detailing the appsec pipeline, as it currently exists from Open to In Progress.May 9 2022, 4:18 PM
sbassett changed the status of subtask T307962: Re-implement semgrep ci includes from Open to In Progress.May 9 2022, 8:15 PM
mmartorana closed subtask T307514: Create osv.dev ci includes as Resolved.Jun 30 2022, 4:26 PM
sbassett closed subtask T307962: Re-implement semgrep ci includes as Resolved.Jul 11 2022, 8:35 PM
sbassett mentioned this in Blog Post: Application Security Pipeline in Gitlab: A Journey!.Jul 20 2022, 4:55 PM
sbassett closed subtask T307517: Write a phame / tech blog post detailing the appsec pipeline, as it currently exists as Resolved.Sep 19 2022, 6:52 PM
sbassett closed subtask T304737: Evaluate and confirm potential licensing issues for gitlab appsec pipeline tools as Declined.May 9 2023, 4:18 PM
sbassett added a project: GitLab-Application-Security-Pipeline.Jul 13 2023, 7:34 PM
sbassett closed subtask T295508: Research best ways to pass certain credentials to external services within application security-related ci templates as Declined.Jul 13 2023, 7:46 PM
sbassett closed subtask Restricted Task as Declined.
sbassett closed this task as Resolved.Jul 18 2023, 9:23 PM
sbassett mentioned this in T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work.
sbassett removed a subtask: T293138: Create Risk Rating Calculator for Security Reviews / Gitlab AppSec CI.
sbassett removed a subtask: T305083: Better support branches and add support for mw core to the phan-taint-check gitlab appsec template.
sbassett removed a subtask: Restricted Task.
sbassett removed a subtask: T307523: Investigate container scanning options within the context of the Gitlab appsec pipeline.
sbassett removed a subtask: T309997: Implement an outdated modules check for golang .
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett closed subtask T354723: Gitlab unexpectedly creates multiple pipelines when certain includes/templates are defined within a repo's gitlab-ci.yml as Resolved.Jan 22 2024, 9:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL