
How To Achieve Devsecops With Gitlab Ci/Cd: Shift Left With Built-In Security Tools and Best Practices


HOW TO ACHIEVE DEVSECOPS WITH GITLAB CI/CD
Shift left with built-in security tools and best practices

Table of Contents

03 INTRODUCTION
04 WHAT IS DEVSECOPS?
04 CI/CD: THE KEY TO DEVSECOPS
05 DEVSECOPS IN ACTION: TANUKI PETS
   » The Tanuki Pets team
   » Improving the process
10 GETTING STARTED WITH GITLAB CI/CD
   » Configuring continuous integration
   » Deploy test environment
   » Create a Kubernetes cluster
   » Seeing the test results
   » GitLab Runners
20 WHY GITLAB
21 THE BENEFITS OF GITLAB ULTIMATE FOR DEVSECOPS
22 ABOUT THE AUTHOR
22 ABOUT GITLAB

Introduction

DevOps practices have enabled software developers (devs) and operations (ops) teams to
accelerate delivery through automation, collaboration, smarter feedback loops, and iteration.
DevOps goes beyond the Agile and lean practices it came from to make faster software
delivery possible. DevOps represents a cultural shift that focuses on not only speed, but
efficiency as well.

While DevOps has removed many of the barriers to faster delivery, one area of development
has sometimes felt like an outsider looking in: security.

Traditional application security is usually a final step of the development lifecycle. Dedicated
security professionals run tests to identify vulnerabilities, prioritize them by risk, and
then triage for remediation. Looking at security as an afterthought in the development
process doesn’t breed optimal results and causes bigger problems in the long run. With
security acting as a gatekeeper for deployment, it can feel like a roadblock to innovation by
developers and engineers, rather than an equal partner.

With security and compliance being so important, especially with the security threats out
there today, teams are realizing that it’s not enough to just practice DevOps with security
thrown in at the end. Balancing business velocity with security is possible. For teams wanting
to innovate, going beyond traditional DevOps will not only be important, it will be essential.

Start your GitLab free trial


What is DevSecOps?

DevSecOps brings security into the development lifecycle by integrating security processes and actions into the same pipelines developers and operations are already using. This shifts security earlier into the development workflow in a process known as shifting left – but it’s not just about making developers responsible for security. In DevSecOps, teams rely on tools and processes that treat security with the same scale and rapid feedback loops enjoyed by modern software development.

In the past, security tools were highly specialized and not necessarily developer-friendly. Developers wanted command-line tools that could be automated, customized for various configurations, and imported into bug trackers. But traditional security scanners were made for security teams and CISOs, whose goals are governance, security policy compliance, and risk management – not necessarily development velocity.

Over time, security vendors and developer platforms have adapted their products to address the needs of both: Analytics and reports needed by CISOs with integrated workflows needed by developers. CI/CD pipelines can incorporate security testing either natively or as an integration from a third-party vendor. This has allowed security to shift left while also being robust enough to identify vulnerabilities. Teams are more poised than ever to adopt a real DevSecOps culture.

CI/CD: The key to DevSecOps

DevSecOps integrates security controls and best practices into the DevOps workflow through CI/CD pipelines. As more teams try to shift left, automated security testing streamlines adoption and scalability. In GitLab’s 2020 DevSecOps Survey, a respondent summarized the importance of testing and continuous integration:

“Automated testing and continuous integration have made our deployments safer and more optimized. Now everyone in the team has the permission to deploy the code.”

To achieve DevSecOps, a robust CI/CD strategy with built-in security features will be a main component. GitLab’s open DevOps platform with built-in CI/CD brings these requirements into the development lifecycle naturally. Teams that adopt a good CI/CD strategy are not only able to develop better, faster software, they also improve business outcomes, identify bugs, and catch vulnerabilities before they ever reach users.


DevSecOps in action: Tanuki Pets

The benefits of DevSecOps really shine when a diverse team needs to collaborate on an urgent project. Sound familiar? In this example, we created a company that needs to innovate quickly to avoid losing customers to a competitor.

Tanuki Pets is a fictional company that has an online website and mobile app that sells pet supplies, pet food, and other pet products. Tanuki Pets is a Java application hosted in an on-premise data center.


The Tanuki Pets Team

Rachel is the configuration manager. They are responsible for the version control tool and repository, manage manual and automatic deployment of environments, and develop best practices and processes in the area of coding and code management.

Delaney is the development lead. They started developing the company website four years ago. Delaney still maintains the code and last year got promoted to a team lead.

Sasha is a new developer. They just joined Tanuki Pets as a developer and report to Delaney. Sasha joined Tanuki Pets because they like pets, they have a dog and two cats at home, and they thought it would be fun to develop a website for pets. They love open source.

Parker is the product manager. They work closely with Presley, the product designer, to define new functionality that will increase the company business. Parker tries to push for releasing features to production fast – but this usually doesn’t happen.

Simone is the QA engineer. Their responsibility is to ensure that the team releases high quality products that are usable and with a fun user experience. Most tests are manual.

Presley is the product designer. They are creative and come up with great ideas and solutions. Presley’s job is to translate the product’s mission into an effective, empathetic, and efficient user experience.
PetBuy.com, a Tanuki Pets competitor, just released their own mobile application with a cool feature that enables users to upload their pet photos and rate other pet photos to win prizes and discounts. Pets that receive more than 200 votes trigger a 70% off discount that their owners can use for a future online purchase.

“We need to release a new module that enables customers to upload their pets’ photos and react to others’ pet photos. How long is this going to take to release?”

In addition to using this feature to promote their new mobile app, users are enjoying interacting with pets all over the world and interacting with the brand.

Unfortunately, for our friends at Tanuki Pets, sales drop 30% practically overnight. Mark Zhang, Tanuki Pets CEO, feels the team must deliver new social features and special promotions as soon as possible to compete with PetBuy.com.

“It will take me at least a week to design this if I work as fast as I can...”

The goal: Deliver new features and innovations so that Tanuki Pets can better compete against PetBuy.com.

The alternative: Without rapid action to improve and mitigate the decline in sales due to the competition, Tanuki Pets is unlikely to survive long-term.

“I need at least two weeks to write the code, but I’ll also need Rachel to provision a dev environment for me to use, but that could take days to get approved...”

All the Tanuki Pets team members need to collaborate in order to deliver features as quickly as possible. But everyone on the team has different incentives, priorities, and dependencies. Collaboration is doable, but not easy, and the Tanuki Pets CEO asks that all team members give this new project their highest priority.


IMPROVING THE PROCESS

“After Sasha is finished, I need one day to build the code, another two days to set up the dev environment, two days to configure the test environment, and then one day to deploy to production when ready. I’ll sleep when this is over I guess...”

“I need one week to test at minimum and I can’t start my work until Sasha has finished. Definitely not before I have the test environment ready either…”

“We will need to test this extensively for security and performance with an external company, as well as get CEO sign-off final approval. The soonest we can deliver this to production is seven to eight weeks. Maybe nine. Okay, okay...10 weeks.”

As is the case for most businesses, the pace of innovation needs to be greater than or equal to competitors to outpace them and, ultimately, succeed. It’s sometimes forgotten that engineering goals can have a direct impact on business outcomes: The faster that features can be released and enjoyed by users, the sooner businesses can generate revenue from that code. The Tanuki Pets team realizes they must find a way to work faster and deliver quality results, safely. 10 weeks from start to finish is just too long to wait.

The reality is that there rarely is a perfect time to improve processes. The team knows they need to adopt a DevSecOps methodology if they have any hope of releasing their own pet photo feature.

Sasha: “We need to adopt DevSecOps and see if it generates the results we need. The data is there and shows it can dramatically improve the velocity and quality of software produced by our team.”

Sasha: “What about the manual tasks that eat a lot of time, like deploying a test environment and testing the code? If we could just automate these things and have automatic security scans, it could easily save us ten days or more.”

Delaney: “Honestly, I can barely keep up with the processes we have today.”


When making the case for CI/CD, or any new technology, IT leaders need to be convinced that adopting new tools or processes will be worth it in the long run. Shifting to DevSecOps requires an investment in time and resources that can sometimes take years.

In this scenario, Sasha recommends GitLab as a unique solution for the team’s needs.

GitLab is an open DevOps platform, delivered as a single application, including built-in CI/CD. As a single application, it has all components the team needs in one place: single UI, single data storage, and single vendor.

“Don’t worry! It actually makes collaboration easier and streamlines processes instead of adding more complexity to how we work today. Instead of making Simone wait until I complete my code, I can just push small changes to be built and tested automatically each time I commit a change.”


Getting started with GitLab CI/CD

Since GitLab is available via SaaS or self-managed versions, rather than installing it in their on-premise data center, the Tanuki Pets team opts to use GitLab SaaS so they can start using it right away.

The team signs up for the GitLab free trial which gives them access to all GitLab Ultimate features they’ll need for this project, including:
» Agile project management
» Source code management
» Continuous integration and delivery
» Application security testing
» Infrastructure-as-code
» Logging, monitoring, and tracking


“I just created a group for our team and added all of you. Then I created a project in our group and pushed Tanuki-Pets source code to it in less than two minutes. Now all of us can clone the code from the GitLab repository and start developing locally.”

GitLab makes implementing and configuring CI easier out-of-the-box with Auto DevOps. Rather than building a YAML file from scratch, or trying to configure existing scripts, Auto DevOps provides predefined CI/CD configurations that automatically detect, build, test, deploy, and monitor applications. Since it’s enabled by default, all the Tanuki Pets team needs to do is start a pipeline job and Auto DevOps does the rest. Every time there’s a code change, GitLab will trigger a CI/CD pipeline to build and test the code.

“In five minutes, we have a fully functioning DevSecOps environment running our first pipeline. Even better news: Our code and the build passed without any problems!”


(Screenshot: Auto DevOps settings)

Configuring continuous integration

While Auto DevOps makes it easy to get started right away, GitLab CI/CD can be configured for any need. GitLab uses pipeline as code and a `.gitlab-ci.yml` file saved in the root of the repository. GitLab will detect the syntax automatically and run the steps defined once new code is pushed.

Creating a new `.gitlab-ci.yml` file is an easy process.

1. Go to Project overview > Details.

2. Above the file list, select the branch you want to commit to, click the plus icon, then select New file:

3. For the Filename, type `.gitlab-ci.yml` and in the larger window, paste this sample code:

```yaml
build-job:
  stage: build
  script:
    - echo "Hello, $GITLAB_USER_LOGIN!"

test-job1:
  stage: test
  script:
    - echo "This job tests something"

test-job2:
  stage: test
  script:
    - echo "This job tests something, but takes more time than test-job1."
    - echo "After the echo commands complete, it runs the sleep command for 20 seconds"
    - echo "which simulates a test that runs 20 seconds longer than test-job1"
    - sleep 20

deploy-prod:
  stage: deploy
  script:
    - echo "This job deploys something from the $CI_COMMIT_BRANCH branch."
```


GitLab provides quick start security scan templates, so embedding security into a CI/CD pipeline is a snap. Get started quickly with Dependency Scanning, License Scanning, Static Application Security Testing (SAST), and Secrets Detection by adding the following to your `.gitlab-ci.yml`:

```yaml
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
```

This is by no means an exhaustive list. GitLab has even more scans available that can be added at any time, depending on your needs.

Security scanning tools

GitLab uses the following tools to scan and report known vulnerabilities found in your project.

Secure scanning tool: Description
Container Scanning: Scan Docker containers for known vulnerabilities.
Dependency List: View your project’s dependencies and their known vulnerabilities.
Dependency Scanning: Analyze your dependencies for known vulnerabilities.
Dynamic Application Security Testing (DAST): Analyze running web applications for known vulnerabilities.
API fuzzing: Find unknown bugs and vulnerabilities in web APIs with fuzzing.
Secret Detection: Analyze Git history for leaked secrets.
Security Dashboard: View vulnerabilities in all your projects and groups.
Static Application Security Testing (SAST): Analyze source code for known vulnerabilities.
Coverage fuzzing: Find unknown bugs and vulnerabilities with coverage-guided fuzzing.


GitLab also provides support for end-to-end testing with Selenium and WebdriverIO. While unit tests are used the majority of the time, end-to-end testing, also called broad-stack or full-stack testing, is extremely valuable for large applications so that you can know that the deployment went as intended, that your infrastructure is up and running, and that all of your code works well together.

“Whoa, GitLab also has built-in security scans that we can add to our pipelines? You mean I don’t have to wait for a third-party company to send me their security reports three weeks after I finish my work?”

“Wait, you mean I can start designing this photo feature and won’t have to worry about security delays? The code will just be….ready?”


DEPLOY TEST ENVIRONMENT

“I usually spend at least two days configuring and deploying test environments. With GitLab CI/CD, can I automate this process?”

The easiest way to make this happen will be to build a Docker image from the code and deploy it using Kubernetes. GitLab has a robust Kubernetes integration and provides cloud-agnostic support for cloud native development so that you can deploy anything you want, anywhere, anytime.

You can use a predefined template for building the Docker image and a CI job template to orchestrate the deployment.

To create a Docker image and push it to the GitLab container registry, include this template in your CI config file: `Jobs/Build.gitlab-ci.yml`

To add a deploy job: add a deploy stage, and paste this job template.

```yaml
deploy-test:
  image: "registry.gitlab.com/gitlab-org/cluster-integration/auto-deploy-image:v1.0.7"
  stage: deploy
  script:
    - auto-deploy check_kube_domain
    - auto-deploy download_chart
    - auto-deploy ensure_namespace
    - auto-deploy initialize_tiller
    - auto-deploy create_secret
    - auto-deploy deploy
    - auto-deploy persist_environment_url
  environment:
    name: deploy/$CI_COMMIT_REF_NAME
    url: http://$CI_PROJECT_ID-$CI_ENVIRONMENT_SLUG.$KUBE_INGRESS_BASE_DOMAIN
  artifacts:
    paths: [environment_url.txt, tiller.log]
    when: always
  rules:
    - if: '$CI_KUBERNETES_ACTIVE == null || $CI_KUBERNETES_ACTIVE == ""'
      when: never
    - if: '$CI_COMMIT_BRANCH == "master"'
      when: never
    - if: '$REVIEW_DISABLED'
      when: never
    - if: '$CI_COMMIT_TAG || $CI_COMMIT_BRANCH'
```
CREATE A KUBERNETES CLUSTER

GitLab provides a wizard to create clusters and install on them all necessary applications. To start the wizard, go to the overview page of your project and click on ‘Add Kubernetes cluster,’ then follow the instructions.

Once the cluster is created and connected to your project, you can deploy your app to it.

“For each commit we push to the server, GitLab will create a Docker image, publish to the container registry, and deploy it in Kubernetes!”


SEEING THE TEST RESULTS

“This is awesome, but where do developers see reports and results?”

In GitLab, the test results are available from the merge (pull) request (MR). MRs include build and test results, other valuable insights such as code changes, commits and pipeline status, as well as a link to a live instance of the app to easily preview developers’ changes. Review Apps provide a live staging environment for each MR to preview changes – no more waiting on approvals or for others to provision environments for you.

The merge request is also a collaboration tool that allows team members to review each other’s code and provide feedback on potential changes. Everyone has visibility into the changes and a wide variety of test results and reports are available in the merge requests. You can define approval rules to prevent merging any changes if a security report contains vulnerabilities or if a compliance report contains a denied license.
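The scan templates above emit report artifacts, and the approval rules described here gate the merge request on what those reports contain. As an added example (not code from this eBook or from GitLab's own tooling), the following Python script applies the same policy locally: it reads a report in the shape of GitLab's security report JSON (a top-level `vulnerabilities` list whose entries carry `id`, `name`, `severity` and `location`), de-duplicates findings, treats unrated findings as blocking, and fails when anything meets a severity threshold. The sample report, its file names and finding names are constructed for illustration.

```python
"""Local gate on a GitLab-style security report (added example, not GitLab's code)."""
import json
from collections import Counter

# Severity labels used in GitLab security report JSON, lowest to highest.
SEVERITY_ORDER = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]

# Constructed sample in the shape of a gl-sast-report.json artifact; not a real scan.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "scan": {"type": "sast", "status": "success"},
    "vulnerabilities": [
        {"id": "v-1", "name": "SQL injection", "severity": "Critical",
         "location": {"file": "src/main/java/PetPhotoDao.java", "start_line": 42}},
        {"id": "v-2", "name": "Hard-coded credential", "severity": "High",
         "location": {"file": "src/main/java/Config.java", "start_line": 7}},
        {"id": "v-2", "name": "Hard-coded credential", "severity": "High",  # duplicate id
         "location": {"file": "src/main/java/Config.java", "start_line": 7}},
        {"id": "v-3", "name": "Weak hash", "severity": "Low",
         "location": {"file": "src/main/java/Util.java", "start_line": 19}},
        {"id": "v-4", "name": "Unrated finding",  # no severity key at all
         "location": {"file": "src/main/java/Legacy.java", "start_line": 3}},
    ],
})


def load_findings(report_text):
    """Parse report JSON, drop duplicate ids, normalise odd/missing severity to Unknown."""
    data = json.loads(report_text)
    seen, findings = set(), []
    for v in data.get("vulnerabilities", []):
        # Fall back to name+location when a scanner omits the id field.
        key = v.get("id") or (v.get("name"), json.dumps(v.get("location"), sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        sev = v.get("severity", "Unknown")
        if sev not in SEVERITY_ORDER:
            sev = "Unknown"
        loc = v.get("location", {})
        findings.append({"id": v.get("id"), "name": v.get("name", "?"), "severity": sev,
                         "file": loc.get("file"), "line": loc.get("start_line")})
    return findings


def severity_counts(findings):
    """Number of findings per severity label, for the pipeline summary."""
    return dict(Counter(f["severity"] for f in findings))


def blocking_findings(findings, threshold="High", block_unknown=True):
    """Findings at or above the threshold. Unknown severity blocks by default so an
    unrated finding cannot slip past the gate unnoticed."""
    floor = SEVERITY_ORDER.index(threshold)
    return [f for f in findings
            if SEVERITY_ORDER.index(f["severity"]) >= floor
            or (block_unknown and f["severity"] == "Unknown")]


def gate(report_text, threshold="High", block_unknown=True):
    """Return the gate verdict, per-severity counts and a human-readable blocker list."""
    findings = load_findings(report_text)
    blockers = blocking_findings(findings, threshold, block_unknown)
    return {"passed": not blockers,
            "counts": severity_counts(findings),
            "blockers": [f"{f['severity']}: {f['name']} ({f['file']}:{f['line']})"
                         for f in blockers]}


if __name__ == "__main__":
    result = gate(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit fails the CI job
```

Run it in a job that declares the scan job's report as a dependency; in a merge request the built-in approval rules enforce the same policy without a custom script.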

(Screenshot: a merge request showing code review and collaboration, the review app link, and test results)


GITLAB RUNNERS

“We’ve created the pipeline configuration, added tests to it, but how do we actually run the pipeline? Do we need to maintain dedicated build machines?”

For teams using GitLab’s SaaS version, GitLab offers Linux and Windows shared runners hosted on GitLab.com for executing your pipelines. This is the version that Tanuki Pets is currently using.

But what if Tanuki Pets wants to move GitLab to their on-premise data center and use their own infrastructure in the future? GitLab Runner is open source and written in Go. Once the Runner software is installed, it will download a Docker image with all the dev tools in it and run the job inside the image, so minimal to no extra maintenance of the runners is required. Each job will run on a clean image for increased security and stability.

GitLab Runner can also be enabled for autoscaling so that instances can spin up or down as needed. Learn how the team at Substrakt Health was able to save 90% on their EC2 costs by autoscaling runners. Read their story

According to a Gartner report, it’s important for security to be included in the DevSecOps lifecycle in small, actionable steps so that developers can react quickly. This allows the pace of security fixes to match the pace of development. The best way to bring security scanning into the development process is by using a tool like GitLab that allows developers to stay in the same platform or interface they’re already using to commit, scan, and ship code to production. This makes the security process automatic every time there is a code update.

The team at Tanuki Pets needed a way to deliver new features to the market faster to stay competitive. They couldn’t compromise on quality, security, or compliance, so they chose to use GitLab. Every member of the Tanuki Pets team could use GitLab’s single interface to collaborate and innovate faster.


Why GitLab

GitLab is an open DevOps platform that unifies development, operations, and security teams into a single application. With GitLab, DevSecOps architecture is built into the CI/CD process. Every merge request is scanned through its pipeline for security issues and vulnerabilities in the code and its dependencies using automated tests.

GitLab helps teams accelerate software delivery from weeks to minutes while reducing
development costs and security risks.

BI Worldwide increases deployments to 10 times per day

“One tool for SCM+CI/CD was a big initial win. Now wrapping security scans into
that tool as well has already increased our visibility into security vulnerabilities.
The integrated Docker registry has also been very helpful for us. Issue/Product
management features let everyone operate in the same space regardless of role.”

– Adam Dehnel, Product Architect, BI WORLDWIDE

Read their story



The benefits of GitLab Ultimate for DevSecOps

Dev and Ops teams working together
» Everyone working in the same system
» Smart feedback loops
» No messy integrations or plugins

Get value to customers faster
» Issues addressed earlier
» Fast cycle times
» Quality control

Reduce security and compliance risk
» Every change is fully tested and secure
» Audit logs for every action
» Single sign-on and datastore

GitLab Ultimate provides Enterprise-grade priority support and embeds key security controls directly into CI/CD pipelines, all from a single application. Dev, sec, and ops collaborate in a single interface for maximum visibility across the entire development lifecycle.

In this eBook, we hope you’ve learned about some of the core capabilities that help millions of users around the world to develop better applications faster:
» Get started with GitLab: registration, creating a group and a project
» Enable Auto DevOps: GitLab automatically configures the CI/CD for you, based on years of experience and best practices from thousands of customers
» Manual configuration of CI/CD with YAML
» Add security scans and test automation
» Deploy a test environment on Kubernetes
» Review test results
» GitLab runners: the agents that run the jobs

Ready to see what DevSecOps can do for your team? Try GitLab free for 30 days

About GitLab

GitLab is a DevOps platform built from the ground up as a single application for all stages of the DevOps lifecycle enabling product, development, QA, security, and operations teams to work concurrently on the same project. GitLab provides a single data store, one user interface, and one permission model across the DevOps lifecycle. This allows teams to significantly reduce cycle times through more efficient collaboration and enhanced focus.

Built on open source, GitLab works alongside its growing community, which is composed of thousands of developers and millions of users, to continuously deliver new DevOps innovations. More than 100,000 organizations from startups to global enterprises, including Ticketmaster, Jaguar Land Rover, NASDAQ, Dish Network, and Comcast trust GitLab to deliver great software faster. All-remote since 2014, GitLab has more than 1,300 team members in 68 countries.

About the Author

Itzik Gan-Baruch is a veteran of creating creative technical content which bridges gaps between business and technology, and helps non-technical users understand the value of technology. He creates software demo systems, demo tools, YouTube videos, analysts demos, plans content for demo booths at tech shows, and speaks at industry events. He is a senior technical marketing manager at GitLab with over 21 years of experience in the IT industry focusing on application delivery, agile and software testing, and is a father of three.
