Bring DevSecOps to the cloud with Bridgecrew for GitLab

As one of the biggest proponents of DevSecOps, GitLab is a shining example of how to build security into developers’ day-to-day workflows. GitLab both empowers developers to include built-in code scanning into commits and integrates with a variety of third-party DevOps and security tools.

At Bridgecrew, we’re proud to integrate throughout the GitLab ecosystem to extend its native capabilities and bridge the divide between DevOps and cloud security.

By leveraging Bridgecrew’s GitLab.com and GitLab self-managed integrations as well as our GitLab Runner integration, you can seamlessly embed infrastructure as code (IaC) scanning into your merge requests and automated build pipelines.

“Strengthening the cloud DevSecOps journey is key to helping teams address cloud risk more efficiently and proactively. Bringing cloud security into the hands of GitLab customers through Bridgecrew’s infrastructure as code scanning is a huge win.”

— Pete Goldberg, Director of Partnerships at GitLab

With support for Terraform, CloudFormation, Azure Resource Manager (ARM), and others, Bridgecrew brings robust IaC security and compliance coverage to any GitLab workflow.

Automated IaC scanning with Bridgecrew for GitLab

Continuous IaC scanning is essential to catching errors at each step of the development lifecycle. Bridgecrew supports two major paths for integrating continuous IaC scanning into your GitLab workflow—on merge requests and via GitLab Runner.

Merge request integration

Head to the Bridgecrew Integrations tab, authenticate your GitLab account, and select all the repositories you’d like to scan with Bridgecrew.

Note: Integrating with GitLab self-managed instances with either IP-based network access or with built-in firewalls requires some additional configuration.

With Bridgecrew connected to your GitLab repositories, you will be able to run scans on new merge requests so that feedback can be addressed on new branches before they’re deployed. If misconfigurations are identified, they will be reported as merge request comments.

As you can see in the image above, the introduced change violates an AWS S3 security policy that checks for data encryption at rest. In addition to providing you with high-level details such as the policy violated, its category and severity, and the resources impacted, comments also link to in-depth guidelines in the Bridgecrew platform.

GitLab Runner integration

To get Bridgecrew scanning as part of your automated CI/CD pipeline, Bridgecrew integrates with GitLab Runner, which is used in conjunction with GitLab CI/CD to coordinate jobs.

You’ll first need to retrieve your Bridgecrew API Token from the Integrations tab and save it as a GitLab environment variable named BC_API_KEY. Next, add a new job to the .gitlab-ci.yml file in your repository as part of whichever stage is appropriate for you, such as:

stages:
- validate

bridgecrew:
    image:
        name: bridgecrew/bridgecrew:latest
        entrypoint:
            - '/usr/bin/env'
            - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
    stage: validate
    variables:
        BC_SOURCE: "gitlab_pipeline"
    script:
        - bridgecrew -d . --bc-api-key $BC_API_KEY --repo-id $CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME --branch $CI_COMMIT_REF_NAME -s
        - bridgecrew -d . -o junitxml > bridgecrew.xml
    artifacts:
        paths:
            - bridgecrew.xml
        reports:
            junit: bridgecrew.xml

In the example above, Bridgecrew will be triggered by the GitLab Runner in the validate stage and will send the results back to GitLab for review. Optionally, you can also set up your job to fail the build whenever policy violations are identified.
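As an added example, not code from the blog post or from Bridgecrew: a small Python gate that reads the bridgecrew.xml JUnit report produced by the job above and returns a non-zero exit status when any check failed, which is one way to make the build fail on policy violations. The embedded report, check ID and resource names are constructed placeholders, and the "CHECK_ID/description" layout of the testsuite name is an assumption about the report format.

```python
"""Fail a GitLab job when the Bridgecrew JUnit report contains failed checks."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a JUnit report: one failing and one passing S3 check.
# The check ID, resource names and file names are placeholders, not real output.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="CKV_EXAMPLE_S3_ENCRYPTION/Ensure S3 bucket data is encrypted at rest" tests="2" failures="1">
    <testcase name="aws_s3_bucket.logs" classname="main.tf" file="main.tf">
      <failure type="failure" message="aws_s3_bucket.logs failed CKV_EXAMPLE_S3_ENCRYPTION">
        Ensure S3 bucket data is encrypted at rest
      </failure>
    </testcase>
    <testcase name="aws_s3_bucket.assets" classname="main.tf" file="main.tf"/>
  </testsuite>
</testsuites>
"""


def failed_checks(report_xml: str) -> list:
    """Return one record per failing test case in a JUnit report."""
    root = ET.fromstring(report_xml)
    failures = []
    for suite in root.iter("testsuite"):
        # Assumed layout: the suite name carries "CHECK_ID/description".
        check_id, _, description = suite.get("name", "").partition("/")
        for case in suite.findall("testcase"):
            failure = case.find("failure")
            if failure is None:
                continue  # passing check, nothing to report
            failures.append({
                "check_id": check_id,
                "description": description.strip(),
                "resource": case.get("name"),
                "file": case.get("file") or case.get("classname"),
                "message": failure.get("message", ""),
            })
    return failures


def gate(report_xml: str) -> int:
    """Print each violation and return the exit code the CI job should use."""
    failures = failed_checks(report_xml)
    for f in failures:
        print(f"FAIL {f['check_id']} {f['resource']} ({f['file']}): {f['description']}")
    print(f"{len(failures)} policy violation(s)")
    return 1 if failures else 0


if __name__ == "__main__":
    # Usage in the job: python gate.py bridgecrew.xml ; no argument runs the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    sys.exit(gate(xml_text))
```

Add it as a further `script:` line after the junitxml step, so the job exits non-zero whenever the report lists a failure while the artifact is still uploaded.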

At whichever stage you integrate it, Bridgecrew is built to take a proactive and automated approach to enforcing security and compliance policies.

Security-as-code fixes with GitLab merge requests

Bridgecrew takes DevSecOps a step further by providing not only insight into identified errors, but security-as-code fixes as well.

When you select Fix on any error’s associated resource or multiple resources, Bridgecrew will automatically create a merge request with the corrected configuration.

By shifting infrastructure policy enforcement earlier in the DevOps lifecycle, you not only prevent risky deployments, but save your development teams time chasing down errors in production. When used in tandem with monitoring of cloud resources in runtime, cloud DevSecOps with Bridgecrew empowers teams to remediate existing issues at the source and prevent new issues from being introduced.

Stay tuned for our upcoming webinar on leveraging DevSecOps in the cloud with GitLab and AWS.