Use an On-Premises Code Scanner to Scan GitLab Server IaCs

You can connect your GitLab repositories to an on-premises code scanner and scan your code for violations. Perform the following tasks to connect your GitLab repositories to an on-premises scanner:

  1. Create an OAuth Application in GitLab Server.

  2. Authorize the on-premise code scanner to access the GitLab Enterprise Server.

  3. Connect an IaC from GitLab Server to Tenable Cloud Security project.

  1. Sign in to the GitLab Server console with admin level account credentials.

  2. To create an Application on the GitLab Server, go to Preferences > Applications.

  3. On the Add new application page, create an application with the following configuration:

    1. Specify a name for the application.

    2. Select Confidential to use the application where the client secret can remain confidential.

    3. In the Scopes section, select:

      • api – to grant read/write access to the API.

      • read_repository – to grant read-only access to repositories on private projects.

    4. Open the application that you created.

    5. Note down the Application ID, Secret, and the Authorization callback URL: http(s)://<on-premise_code_scanner_host_fqdn>.com:9020/v1/auth/oauth/gitlab/callback

      Where:

      • on-premise_code_scanner_host_fqdn is the fully qualified domain name of the on-premise code scanner.

  1. Launch the URL displayed in the output of the on-premise code scanner deployment. For more information, see Deploy an On-Premises Code Scanner.

    The On Premise Scanner Management Console page appears. In the On Premise Scanner Management Console page, you can authorize the on-premise code scanner with different Source Code Management (SCM) providers.

  2. In the Configure servers section, provide the following:

    • In the Repository Server Address box, type the repository server address.

    • In the On-premise code scanner address (use port:9020) box, type the code scanner address.

  3. Click Continue.

    The Configure cloud (Optional) section appears.

  4. (Optional) In the Select cloud provider drop-down box, select one of the following options:

      1. In the AWS Access Key box, type the AWS access key.

      2. In the AWS Secret Key box, type the AWS secret key.

      • Click Upload to upload your service account credentials file.

      1. In the Azure Client ID box, type the Azure client ID.

      2. In the Azure Tenant ID box, type the Azure tenant ID.

      3. In the Azure Subscription ID box, type the Azure subscription ID.

      4. In the Azure Client Secret box, type the Azure client secret.

    Note: The on-premise code scanner requires your cloud account details when you enable Plan based setup to scan your repositories. For more information, see Connect Repositories.
  5. Click Continue.

    The Setup authentication section appears.

  6. In the Select repository server drop-down box, select GitLab.
    Tenable Cloud Security displays an information form for GitLab.

  7. Provide the following:

    1. In the Client ID box, type the client ID.

    2. In the Client Secret box, type the client secret.

      Note: For information about how to obtain Client ID and Client Secret, see To create an OAuth Application in GitLab Server:

    3. Click Submit.

  8. (Optional) In the Other Settings section, click the Allow on-premise code scanner to send logs to Tenable Cloud Security toggle.

Tenable Cloud Security redirects you to the GitLab Enterprise server to authorize the permissions on the OAuth Application. A message confirms successful authorization and GitLab redirects you to the On-premise code scanner page.

  1. Access Tenable Cloud Security.

  2. In the left navigation bar, click the icon.

  3. Click Connection > Repository.
    The Connect to repository page appears.

  4. In the Choose a workflow to discover repo(s) section, select Version control.
  5. Click Continue.

    The Connect to a version control provider section appears.

  6. In the Connect to a version control provider section, select GitLab and On-Premise Code Scanner.

  7. Click Continue.

    The Choose onboarding repositories section appears.

  8. Select the required repository.

  9. Hover over the selected repository and click to configure the advanced settings.

    For more information, see Repository Configuration Parameters.

  10. Click Continue.

    The Choose projects to add the repository to section appears.

  11. Select the project that you want to connect to the repository.

  12. Click Connect.

    A message confirms that Tenable Cloud Security connected the GitLab IaC repository to the selected project.