# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/
# Configure the scanning tool through the environment variables.
# List of the variables: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#available-variables
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
# Pipeline stages; every job in this template attaches to `fuzz`.
stages:
  - build
  - test
  - deploy
  - fuzz
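variables:
  # Registry prefix from which FUZZAPI_IMAGE (below) is composed.
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  FUZZAPI_PROFILE: Quick
  FUZZAPI_VERSION: "1.6"
  FUZZAPI_CONFIG: .gitlab-api-fuzzing.yml
  # Quoted so the value is a plain string like FUZZAPI_SERVICE_START_TIMEOUT
  # below, instead of relying on the loader's integer coercion.
  FUZZAPI_TIMEOUT: "30"
  FUZZAPI_REPORT: gl-api-fuzzing-report.json
  FUZZAPI_REPORT_ASSET_PATH: assets
  #
  # Name of the bridge network the docker-in-docker job creates for the
  # scanner, target and worker containers.
  FUZZAPI_D_NETWORK: testing-net
  #
  # Wait up to 5 minutes for API Fuzzer and target url to become
  # available (non 500 response to HTTP(s))
  FUZZAPI_SERVICE_START_TIMEOUT: "300"
  #
  # Analyzer image reference; both components are defined above.
  FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}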
#
apifuzzer_fuzz_unlicensed:
  stage: fuzz
  allow_failure: true
  # Runs only when the instance feature list lacks api_fuzzing and the scan
  # has not been switched off explicitly; every other case never runs.
  rules:
    - if: '$GITLAB_FEATURES !~ /\bapi_fuzzing\b/ && $API_FUZZING_DISABLED == null'
    - when: never
  # Print the reason and exit non-zero; allow_failure keeps the pipeline going.
  script:
    - |
      echo "Error: Your GitLab project is not licensed for API Fuzzing."
    - exit 1
apifuzzer_fuzz:
  stage: fuzz
  image:
    name: $FUZZAPI_IMAGE
    # Script lines are run through a login shell.
    entrypoint: ["/bin/bash", "-l", "-c"]
  variables:
    FUZZAPI_PROJECT: $CI_PROJECT_PATH
    # The scanner process started in this job's script is reached locally.
    FUZZAPI_API: http://localhost:5000
    FUZZAPI_NEW_REPORT: 1
    FUZZAPI_LOG_SCANNER: gl-apifuzzing-api-scanner.log
    TZ: America/Los_Angeles
  allow_failure: true
  # Skipped when the docker-in-docker variant applies (a target or worker
  # image is set), when fuzzing is disabled, or when the feature is absent
  # from GITLAB_FEATURES.
  rules:
    - if: $FUZZAPI_D_TARGET_IMAGE
      when: never
    - if: $FUZZAPI_D_WORKER_IMAGE
      when: never
    - if: $API_FUZZING_DISABLED
      when: never
    - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH && $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
      when: never
    - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
  script:
    #
    # Validate options: at least one API definition source must be set.
    - |
      if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI$FUZZAPI_POSTMAN_COLLECTION" == "" ]; then \
        echo "Error: One of FUZZAPI_HAR, FUZZAPI_OPENAPI, or FUZZAPI_POSTMAN_COLLECTION must be provided."; \
        echo "See https://docs.gitlab.com/ee/user/application_security/api_fuzzing/ for information on how to configure API Fuzzing."; \
        exit 1; \
      fi
    #
    # Run user provided pre-script (an unset variable makes this a no-op).
    - sh -c "$FUZZAPI_PRE_SCRIPT"
    #
    # Make sure asset path exists
    - mkdir -p $FUZZAPI_REPORT_ASSET_PATH
    #
    # Start API Security background process; its output goes to the scanner
    # log that is published as an artifact below.
    - dotnet /peach/Peach.Web.dll &> $FUZZAPI_LOG_SCANNER &
    - APISEC_PID=$!
    #
    # Start scanning
    - worker-entry
    #
    # Run user provided post-script
    - sh -c "$FUZZAPI_POST_SCRIPT"
    #
    # Shutdown API Security. NOTE(review): `wait` reports the scanner's exit
    # status, so a non-zero status on SIGTERM would fail this step — confirm.
    - kill $APISEC_PID
    - wait $APISEC_PID
    #
  artifacts:
    when: always
    paths:
      - $FUZZAPI_REPORT_ASSET_PATH
      - $FUZZAPI_REPORT
      - $FUZZAPI_LOG_SCANNER
    reports:
      api_fuzzing: $FUZZAPI_REPORT
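apifuzzer_fuzz_dnd:
  stage: fuzz
  image: docker:19.03.12
  variables:
    DOCKER_DRIVER: overlay2
    # Empty value follows the docker:dind convention for a daemon without
    # TLS; presumably only this job's service network can reach it — confirm
    # against the runner configuration.
    DOCKER_TLS_CERTDIR: ""
    FUZZAPI_PROJECT: $CI_PROJECT_PATH
    # The scanner container is reached by name on the job-created network.
    FUZZAPI_API: http://apifuzzer:5000
  allow_failure: true
  rules:
    # This variant only runs when a target and/or worker image is supplied.
    - if: $FUZZAPI_D_TARGET_IMAGE == null && $FUZZAPI_D_WORKER_IMAGE == null
      when: never
    - if: $API_FUZZING_DISABLED
      when: never
    - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH && $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
      when: never
    - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bapi_fuzzing\b/
  services:
    - docker:19.03.12-dind
  script:
    #
    # Authenticate to the registry. The job token is piped on stdin instead
    # of being passed with -p, so it does not appear in the docker process's
    # argument list.
    - echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
    #
    # Bridge network shared by the scanner, target and worker containers.
    - docker network create --driver bridge $FUZZAPI_D_NETWORK
    #
    # Run user provided pre-script (an unset variable makes this a no-op).
    - sh -c "$FUZZAPI_PRE_SCRIPT"
    #
    # Make sure asset path exists
    - mkdir -p $FUZZAPI_REPORT_ASSET_PATH
    #
    # Start peach testing engine container. The -p flags publish ports on the
    # daemon this job talks to (the dind service, presumably) — verify.
    - |
      docker run -d \
        --name apifuzzer \
        --network $FUZZAPI_D_NETWORK \
        -e Proxy:Port=8000 \
        -e TZ=America/Los_Angeles \
        -e GITLAB_FEATURES \
        -p 80:80 \
        -p 5000:5000 \
        -p 8000:8000 \
        -p 514:514 \
        --restart=no \
        $FUZZAPI_IMAGE \
        dotnet /peach/Peach.Web.dll
    #
    # Start target container. The *_ENV/_PORTS/_VOLUME variables are left
    # unquoted on purpose so they expand to several docker arguments.
    - |
      if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then \
        docker run -d \
          --name target \
          --network $FUZZAPI_D_NETWORK \
          $FUZZAPI_D_TARGET_ENV \
          $FUZZAPI_D_TARGET_PORTS \
          $FUZZAPI_D_TARGET_VOLUME \
          --restart=no \
          $FUZZAPI_D_TARGET_IMAGE \
        ; fi
    #
    # Start worker container if provided. Bare -e NAME entries forward the
    # job's own variables, including FUZZAPI_HTTP_USERNAME/PASSWORD, into the
    # worker environment; keep those as masked CI variables.
    - |
      if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \
        echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE"; \
        docker run \
          --name worker \
          --network $FUZZAPI_D_NETWORK \
          -e FUZZAPI_API=http://apifuzzer:5000 \
          -e FUZZAPI_PROJECT \
          -e FUZZAPI_PROFILE \
          -e FUZZAPI_CONFIG \
          -e FUZZAPI_REPORT \
          -e FUZZAPI_REPORT_ASSET_PATH \
          -e FUZZAPI_NEW_REPORT=1 \
          -e FUZZAPI_HAR \
          -e FUZZAPI_OPENAPI \
          -e FUZZAPI_POSTMAN_COLLECTION \
          -e FUZZAPI_POSTMAN_COLLECTION_VARIABLES \
          -e FUZZAPI_TARGET_URL \
          -e FUZZAPI_OVERRIDES_FILE \
          -e FUZZAPI_OVERRIDES_ENV \
          -e FUZZAPI_OVERRIDES_CMD \
          -e FUZZAPI_OVERRIDES_INTERVAL \
          -e FUZZAPI_TIMEOUT \
          -e FUZZAPI_VERBOSE \
          -e FUZZAPI_SERVICE_START_TIMEOUT \
          -e FUZZAPI_HTTP_USERNAME \
          -e FUZZAPI_HTTP_PASSWORD \
          -e CI_PROJECT_URL \
          -e CI_JOB_ID \
          -e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \
          $FUZZAPI_D_WORKER_ENV \
          $FUZZAPI_D_WORKER_PORTS \
          $FUZZAPI_D_WORKER_VOLUME \
          --restart=no \
          $FUZZAPI_D_WORKER_IMAGE \
        ; fi
    #
    # Start API Fuzzing provided worker if no other worker present. The
    # project checkout and the asset directory are mounted into the worker so
    # the report and its assets land in the job workspace.
    - |
      if [ "$FUZZAPI_D_WORKER_IMAGE" == "" ]; then \
        if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI$FUZZAPI_POSTMAN_COLLECTION" == "" ]; then \
          echo "Error: One of FUZZAPI_HAR, FUZZAPI_OPENAPI, or FUZZAPI_POSTMAN_COLLECTION must be provided."; \
          echo "See https://docs.gitlab.com/ee/user/application_security/api_fuzzing/ for information on how to configure API Fuzzing."; \
          exit 1; \
        fi; \
        docker run \
          --name worker \
          --network $FUZZAPI_D_NETWORK \
          -e TZ=America/Los_Angeles \
          -e FUZZAPI_API=http://apifuzzer:5000 \
          -e FUZZAPI_PROJECT \
          -e FUZZAPI_PROFILE \
          -e FUZZAPI_CONFIG \
          -e FUZZAPI_REPORT \
          -e FUZZAPI_REPORT_ASSET_PATH \
          -e FUZZAPI_NEW_REPORT=1 \
          -e FUZZAPI_HAR \
          -e FUZZAPI_OPENAPI \
          -e FUZZAPI_POSTMAN_COLLECTION \
          -e FUZZAPI_POSTMAN_COLLECTION_VARIABLES \
          -e FUZZAPI_TARGET_URL \
          -e FUZZAPI_OVERRIDES_FILE \
          -e FUZZAPI_OVERRIDES_ENV \
          -e FUZZAPI_OVERRIDES_CMD \
          -e FUZZAPI_OVERRIDES_INTERVAL \
          -e FUZZAPI_TIMEOUT \
          -e FUZZAPI_VERBOSE \
          -e FUZZAPI_SERVICE_START_TIMEOUT \
          -e FUZZAPI_HTTP_USERNAME \
          -e FUZZAPI_HTTP_PASSWORD \
          -e CI_PROJECT_URL \
          -e CI_JOB_ID \
          -v $CI_PROJECT_DIR:/app \
          -v `pwd`/$FUZZAPI_REPORT_ASSET_PATH:/app/$FUZZAPI_REPORT_ASSET_PATH:rw \
          -p 81:80 \
          -p 5001:5000 \
          -p 8001:8000 \
          -p 515:514 \
          --restart=no \
          $FUZZAPI_IMAGE \
          worker-entry \
        ; fi
    #
    # Propagate exit code from api fuzzing scanner (if any)
    - if [[ $(docker inspect apifuzzer --format='{{.State.ExitCode}}') != "0" ]]; then echo "API Fuzzing scanner exited with an error. Logs are available as job artifacts."; exit 1; fi
    #
    # Run user provided post-script
    - sh -c "$FUZZAPI_POST_SCRIPT"
    #
  after_script:
    #
    # Shutdown all containers
    - echo "Stopping all containers"
    - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi
    - docker stop worker
    - docker stop apifuzzer
    #
    # Save docker logs. NOTE(review): `&>` is a bash redirection; assumes the
    # shell in this image accepts it — confirm.
    - docker logs apifuzzer &> gl-api_fuzzing-logs.log
    - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi
    - docker logs worker &> gl-api_fuzzing-worker-logs.log
    #
  artifacts:
    when: always
    paths:
      - ./gl-api_fuzzing*.log
      - ./gl-api_fuzzing*.zip
      - $FUZZAPI_REPORT_ASSET_PATH
      - $FUZZAPI_REPORT
    reports:
      api_fuzzing: $FUZZAPI_REPORT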
# end