stages: - build - test - deploy - fuzz variables: FUZZAPI_PROFILE: Quick FUZZAPI_VERSION: latest FUZZAPI_CONFIG: "/app/.gitlab-api-fuzzing.yml" FUZZAPI_TIMEOUT: 30 FUZZAPI_REPORT: gl-api-fuzzing-report.xml # FUZZAPI_D_NETWORK: testing-net # # Wait up to 5 minutes for API Fuzzer and target url to become # available (non 500 response to HTTP(s)) FUZZAPI_SERVICE_START_TIMEOUT: "300" # apifuzzer_fuzz: stage: fuzz image: docker:19.03.12 variables: DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" FUZZAPI_PROJECT: $CI_PROJECT_PATH FUZZAPI_API: http://apifuzzer:80 allow_failure: true rules: - if: $API_FUZZING_DISABLED when: never - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH && $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME when: never - if: $FUZZAPI_HAR == null && $FUZZAPI_OPENAPI == null && $FUZZAPI_D_WORKER_IMAGE == null when: never - if: $FUZZAPI_D_WORKER_IMAGE == null && $FUZZAPI_TARGET_URL == null when: never - if: $GITLAB_FEATURES =~ /\bapi_fuzzing\b/ services: - docker:19.03.12-dind script: # - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY # - docker network create --driver bridge $FUZZAPI_D_NETWORK # # Run user provided pre-script - sh -c "$FUZZAPI_PRE_SCRIPT" # # Start peach testing engine container - | docker run -d \ --name apifuzzer \ --network $FUZZAPI_D_NETWORK \ -e Proxy:Port=8000 \ -e TZ=America/Los_Angeles \ -e FUZZAPI_API=http://127.0.0.1:80 \ -e FUZZAPI_PROJECT \ -e FUZZAPI_PROFILE \ -e FUZZAPI_CONFIG \ -e FUZZAPI_REPORT \ -e FUZZAPI_HAR \ -e FUZZAPI_OPENAPI \ -e FUZZAPI_TARGET_URL \ -e FUZZAPI_OVERRIDES_FILE \ -e FUZZAPI_OVERRIDES_ENV \ -e FUZZAPI_OVERRIDES_CMD \ -e FUZZAPI_OVERRIDES_INTERVAL \ -e FUZZAPI_TIMEOUT \ -e FUZZAPI_VERBOSE \ -e FUZZAPI_SERVICE_START_TIMEOUT \ -e GITLAB_FEATURES \ -v $CI_PROJECT_DIR:/app \ -p 80:80 \ -p 8000:8000 \ -p 514:514 \ --restart=no \ registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing-src:${FUZZAPI_VERSION}-engine # # Start target container - | if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then \ docker run -d \ --name target \ --network $FUZZAPI_D_NETWORK \ $FUZZAPI_D_TARGET_ENV \ $FUZZAPI_D_TARGET_PORTS \ $FUZZAPI_D_TARGET_VOLUME \ --restart=no \ $FUZZAPI_D_TARGET_IMAGE \ ; fi # # Start worker container - | if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then \ echo "Starting worker image $FUZZAPI_D_WORKER_IMAGE" \ docker run \ --name worker \ --network $FUZZAPI_D_NETWORK \ -e FUZZAPI_API=http://apifuzzer:80 \ -e FUZZAPI_PROJECT \ -e FUZZAPI_PROFILE \ -e FUZZAPI_AUTOMATION_CMD \ -e FUZZAPI_CONFIG \ -e FUZZAPI_REPORT \ -e CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH} \ $FUZZAPI_D_WORKER_ENV \ $FUZZAPI_D_WORKER_PORTS \ $FUZZAPI_D_WORKER_VOLUME \ --restart=no \ $FUZZAPI_D_WORKER_IMAGE \ ; fi # # Wait for testing to complete if api fuzzer is scanning - if [ "$FUZZAPI_HAR$FUZZAPI_OPENAPI" != "" ]; then echo "Waiting for API Fuzzer to exit"; docker wait apifuzzer; fi # # Run user provided pre-script - sh -c "$FUZZAPI_POST_SCRIPT" # after_script: # # Shutdown all containers - echo "Stopping all containers" - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker stop target; fi - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker stop worker; fi - docker stop apifuzzer # # Save docker logs - docker logs apifuzzer &> gl-api_fuzzing-logs.log - if [ "$FUZZAPI_D_TARGET_IMAGE" != "" ]; then docker logs target &> gl-api_fuzzing-target-logs.log; fi - if [ "$FUZZAPI_D_WORKER_IMAGE" != "" ]; then docker logs worker &> gl-api_fuzzing-worker-logs.log; fi # artifacts: when: always paths: - ./gl-api_fuzzing*.log - ./gl-api_fuzzing*.zip reports: junit: $FUZZAPI_REPORT # end