
Dependency Risk Identification

This workflow identifies potential security vulnerabilities in a project's dependencies. It takes a Software Bill of Materials (SBOM) as input, uploads it to DevGuard for analysis, and helps ensure that all dependencies are secure and up to date.

The dependency-risk-identification component accepts the following inputs:

| Name | Description | Required | Default Value |
|------|-------------|----------|---------------|
| api_url | The DevGuard API URL | No | https://api.main.devguard.org |
| asset_name | Name of the asset to scan | Yes | |
| token | API token for authenticating with DevGuard | Yes | |
| scan_stage | The stage where the scan is run | No | test |
| runner_tags | The runner tags used to select appropriate CI runners | No | "" |
| sbom_file | The SBOM file to use for the scan | No | test |
| needs | The jobs that this job depends on | No | "" |
| dependencies | Specifies the jobs whose artifacts this job relies on | No | "" |
| scanner_id | The ID of the scanner used to generate the SBOM | No | "sbom-upload" |

Usage Examples:

If you have the SBOM committed in the repository, include the component and pass the file path as an input (the `asset_name`, `token` and `sbom_file` values belong under `inputs:`):

```yaml
include:
  - remote: "https://gitlab.com/l3montree/devguard/-/raw/main/templates/dependency-risk-identification@main"
    inputs:
      asset_name: "myOrganization/projects/myProject/assets/myAsset"
      token: "$DEVGUARD_TOKEN_TEST"
      sbom_file: "./sbom.json"
```

If the SBOM is produced as an artifact by a previous job, declare that job in `needs` and `dependencies` so the artifact is available when the upload runs:

```yaml
variables:
  GIT_STRATEGY: clone

# Generate an SBOM using Trivy.
# Use whatever scanner you like; this is just an example.
generate-sbom:
  stage: build
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy fs . --format cyclonedx --output sbom.json
  artifacts:
    paths:
      - sbom.json
    expire_in: 1 week

# Upload the SBOM to DevGuard.
include:
  - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/dependency-risk-identification@$CI_COMMIT_SHA
    inputs:
      sbom_file: "sbom.json"
      asset_name: "$DEVGUARD_ASSET_NAME"
      token: "$DEVGUARD_TOKEN"
      needs: generate-sbom
      dependencies: generate-sbom
      scanner_id: "trivy-generate-sbom" # change to whatever scanner you are using
```
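Before handing the artifact to the upload job it is worth checking that the scanner actually produced a usable CycloneDX document: a scan run in the wrong directory yields an SBOM with no components, which would make the asset look dependency-free in DevGuard, and components without a version cannot be matched against advisories. The following pre-upload check is an added example, not part of the DevGuard component or the Trivy project; the embedded SBOM is a constructed sample shaped like `trivy fs . --format cyclonedx` output, and the `validate_sbom` function name and its result format are this example's own choices.

```python
import json
import sys
from typing import Any

# Constructed sample CycloneDX SBOM (not a real scan result). The third
# component deliberately lacks a version and purl to show what is flagged.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "express", "version": "4.18.2",
     "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "left-pad"}
  ]
}
"""


def validate_sbom(text: str) -> dict[str, Any]:
    """Parse a CycloneDX JSON SBOM and report whether it is worth uploading.

    Returns {"ok": bool, "components": int, "problems": [str, ...]}.
    An SBOM with no components is treated as a problem because uploading
    it would silently report the asset as having no dependencies.
    """
    problems: list[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "components": 0, "problems": [f"not valid JSON: {exc}"]}

    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not doc.get("specVersion"):
        problems.append("specVersion missing")

    components = doc.get("components") or []
    if not components:
        problems.append("no components listed; scanner may have run in the wrong directory")

    # Each component needs a name and version to be matched against advisories;
    # a purl is what most matching pipelines key on, so flag its absence too.
    for idx, comp in enumerate(components):
        name = comp.get("name")
        if not name:
            problems.append(f"component {idx} has no name")
            continue
        if not comp.get("version"):
            problems.append(f"{name}: version missing, cannot be matched against advisories")
        if not comp.get("purl"):
            problems.append(f"{name}: purl missing")

    return {"ok": not problems, "components": len(components), "problems": problems}


def main(argv: list[str]) -> int:
    """CLI entry point: `python3 check_sbom.py sbom.json`; exits non-zero on problems."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SBOM  # fall back to the constructed sample
    summary = validate_sbom(text)
    print(f"components: {summary['components']}")
    for problem in summary["problems"]:
        print(f"problem: {problem}")
    return 0 if summary["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as an extra line in the `generate-sbom` job's `script:` after the Trivy command (`python3 check_sbom.py sbom.json`); the non-zero exit fails the job before the upload runs, so an empty or malformed SBOM never reaches DevGuard. Whether a missing purl should fail the job or only warn depends on the scanner in use; tighten or relax the checks to match what it is expected to emit.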