
GitLab Secure Experience Guide SAST, DAST, SCA etc

Here’s a comprehensive, hands-on tutorial to help you explore and experience all the features listed under the Secure section of GitLab using a sample project.


šŸ” Full GitLab Secure Experience Guide (GitLab SaaS – Free or Ultimate Tier)

🧪 Sections Covered:

  1. Security Dashboard
  2. Vulnerability Report
  3. Dependency List
  4. Audit Events
  5. Compliance Center
  6. Policies
  7. On-Demand Scans
  8. Security Configuration

Sample Repo:

gitlab-examples/security/security-reports (the security-reports project lives inside the gitlab-examples/security group)

https://gitlab.com/gitlab-examples/security/security-reports

✅ You’ll fork and run security pipelines on this to explore all Secure features.


šŸ› ļø Prerequisites

  • GitLab account (preferably Ultimate tier for all features)
  • Fork access to gitlab-examples/security-reports
  • CI/CD runners enabled (shared runners on GitLab.com are fine)
  • Enable container registry (if testing container scanning)

✅ Step-by-Step Walkthrough

šŸ” STEP 1: Fork the Repo

  1. Visit gitlab-examples/security-reports
  2. Click Fork
  3. Choose your namespace or group

āš™ļø STEP 2: Enable Security Features

  1. Go to Secure → Security Configuration
  2. Enable each of the following (GitLab creates .gitlab-ci.yml snippets for you):
    • āœ… SAST
    • āœ… Dependency Scanning
    • āœ… Secret Detection
    • āœ… DAST (Needs a deployed URL)
    • āœ… Container Scanning (Requires Docker image build)
    • āœ… License Compliance
    • āœ… Coverage Fuzzing
    • āœ… API Fuzzing

💡 Tip: A committed .gitlab-ci.yml already takes precedence over Auto DevOps, but make sure Settings → CI/CD → Auto DevOps is disabled anyway, so Auto DevOps does not silently take over (and run its own scanning jobs) if the file is ever missing or renamed.


ā–¶ļø STEP 3: Trigger the Pipeline

  1. Push a commit or go to CI/CD > Pipelines and click Run pipeline
  2. Wait for the full security pipeline to complete
  3. Each tool (SAST, DAST, etc.) generates artifacts GitLab uses in Secure dashboards
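Steps 2 and 3 together amount to one .gitlab-ci.yml that pulls in the scanner templates and builds the image Container Scanning needs. The file below is an added example, not the sample project's own pipeline: it assumes the project has a Dockerfile, pushes its image to the project's GitLab Container Registry, and that a test deployment is reachable at the hypothetical review URL given as DAST_WEBSITE (set that as a CI/CD variable for your own environment).

```yaml
# .gitlab-ci.yml - added example for the walkthrough above, not the
# sample project's own pipeline. Assumes a Dockerfile at the repo root and
# a reachable test deployment at the hypothetical DAST_WEBSITE URL.
stages:
  - build
  - test   # SAST, Secret Detection, Dependency and Container Scanning run here
  - dast   # the DAST template places its job in this stage

include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml
  - template: DAST.gitlab-ci.yml

variables:
  # Scan the whole git history, not just new commits; useful on the first run.
  SECRET_DETECTION_HISTORIC_SCAN: "true"
  # Keep test fixtures and vendored code out of SAST to reduce noise.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, node_modules"
  # Image that Container Scanning pulls; it must exist before the test stage.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Hypothetical review-environment URL for DAST; override per environment.
  DAST_WEBSITE: "https://review.example.internal"

build-image:
  stage: build
  image: docker:27
  services:
    - docker:27-dind
  script:
    # Pass the registry password on stdin so it never appears in job logs or ps output.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

The scanner jobs are defined entirely by the templates; the only project-specific pieces are the build job, the image name handed to Container Scanning through CS_IMAGE, and the DAST target. If the pipeline runs on a branch other than the default, expect the findings in the merge request widget rather than in the Secure dashboards.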

šŸ›”ļø STEP 4: Explore Secure Menu Options


✅ 1. Security Dashboard

  • Navigate: Secure > Security Dashboard
  • See:
    • At project level: a trend chart of open vulnerabilities by severity over time, built from default-branch pipelines
    • At group level: the same trend plus a per-project breakdown, so you can compare the security posture of projects under your namespace

✅ 2. Vulnerability Report

  • Navigate: Secure > Vulnerability Report
  • View all findings ingested from default-branch pipelines:
    • SAST, Secret Detection, DAST, Container and Dependency scans
  • Use filters to narrow by:
    • Severity
    • Scanner / report type
    • Status (detected, confirmed, dismissed, resolved)
  • From here you can triage: confirm, dismiss with a reason, or create an issue from a finding

✅ 3. Dependency List

  • Navigate: Secure > Dependency List
  • Lists every dependency found by Dependency Scanning on the default branch (from package.json, pom.xml, Gemfile.lock, etc.), with its version, package manager and the file it was declared in
  • Any library with known vulnerabilities is flagged, with a link to the finding

✅ 4. Audit Events

  • Navigate: Secure > Audit Events
  • Shows:
    • Group/project membership and permission changes
    • Settings changes (including protected branches and CI/CD variables)
    • Other security-relevant actions recorded against the project
  • Requires the Premium or Ultimate tier

✅ 5. Compliance Center

  • Navigate: Secure > Compliance Center
  • Assign compliance frameworks to projects and attach a compliance pipeline configuration (kept in a separate project from the one it governs)
  • Enforce MR approval rules across the group
  • View the adherence and violations reports
  • Monitor adherence to internal policies

✅ 6. Policies

  • Navigate: Secure > Policies
  • Types of policies:
    • Scan Execution Policies (e.g., always run secret detection, regardless of what .gitlab-ci.yml says)
    • Scan Result Policies, now called Merge Request Approval Policies (e.g., require a security approval when an MR introduces high-severity findings)
  • Click “New Policy”
  • Use the GUI (or the YAML editor) to define:
    • Trigger condition (pipeline on matching branches, schedule, or scan findings)
    • Actions (e.g., run a scan, require approvals)
  • Policies are stored as YAML in a separate security policy project that GitLab links to the group or project, so changes go through that project's merge requests
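The two policy types above, written as the YAML that ends up in the security policy project (.gitlab/security-policies/policy.yml). This is an added example, not the page's or the sample project's own policy; the approver username security-lead is hypothetical and the nightly schedule is assumed.

```yaml
# .gitlab/security-policies/policy.yml in the linked security policy project.
# Added example for the Policies section; security-lead is a hypothetical user.
scan_execution_policy:
  - name: Always run secret detection and SAST
    description: Run on every pipeline for every branch and rescan main nightly.
    enabled: true
    rules:
      - type: pipeline
        branches:
          - "*"
      - type: schedule
        cadence: "0 2 * * *"   # 02:00 UTC daily (assumed cadence)
        branches:
          - main
    actions:
      - scan: secret_detection
      - scan: sast

scan_result_policy:
  - name: Block merge on new critical or high findings
    description: Require a security approval when an MR introduces critical or high findings.
    enabled: true
    rules:
      - type: scan_finding
        branches: []          # empty list means all protected branches
        scanners:
          - sast
          - dependency_scanning
          - container_scanning
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - newly_detected    # only findings the MR adds, not pre-existing ones
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers:
          - security-lead
```

The scan execution policy injects its jobs even into pipelines whose .gitlab-ci.yml omits them, which is the point: a developer cannot remove secret detection by editing the project pipeline. The approval policy compares the MR's scan results against the target branch, so restricting it to newly_detected keeps old backlog findings from blocking every merge.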

✅ 7. On-Demand Scans

  • Navigate: Secure > On-Demand Scans
  • Great for ad hoc DAST scans of a running site or API
  • Choose:
    • A site profile (target URL, or an OpenAPI spec for API scanning) and a scanner profile (passive or active, timeouts)
    • Run now, or save it with a schedule
  • No .gitlab-ci.yml changes required: GitLab creates and runs the scan pipeline for you

✅ 8. Security Configuration

  • Navigate: Secure > Security Configuration
  • Shows which scanners are enabled, based on the jobs in the latest default-branch pipeline
  • Enable scanners from here (via a merge request), and reach the DAST site/scanner profiles and the SAST configuration UI
  • Links to the pipeline that last ran each security tool

OPTIONAL: Enable Advanced Features

  1. Enable license checks (licenses are reported from the Dependency Scanning SBOM in current GitLab releases; the standalone License Compliance job has been removed)
  2. Build & scan Docker images → View Container Scanning results
  3. Add intentionally vulnerable code/libraries in a branch to test deeper scanning, and delete the branch afterwards

STEP 5: Automate Reporting (Optional)

You can export results via the GitLab API, or configure email and chat notifications for pipeline outcomes.
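One way to do the API export inside GitLab itself: a scheduled CI job that queries the GraphQL API for open critical and high findings and keeps the result as a CSV artifact. This is an added example, not from the page or the sample project. It assumes a project access token with the read_api scope stored as a masked CI/CD variable named REPORT_TOKEN (hypothetical name), and uses the predefined CI_API_GRAPHQL_URL and CI_PROJECT_PATH variables.

```yaml
# Scheduled job that exports open critical/high vulnerabilities via GraphQL.
# Added example; REPORT_TOKEN is a hypothetical masked variable holding a
# project access token with read_api scope.
vuln-export:
  stage: .post            # predefined stage, so no stages: entry is needed
  image: alpine:3.20
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  before_script:
    - apk add --no-cache curl jq
  script:
    - |
      QUERY='query($path: ID!) {
        project(fullPath: $path) {
          vulnerabilities(first: 100,
                          state: [DETECTED, CONFIRMED],
                          severity: [CRITICAL, HIGH]) {
            nodes { id title severity state reportType detectedAt }
            pageInfo { hasNextPage }
          }
        }
      }'
      # Build the request body with jq so the query is JSON-escaped correctly.
      jq -n --arg q "$QUERY" --arg p "$CI_PROJECT_PATH" \
        '{query: $q, variables: {path: $p}}' > body.json
      curl --silent --fail --show-error \
        --header "Authorization: Bearer $REPORT_TOKEN" \
        --header "Content-Type: application/json" \
        --data @body.json "$CI_API_GRAPHQL_URL" > vulns.json
    # Flatten the nodes into a CSV the team can diff week over week.
    - jq -r '.data.project.vulnerabilities.nodes[] | [.severity, .reportType, .title, .detectedAt] | @csv' vulns.json > vulns.csv
    # Warn if the single page did not cover everything; add cursor pagination then.
    - 'jq -e ".data.project.vulnerabilities.pageInfo.hasNextPage == false" vulns.json >/dev/null || echo "WARNING: more than 100 findings, add after: cursor pagination"'
  artifacts:
    paths: [vulns.csv]
    expire_in: 30 days
```

Create a pipeline schedule (Build > Pipeline schedules) for the cadence you want; the rules clause keeps the job out of ordinary push pipelines. Using a project access token rather than a personal one keeps the export working when people leave, and read_api is the least privilege the query needs.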


Learning Summary

By the end of this guide, you’ve:

✔️ Enabled the full suite of GitLab Secure features
✔️ Explored each report and dashboard
✔️ Configured On-Demand scans and Policies
✔️ Seen real security results and recommendations

