Integrate RapidFort with GitLab CI/CD Pipeline

Prerequisites

Before getting started, make a note of your RapidFort host.
  • On-Premises: IP address of your RapidFort EC2 instance
  • SaaS: api.rapidfort.com
Install the RapidFort CLI Tools
First, verify that your GitLab runner meets the minimum requirements for installing the RapidFort CLI tools.
Install the RapidFort CLI tools on the GitLab runner. For example, you can add the following code to your .gitlab-ci.yml file:

script:
    - |
      # Install the RapidFort CLI tools only if they are not already installed
      if ! test -x "$(command -v rflogin)" ; then
          # Verify HTTPS connectivity to the RapidFort host before installation
          timeout 15 nc -vz <rapidfort_host> 443
          # Download and install the RapidFort CLI tools
          # (-k skips TLS certificate verification; drop it once the host presents a trusted certificate)
          curl -ks https://<rapidfort_host>/cli/ | bash
      fi


Generate a RapidFort Access Key

Next, generate a RapidFort access key and update the GitLab runner. Refer to

The GitLab runner can now log into RapidFort with rflogin, which will use the cached credentials. This eliminates the need to specify an email address and password. 


The GitLab runner can also log into RapidFort by running rflogin with an email address and password:
rflogin <email_address> <password>
We do not recommend running this within your GitLab pipeline since your password will be exposed in the GitLab logs.

GitLab Pipeline Integration

Generate Stub Images

Update your build stage with the following:
  • Run rflogin to log into RapidFort
  • Run rfstub to generate a stub image
  • Push the stub image to your registry
rfstub:
  stage: build
  script:
    - |
      # Log into RapidFort
      rflogin
      # Generate a stub image
      rfstub <docker_image:tag>
      # Push the stub image to your registry
      docker push <docker_image:tag>-rfstub
By default, rfstub will append -rfstub to the original image tags when generating a stub image. For example:
  • Original Image: example.com/my-repository:v1.2.3-20211020
  • Stub Image: example.com/my-repository:v1.2.3-20211020-rfstub

Test Your Stub Images

Update your test stages to run and test your stub images. This enables RapidFort to profile your containers at runtime. Running stub images requires adding one or more Linux kernel capabilities.

AWS Fargate

Update your AWS Fargate task definition to test your stub image (<docker_image:tag>-rfstub) and add the SYS_PTRACE capability to the linuxParameters section:
"linuxParameters" : {
    "capabilities" : {
        "add" : ["SYS_PTRACE"],
        "drop" : null
    }
}

Generate Hardened Images

Update your harden stage with the following:
  • Run rflogin to log into RapidFort
  • Run rfharden to generate a hardened image
  • Push the hardened image to your registry
rfharden:
  stage: harden
  script:
    - |
      # Log into RapidFort
      rflogin
      # Generate a hardened image from the stub image
      rfharden <docker_image:tag>-rfstub
      # Push the hardened image to your registry
      docker push <docker_image:tag>-rfhardened
By default, rfharden will append -rfhardened to the original image name when generating a hardened image. For example:
  • Original Image: example.com/my-repository:v1.2.3-20211020
  • Hardened Image: example.com/my-repository:v1.2.3-20211020-rfhardened