
Draft: Add dependency review automation

Nikhil George requested to merge enable_dependency_check into master

What does this MR do and why?

This MR adds the dependency review automation to the GitLab pipeline. The aims of the automation are to:

  • a) Identify unmaintained and untrusted dependencies as they are added to the code base
  • b) Assist the AppSec dependency review process.

The automation adds a comment to the MR with metadata about each new dependency introduced in the MR and pings AppSec. It currently checks only for new Ruby gems.

Steps to add the dependency review automation to a GitLab project's CI:

  • 1. Add a new CI job that runs the automation in the MR pipeline when dependency files change.

```yaml
# Runs in MR pipelines only. The image lives in the private depscore project,
# so the job logs in to the registry with the project token first.
dependency_check:
  stage: test
  image: docker:20.10.16
  services:
    - docker:20.10.16-dind
  before_script:
    - apk add jq curl
    # Resolve the username that owns DEPENDENCY_REVIEW_PAT for the registry login
    - DEPENDENCY_REVIEW_BOT_UNAME=$(curl --header "PRIVATE-TOKEN:$DEPENDENCY_REVIEW_PAT" "https://gitlab.com/api/v4/user" | jq -r '.username')
    - DEPENDENCY_REVIEW_BOT_CI_REG="registry.gitlab.com/gitlab-com/gl-security/appsec/tooling/depscore/master"
    - echo "$DEPENDENCY_REVIEW_PAT" | docker login --password-stdin -u "$DEPENDENCY_REVIEW_BOT_UNAME" "$DEPENDENCY_REVIEW_BOT_CI_REG"
  only:
    - merge_requests
  script:
    # The token is passed as a CLI argument; mark DEPENDENCY_REVIEW_PAT as a masked
    # CI/CD variable so it is not echoed into the job log.
    - docker run --interactive --rm "$DEPENDENCY_REVIEW_BOT_CI_REG:latest" -t "$DEPENDENCY_REVIEW_PAT" -p "$CI_PROJECT_ID" -m "$CI_MERGE_REQUEST_IID"
```
  • 2. Create a project access token in https://gitlab.com/gitlab-com/gl-security/appsec/tooling/depscore with scope api and role Reporter (Guest cannot pull images from a private project). The automation lives in this private project, so its Docker image is not reachable without authentication.
  • 3. Add the project token to 1Password > GitLab-QA > Dependency Review Automation.
  • 4. Add the project token from 1Password > GitLab-QA > Dependency Review Automation as the DEPENDENCY_REVIEW_PAT CI/CD variable.
  • 5. Add a new Ruby dependency in this MR to verify that the automation works:
    • 6. A comment should be generated with the dependency metadata.
    • 7. The comment pings AppSec.
    • 8. The comment has links to the feedback issue.
  • 9. Remove the test Ruby dependency and finalize the MR.
  • 10. Ping @vdesousa to notify them that the MR is ready for approval.
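The check that steps 5 to 8 exercise (spot the gems an MR introduces and post a comment that pings AppSec) runs inside the depscore image, whose source is not part of this MR. The Python below is an added illustration, not depscore's own code, of the core step: diffing the base and MR versions of Gemfile.lock to list newly resolved gems, marking each as direct or transitive, and building the comment body. Both lock files are constructed samples and the AppSec mention handle is a placeholder.

```python
"""Diff two Gemfile.lock files to find gems an MR introduces (added example)."""
import re
from typing import Dict, Set, Tuple

# Constructed sample: Gemfile.lock on the target branch.
BASE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (7.0.4)
      rack (~> 2.0)
    rack (2.2.4)
    rails (7.0.4)
      actionpack (= 7.0.4)

PLATFORMS
  ruby

DEPENDENCIES
  rails (~> 7.0)

BUNDLED WITH
   2.3.7
"""

# Constructed sample: the same file after the MR adds one direct gem
# (shiny-helper) that pulls in one transitive gem (tiny-util).
MR_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (7.0.4)
      rack (~> 2.0)
    rack (2.2.4)
    rails (7.0.4)
      actionpack (= 7.0.4)
    shiny-helper (0.1.0)
      tiny-util (>= 1.0)
    tiny-util (1.2.0)

PLATFORMS
  ruby

DEPENDENCIES
  rails (~> 7.0)
  shiny-helper

BUNDLED WITH
   2.3.7
"""

# A resolved gem is indented exactly 4 spaces under "specs:"; its own
# requirements are indented 6 and therefore do not match.
_SPEC_RE = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")
# A direct dependency is indented 2 spaces under DEPENDENCIES, optionally
# followed by "!" (git/path source) or a version constraint.
_DEP_RE = re.compile(r"^ {2}(\S+?)!?(?: \(.*\))?$")


def parse_lockfile(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return ({resolved gem: version}, {direct dependency names})."""
    resolved: Dict[str, str] = {}
    direct: Set[str] = set()
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # unindented line = section header
            section = line.strip()
            continue
        if section in ("GEM", "GIT", "PATH"):
            m = _SPEC_RE.match(line)
            if m:
                resolved[m.group(1)] = m.group(2)
        elif section == "DEPENDENCIES":
            m = _DEP_RE.match(line)
            if m:
                direct.add(m.group(1))
    return resolved, direct


def new_gems(base_lock: str, mr_lock: str) -> Dict[str, dict]:
    """Gems resolved in the MR lockfile but absent from the base lockfile."""
    base_resolved, _ = parse_lockfile(base_lock)
    mr_resolved, mr_direct = parse_lockfile(mr_lock)
    return {
        name: {"version": version, "direct": name in mr_direct}
        for name, version in mr_resolved.items()
        if name not in base_resolved
    }


def review_comment(added: Dict[str, dict],
                   appsec_handle: str = "@appsec-handle-placeholder") -> str:
    """Build the MR comment body; empty string when nothing was added."""
    if not added:
        return ""
    lines = ["New Ruby gems introduced in this MR (automated dependency review):", ""]
    for name in sorted(added):
        info = added[name]
        kind = "direct" if info["direct"] else "transitive"
        lines.append(f"- `{name}` {info['version']} ({kind}) "
                     f"https://rubygems.org/gems/{name}")
    lines += ["", f"{appsec_handle} please review before merge."]
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_comment(new_gems(BASE_LOCK, MR_LOCK)))
```

Transitive additions are reported alongside direct ones on purpose: a one-line Gemfile change can pull in several gems a reviewer never sees in the diff, and those are the ones most likely to slip past review.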

Closes https://gitlab.com/gitlab-com/gl-security/appsec/tooling/depscore/-/issues/22

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Nikhil George
