Running Fixinator on GitLab
Pete Freitag edited this page Jun 21, 2019
Want to Scan your CFML / ColdFusion code for security vulnerabilities with GitLab? Great, here's how:
- Go to your project page in GitLab
- Go to Settings, click on CI / CD, then click Expand on Environment Variables. Add your `FIXINATOR_API_KEY` value and turn on Protected (this prevents the key from being logged in the output). You can get an API key here.
- Click the Set up CI/CD button (this is really just a shortcut for creating a file called `.gitlab-ci.yml`)
- Create the Build Script (see Example Build Script)
```yaml
image: java:8
before_script:
  - curl --location -o /tmp/box.zip https://www.ortussolutions.com/parent/download/commandbox/type/bin
  - unzip /tmp/box.zip -d /tmp/
  - chmod a+x /tmp/box
  - /tmp/box install fixinator
fixinator:
  script:
    - /tmp/box fixinator path=. confidence=high
```
You can configure fixinator in your GitLab pipeline to output results in the SAST format, which GitLab understands as a security vulnerability report. To accomplish this we tell fixinator to write a report file that GitLab will pick up and process for us; here is an example pipeline:
```yaml
image: java:8
before_script:
  - curl --location -o /tmp/box.zip https://www.ortussolutions.com/parent/download/commandbox/type/bin
  - unzip /tmp/box.zip -d ~/
  - chmod a+x ~/box
  - ~/box install fixinator
fixinator:
  script:
    - ~/box fixinator path=. confidence=low severity=low resultFormat=sast resultFile=fixinator-sast-report.json failOnIssues=false
  artifacts:
    paths:
      - fixinator-sast-report.json
    reports:
      sast: fixinator-sast-report.json
```
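The pipeline above sets `failOnIssues=false` so the job always passes and the report is always uploaded. If you also want the job to fail on serious findings, a small gate script can read the report after the scan. This is an added example, not code from the Fixinator project; it assumes the report follows GitLab's SAST schema (a top-level `vulnerabilities` list whose entries carry `severity` and `location`), and the sample report embedded below is constructed.

```python
#!/usr/bin/env python3
"""Gate a GitLab job on the Fixinator SAST report (added example, not Fixinator's own code)."""
import json
import sys

# Severity strings as used in GitLab's SAST report schema (assumption: each
# entry in "vulnerabilities" carries a "severity" string and a "location").
SEVERITY_RANK = {"Info": 0, "Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report standing in for fixinator-sast-report.json.
SAMPLE_REPORT = {
    "version": "2.0",
    "vulnerabilities": [
        {"category": "sast", "name": "SQL Injection", "severity": "High",
         "location": {"file": "search.cfm", "start_line": 12}},
        {"category": "sast", "name": "Cross Site Scripting", "severity": "Medium",
         "location": {"file": "profile.cfm", "start_line": 40}},
        {"category": "sast", "name": "Debug Output", "severity": "Low",
         "location": {"file": "admin/debug.cfm", "start_line": 3}},
    ],
}


def count_by_severity(report):
    """Return {severity: count} for every finding in the report."""
    counts = {}
    for vuln in report.get("vulnerabilities", []):
        sev = vuln.get("severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def findings_at_or_above(report, threshold):
    """Return findings whose severity is at least `threshold` (e.g. "High")."""
    floor = SEVERITY_RANK[threshold]
    return [v for v in report.get("vulnerabilities", [])
            if SEVERITY_RANK.get(v.get("severity", "Unknown"), 0) >= floor]


def gate(report, threshold="High"):
    """Exit status for the CI job: 1 if any finding meets the threshold, else 0."""
    return 1 if findings_at_or_above(report, threshold) else 0


if __name__ == "__main__":
    # Usage: python3 check_sast.py fixinator-sast-report.json [High]
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "High"
    for v in findings_at_or_above(report, threshold):
        loc = v.get("location", {})
        print(f"{v['severity']}: {v['name']} at {loc.get('file')}:{loc.get('start_line')}")
    print("counts:", count_by_severity(report))
    sys.exit(gate(report, threshold))
```

Run it as a second `script` step after the fixinator command, and set `artifacts: when: always` so the report is still uploaded when the gate fails the job.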
Here is an example GitLab repository job result.
The