Socket for Gitlab Pipeline

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for your open source dependencies. It is easy to integrate Socket into your Gitlab Pipeline to provide an extra layer of security against Supply Chain Attacks.

Adding Socket to your pipeline

Create your Socket Environment variables

1. Create a Socket API Key (Directions)

2. Log into Gitlab

3. Navigate to your project

4. Go to Settings -> CI/CD

5. Expand Variables

   

6. Do Add Variable

   1. Tick the "Masked" radio button for "Visibility" option
   2. Check the "Expand variable reference" box for the "Flags" option
   3. For the "Key:" field, enter the name "SOCKET_SECURITY_API_KEY"
   4. For the "Value:" field, enter your <Socket API Token>

7. Next, to add another variable called "GITLAB_TOKEN" for your Gitlab Token that has access to the Project

   1. First, let’s go generate the gitlab project access token value
   2. Go to Setting -> Access tokens
   3. Click on “Add new token” button
      1. Give a “Token name”
      2. Optional, given a token description
      3. For the role select the scoping as required per permission needs:
         1. Personal Access Token
            • read/write API
         2. Group Access Tokens
            • Read Merge Requests Comments: Reporter
            • Write Merge Requests Comments: Developer
            • The Token needs to be granted access to the project or group
      4. Then click on “Create project access token” button
      5. You will need to make a copy of the generated project access token for the next step.
   4. Go back to the CI/CD -> Variables (Expand it) -> Click on “Add variable”
      1. Tick the “Masked” radio button for “Visibility” option
      2. Check the "Expand variable reference” box for the "Flags" option
      3. For the "Key:" field, enter the name "GITLAB_TOKEN"
      4. For the "Value:" field, paste the generated <project_access_token> here

8. Sample screenshot

   

Example Gitlab Pipeline Setup

1. Go to Build

2. Go to Pipeline Editor

3. Paste the following Pipeline Yaml, or integrate with your existing code

   yaml

   # Socket Security GitLab CI Pipeline
   # This pipeline runs Socket Security scans on every commit to any branch
   # The CLI automatically detects most information from the git repository
   
   stages:
     - security-scan
   
   socket-security:
     stage: security-scan
     image: socketdev/cli:latest
     
     # Run on all branches and merge requests
     rules:
       - if: $CI_PIPELINE_SOURCE == "push"
       - if: $CI_PIPELINE_SOURCE == "merge_request_event"
     
     variables:
       # These environment variables are automatically available in GitLab CI
       # and are used by the Socket CLI's GitLab SCM integration
       PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
     
     cache:
       paths:
         - .cache/pip/
     
     script:
       # Run Socket CLI with minimal required parameters
       # The CLI automatically detects:
       # - Repository name from git
       # - Branch name from git 
       # - Commit SHA from git (or CI_COMMIT_SHA)
       # - Commit message from git
       # - Committer information from git
       # - Default branch status from GitLab CI environment variables
       # - Changed files from git commit
       # - Merge request number from CI_MERGE_REQUEST_IID
       - |
         socketcli \
           --target-path $CI_PROJECT_DIR \
           --scm gitlab \
           --pr-number ${CI_MERGE_REQUEST_IID:-0}
     
     # Required for GitLab integration to work properly
     variables:
       SOCKET_SECURITY_API_KEY: $SOCKET_SECURITY_API_KEY
       GITLAB_TOKEN: $CI_JOB_TOKEN
   
   
   

4. Commit changes to your main branch or the current branch you are working on

Testing pipeline

1. Create a new branch

2. Modify or add a package.json

3. Create a new Merge request

4. Confirm that the Socket CI pipeline job ran

   

5. Confirm that for an unhealthy report a comment is left on the Merge request