Socket for Gitlab Pipeline

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for your open source dependencies. It is easy to integrate Socket into your Gitlab Pipeline to provide an extra layer of security against Supply Chain Attacks.

Adding Socket to your pipeline

Create your Socket Environment variables

  1. Create a Socket API Key (Directions)

  2. Log into Gitlab

  3. Navigate to your project

  4. Go to Settings -> CI/CD

  5. Expand Variables

  6. Click "Add variable"

    1. Tick the "Masked" radio button for the "Visibility" option
    2. Check the "Expand variable reference" box for the "Flags" option
    3. For the "Key:" field, enter the name "SOCKET_SECURITY_API_KEY"
    4. For the "Value:" field, enter your <Socket API Token>
  7. Next, add another variable called "GITLAB_TOKEN" for a GitLab token that has access to the project

    1. First, generate the GitLab project access token value
    2. Go to Settings -> Access tokens
    3. Click on the "Add new token" button
      1. Give a "Token name"
      2. Optionally, give the token a description
      3. For the role and scopes, select what is required by your permission needs:
        1. Personal Access Token
          • read/write API
        2. Group Access Tokens
          • Read Merge Request Comments: Reporter
          • Write Merge Request Comments: Developer
          • The token needs to be granted access to the project or group
      4. Then click on the "Create project access token" button
      5. Copy the generated project access token; you will need it for the next step.
    4. Go back to CI/CD -> Variables (expand it) -> Click on "Add variable"
      1. Tick the "Masked" radio button for the "Visibility" option
      2. Check the "Expand variable reference" box for the "Flags" option
      3. For the "Key:" field, enter the name "GITLAB_TOKEN"
      4. For the "Value:" field, paste the generated <project_access_token> here
  8. Sample screenshot

Example Gitlab Pipeline Setup

  1. Go to Build

  2. Go to Pipeline Editor

  3. Paste the following Pipeline Yaml, or integrate with your existing code

    # Socket Security GitLab CI Pipeline
    # This pipeline runs Socket Security scans on every push to any branch and on every merge request
    # The CLI automatically detects most information from the git repository

    stages:
      - security-scan

    socket-security:
      stage: security-scan
      image: socketdev/cli:latest

      # Run on all branches and merge requests
      rules:
        - if: $CI_PIPELINE_SOURCE == "push"
        - if: $CI_PIPELINE_SOURCE == "merge_request_event"

      # A job has a single variables block; a second "variables:" key in the same job
      # would either override this one or be rejected, depending on the YAML parser
      variables:
        PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
        # Required for the GitLab integration to work properly. Both values come from
        # the masked CI/CD variables created in the previous section. GITLAB_TOKEN must
        # be the project access token: the built-in CI_JOB_TOKEN only has access to a
        # limited set of API endpoints and cannot post merge request comments.
        SOCKET_SECURITY_API_KEY: $SOCKET_SECURITY_API_KEY
        GITLAB_TOKEN: $GITLAB_TOKEN

      cache:
        paths:
          - .cache/pip/

      script:
        # Run Socket CLI with the minimal required parameters
        # The CLI automatically detects:
        # - Repository name from git
        # - Branch name from git
        # - Commit SHA from git (or CI_COMMIT_SHA)
        # - Commit message from git
        # - Committer information from git
        # - Default branch status from GitLab CI environment variables
        # - Changed files from the git commit
        # - Merge request number from CI_MERGE_REQUEST_IID
        # --pr-number falls back to 0 on plain pushes, where CI_MERGE_REQUEST_IID is unset
        - |
          socketcli \
            --target-path "$CI_PROJECT_DIR" \
            --scm gitlab \
            --pr-number "${CI_MERGE_REQUEST_IID:-0}"

  4. Commit changes to your main branch or the current branch you are working on

Testing pipeline

  1. Create a new branch

  2. Modify or add a package.json

  3. Create a new Merge request

  4. Confirm that the Socket CI pipeline job ran

  5. Confirm that, for an unhealthy report, a comment is left on the merge request


What’s Next

That's it! You're all done. From now on, any time there is an update to your manifest file, the Socket CI job will run automatically. You can update the criteria to cover more files, such as requirements.txt or other lock files.
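As an added example, not part of the Socket documentation or the project's own pipeline, here is the same job with its rules narrowed to pushes and merge requests that actually change a manifest or lock file, plus a pre-flight check that the two CI/CD variables are present before the scan runs. The list of manifest file names is an assumption to adapt to your project; the job, image and variable names are the ones used above.

```yaml
# Added example (not the Socket project's own pipeline): run the scan only when a
# dependency manifest changes, and fail fast with a clear message if a secret is missing.
stages:
  - security-scan

socket-security:
  stage: security-scan
  image: socketdev/cli:latest

  rules:
    # Run for pushes and merge requests, but only when one of the listed files
    # changed. The file list is an assumption; match it to your project's ecosystems.
    - if: $CI_PIPELINE_SOURCE == "push" || $CI_PIPELINE_SOURCE == "merge_request_event"
      changes:
        - package.json
        - package-lock.json
        - yarn.lock
        - pnpm-lock.yaml
        - requirements.txt
        - Pipfile.lock
        - poetry.lock
        - go.mod
        - go.sum

  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # Both values come from the masked CI/CD variables created earlier.
    SOCKET_SECURITY_API_KEY: $SOCKET_SECURITY_API_KEY
    GITLAB_TOKEN: $GITLAB_TOKEN

  cache:
    paths:
      - .cache/pip/

  script:
    # Pre-flight: confirm each secret is set without ever printing its value.
    # Without this, a missing variable only shows up later as a failed API call.
    - |
      for name in SOCKET_SECURITY_API_KEY GITLAB_TOKEN; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
          echo "CI/CD variable $name is not set; add it under Settings -> CI/CD -> Variables" >&2
          exit 1
        fi
      done
      unset value
    # Same invocation as in the pipeline above; --pr-number falls back to 0 on plain pushes.
    - |
      socketcli \
        --target-path "$CI_PROJECT_DIR" \
        --scm gitlab \
        --pr-number "${CI_MERGE_REQUEST_IID:-0}"
```

GitLab evaluates `changes` against the target branch for merge request pipelines and against the previous push for branch pipelines, and treats a brand-new branch as changed; use `rules:changes:compare_to` if you need a fixed baseline. The pre-flight loop never echoes a value, and because both variables are marked "Masked", GitLab would redact them from the job log anyway.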