GitLab SAST: How to use GitLab With Klocwork
GitLab is an integrated solution that covers the entire DevOps lifecycle, and Klocwork is a static code analyzer designed to fit DevSecOps processes such as CI/CD pipelines. Used together, these tools give software development teams a powerful GitLab SAST solution. Here we explain the benefits of GitLab SAST.
What Is GitLab?
GitLab is a web-based DevOps lifecycle tool that provides a Git repository manager with wiki, issue-tracking, and CI/CD pipeline features. It was developed by GitLab Inc. and released in 2011.
Software development teams have used GitLab to unite their developers’ workflows and shorten DevOps cycle times — enabling them to produce higher-quality software.
GitLab is used by software development teams from a variety of industries, including aerospace and defense, automotive, medical device, and video game development.
GitLab SAST: Why GitLab Users Should Use Klocwork
GitLab is a popular DevOps lifecycle tool because it shortens cycle time, reduces engineering risk, helps to ensure more secure applications, and bridges silos and stages. So it makes sense that many developers also use the static code analyzer Klocwork to complement GitLab.
GitLab SAST: How Klocwork Complements GitLab
Using system context data from the server, Klocwork is able to analyze only the files that have changed while also providing Differential Analysis results as if the entire system had been analyzed. This provides you with the shortest possible analysis times of new and changed code.
Using system context data from the server, Klocwork is able to provide a snapshot of the current health of your software project. After each Integrated Analysis, Klocwork will provide a list of detected coding issues along with other reports on your code. By regularly running Integrated Analysis, you are able to improve code quality and ensure uniformity across your codebase.
GitLab SAST: How to Use GitLab With Klocwork
There are many ways to integrate Klocwork’s static analysis tools within a continuous integration system such as GitLab, as Klocwork provides a command-line interface and flexible tooling to fit most workflows. Suggested here is one example of how Klocwork can be integrated into a DevSecOps workflow, using developer feature branches.
The designed workflow shows a simplified version of developers creating their own feature branches to develop new features or resolve known defects. Once the new feature or bug has been resolved the code is merged into the main branch ready for release.
With Klocwork’s tools, you can create a baseline of the known issues within the codebase using the Integration Analysis tool. These results then become viewable to all via the web portal and can be deferred to a later date or assigned to be fixed. This integration analysis also provides the full project context and existing issue data that the differential analysis utilizes.
With the Differential Analysis it is then possible to check on the server side whether a developer's commit introduces new defects, and so whether merging the branch would add technical debt to the project.
It can then be configured to feed back to the developer through GitLab that their commit contains new defects as they develop, and to fail pull requests based on quality-gate criteria such as "no new defects".
Here's how to set up GitLab SAST:
1. Install GitLab
First, you’ll need to install GitLab. If you’ve already done this, skip to the next step.
To install GitLab:
- Go to about.gitlab.com and click install GitLab.
- Select your preferred GitLab Omnibus package.
- Install and configure the necessary dependencies.
- Add the GitLab package repository and install the package.
- Browse to the hostname and login.
- Set up your communication preferences.
- Launch GitLab.
2. Install Klocwork
Next, you’ll download Klocwork.
If you’re not using Klocwork yet, get started here.
If you’re already a Klocwork user, download the latest version here.
3. Configure GitLab Runners
A runner needs to be configured for the machine where the Klocwork analysis will take place, either by connecting to an existing machine via SSH or by configuring a Docker image with Klocwork installed.
Klocwork provides analysis tool packages for the differential and integration analysis, which means it is simple to deploy to a machine by copying it over and extracting.
The runner should be configured with a tag identifying it as capable of running a Klocwork analysis; this tag can then be used in the job definitions. In these examples, the tag ‘klocwork’ has been used.
4. Klocwork Integration Analysis
This provides the baseline of existing issues, full project context, web portal overview of health, and trending. It is the backbone of the Klocwork analysis and for this example, we will configure it to run only on commits to the master branch, which given the workflow should be coming from pull requests.
Editing the “.gitlab-ci.yml” for the project:
Introducing variables into the file for the Klocwork server and project that this relates to will simplify the configuration.
The Integration Analysis is command-line based; here it has been filtered to run only on the master branch, as part of the testing phase. It follows the same capture, analyze, and load procedure as normal, with one change: the commit reference is used as the name of the Klocwork baseline build. That name is used later as the reference in the differential analysis.
5. Klocwork Differential Analysis
With the integration analysis performed and at least one baseline available in the project, it is now possible to analyze changes quickly without previous local analysis data.
Within the same YAML file for the project it is also possible to configure the Differential Analysis. This time, running on everything except the master branch (i.e. any developer feature branches), it is configured to run the Klocwork differential tool ‘kwciagent’. The steps taken are as follows:
- Capture build data using Klocwork’s tooling.
- Generate a text file containing the list of files changed in this commit, without any formatting (one file per line). Shown is an example git diff command to generate this; it requires a reference to diff against, for which we use the last baseline build name.
- Create a local workspace for Klocwork using ‘kwciagent create’.
- Run the analysis, filtered to run only on the changed files by passing the diff list text file as an argument.
- Optionally, create an artifact of the ‘new’ issues detected, if any; here an XML file is created.
- Optionally, fail the CI run by checking the artifact against a threshold of issues. In this example, it fails the CI run if any new issues exist.
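The following complete .gitlab-ci.yml ties together the Integration Analysis job from step 4 and the Differential Analysis job from step 5. It is added here as an illustration in place of the screenshots; it is not the article's own file or Perforce's configuration. The server URL, project name and build command are placeholders; the kwinject, kwbuildproject, kwadmin and kwciagent flags, and the <problem> element counted in the XML report, are assumed from the Klocwork command line and must be checked against the installed version. The diff reference is taken as the master commit the feature branch forked from, which equals the baseline build name only when the integration job has run on that commit.

```yaml
# Added example .gitlab-ci.yml (not the article's screenshot or the vendor's
# configuration). ASSUMED: server URL, project name and build command are
# placeholders; Klocwork CLI flags and the "<problem>" XML element are assumed
# and must be verified against your Klocwork version.
variables:
  KW_SERVER_URL: "https://klocwork.example.com:8080"   # ASSUMED placeholder
  KW_PROJECT: "my_project"                             # ASSUMED placeholder
  KW_BUILD_CMD: "make -j4"                             # ASSUMED build command
  KW_TABLES_DIR: "kwtables"
  KW_DIFF_LIST: "diff_file_list.txt"
  KW_NEW_ISSUES_XML: "kw_new_issues.xml"

stages:
  - build
  - test

# Stage 1: a plain build. It must pass before either analysis job runs.
build:
  stage: build
  script:
    - $KW_BUILD_CMD

# Step 4: Integration Analysis. Restricted to master, so in this workflow it
# only runs on merged pull requests. Capture, analyze, load as normal; the
# commit SHA is used as the baseline build name.
klocwork_integration:
  stage: test
  tags:
    - klocwork                      # runner tag from step 3
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
  script:
    - kwinject -o kwinject.out $KW_BUILD_CMD
    - kwbuildproject --url "$KW_SERVER_URL/$KW_PROJECT" --tables-directory "$KW_TABLES_DIR" kwinject.out
    - kwadmin --url "$KW_SERVER_URL" load "$KW_PROJECT" "$KW_TABLES_DIR" --name "$CI_COMMIT_SHA"

# Step 5: Differential Analysis on every branch except master.
klocwork_differential:
  stage: test
  tags:
    - klocwork
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Capture build data.
    - kwinject -o kwinject.out $KW_BUILD_CMD
    # Changed-file list, one path per line, diffed against the master commit
    # this branch forked from (ASSUMED to be the last baseline build name).
    # Deleted files are excluded because they cannot be analyzed. The
    # --unshallow fallback handles GitLab's default shallow clone.
    - git fetch --unshallow origin master || git fetch origin master
    - BASELINE_REF=$(git merge-base HEAD origin/master)
    - git diff --name-only --diff-filter=ACMR "$BASELINE_REF" HEAD > "$KW_DIFF_LIST"
    # Local Klocwork workspace.
    - kwciagent create --url "$KW_SERVER_URL/$KW_PROJECT" -b kwinject.out
    # Analyze only the listed files; write the detected issues as an XML artifact.
    - kwciagent run -F xml --report "$KW_NEW_ISSUES_XML" @"$KW_DIFF_LIST"
    # Quality gate: fail the job if any new issue is reported (threshold 0).
    # A missing report makes the test fail too, which is the safe default.
    - |
      NEW_ISSUES=$(grep -c "<problem>" "$KW_NEW_ISSUES_XML" || true)
      echo "New Klocwork issues relative to baseline: $NEW_ISSUES"
      [ "$NEW_ISSUES" -eq 0 ] || { echo "Quality gate failed"; exit 1; }
  artifacts:
    when: always        # keep the diff list and report even when the gate fails
    paths:
      - $KW_DIFF_LIST
      - $KW_NEW_ISSUES_XML
```

Setting artifacts to `when: always` is what keeps the diff list and the issue report downloadable from a failed pipeline run, so a developer can see which new issues tripped the gate rather than only that the test stage failed.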
How GitLab SAST Looks
As feature branches are created and pull requests committed it is then possible to get an overview of the analysis runs:
On the Differential Analysis above, note that the run is marked as failed because new issues were introduced to the code with respect to the baseline. The tick followed by a cross shows that it failed on the second stage, which in this case means the build was successful but the testing phase failed.
On the pull request, it is now possible to see whether the pipeline has succeeded on the development feature branch, providing warnings against merging.
Also note that the configuration archived the diff results file and change list, which are downloadable from the pipeline run.
GitLab SAST — The Full Cycle
With the pull request showing warnings against merging, it is possible to resolve the defects and re-commit. GitLab will automatically run the differential analysis on the new commit and update the status on the pull request.
Once merged into the master branch, a full integration analysis is performed again to create the new baseline, capturing the changes made by the merge, as shown below.
Get Started With GitLab SAST
Start optimizing your DevSecOps process with GitLab and Klocwork today.