
# Security Component

The security component provides standardized security scanning and compliance checks for your GitLab CI/CD pipelines.

## Usage

Include the security component in your `.gitlab-ci.yml`:

```yaml
include:
  - component: [COMPONENT_REGISTRY]/[email protected]
    inputs:
      scan_type: 'sast'
      target_dirs: 'src'
```

Pin the component reference to a released version tag rather than a branch name, so a change pushed to the component repository cannot silently alter what your pipeline runs.

## Configuration

### Required Inputs

| Input | Description | Default |
| ----------- | --------------------- | ------- |
| `scan_type` | Type of security scan: `sast`, `dependency`, `container`, `secret` or `compliance` (see Scan Types) | None (required) |

### Optional Inputs

| Input | Description | Default |
| -------------------- | ---------------------------------- | ------- |
| `target_dirs` | Directories to scan | `src` |
| `severity_threshold` | Minimum severity to include in the report | `low` |
| `fail_on_severity` | Lowest severity that fails the job | `high` |
| `scan_timeout` | Scan timeout in seconds | `1800` |
| `exclude_patterns` | Comma-separated glob patterns for files to skip | None |
| `report_format` | Format for scan reports | `json` |

`fail_on_severity` must be at or above `severity_threshold`: a finding below the reporting threshold is never reported, so it can never fail the job.

## Scan Types

### SAST (Static Application Security Testing)

```yaml
security-sast:
  extends: .security
  variables:
    SCAN_TYPE: 'sast'
    TARGET_DIRS: 'src'
    SEVERITY_THRESHOLD: 'low'
```

### Dependency Scanning

```yaml
security-deps:
  extends: .security
  variables:
    SCAN_TYPE: 'dependency'
    TARGET_DIRS: '.'
    FAIL_ON_SEVERITY: 'critical'
```

### Container Scanning

```yaml
security-container:
  extends: .security
  variables:
    SCAN_TYPE: 'container'
    TARGET_IMAGE: 'registry.example.com/project:$CI_COMMIT_SHA'
```

`TARGET_IMAGE` is a job variable rather than one of the component inputs listed above. Tagging it with `$CI_COMMIT_SHA` ties the scan to the image built for this exact commit instead of a mutable tag such as `latest`.

### Secret Detection

```yaml
security-secrets:
  extends: .security
  variables:
    SCAN_TYPE: 'secret'
    EXCLUDE_PATTERNS: '*.test.js,*.spec.js'
```

## Reports
Scan reports are written as job artifacts and declared under `artifacts:reports` with GitLab's report types, so GitLab ingests them as security reports:

```yaml
artifacts:
  reports:
    sast: gl-sast-report.json
    dependency_scanning: gl-dependency-scanning-report.json
    container_scanning: gl-container-scanning-report.json
    secret_detection: gl-secret-detection-report.json
```
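The inputs table and the Reports section describe the gating settings but not how they combine. The following script is an added example, not the component's own code: it applies `severity_threshold`, `fail_on_severity` and `exclude_patterns` to a report in GitLab's security report JSON shape (a `vulnerabilities` array whose entries carry `severity` and `location.file`) and refuses the inconsistent case where the fail level sits below the reporting threshold. The report it reads is constructed inline; the function names and the glob-matching behaviour are assumptions.

```python
"""Severity gating over a GitLab-format security report.

Added example, not the component's own code. It models the documented
semantics of `severity_threshold`, `fail_on_severity` and
`exclude_patterns` against a report in the GitLab security report JSON
shape. The sample report below is constructed, not a real scan.
"""
import fnmatch
import json

# GitLab severity levels, lowest first. Unknown and Info sit below Low.
SEVERITY_ORDER = ["info", "unknown", "low", "medium", "high", "critical"]

# Constructed sample in the shape of gl-sast-report.json (not a real scan).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "name": "Hard-coded secret", "severity": "High",
         "location": {"file": "src/config.js", "start_line": 12}},
        {"id": "a2", "name": "Weak hash", "severity": "Medium",
         "location": {"file": "src/auth/hash.js", "start_line": 40}},
        {"id": "a3", "name": "Test credential", "severity": "Critical",
         "location": {"file": "src/auth/login.test.js", "start_line": 3}},
        {"id": "a4", "name": "Informational", "severity": "Info",
         "location": {"file": "src/index.js", "start_line": 1}},
    ],
})


def severity_rank(level: str) -> int:
    """Map a severity string (any case) to its position in SEVERITY_ORDER."""
    try:
        return SEVERITY_ORDER.index(level.lower())
    except ValueError:
        raise ValueError(f"unknown severity {level!r}") from None


def parse_exclude_patterns(raw: str) -> list[str]:
    """Split the comma-separated exclude_patterns input into glob patterns."""
    return [p.strip() for p in raw.split(",") if p.strip()]


def is_excluded(path: str, patterns: list[str]) -> bool:
    """True if the finding's file path or basename matches any glob.

    fnmatch's '*' also matches '/', so '*.test.js' matches
    'src/auth/login.test.js'; matching the basename as well keeps
    patterns without a directory component behaving as expected.
    """
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(path, p) or fnmatch.fnmatch(name, p)
               for p in patterns)


def gate_report(report_json: str, severity_threshold: str = "low",
                fail_on_severity: str = "high",
                exclude_patterns: str = "") -> dict:
    """Apply the documented inputs to a report.

    Returns the findings that survive the threshold and exclusions, the
    subset at or above fail_on_severity, and whether the job should fail.
    """
    report = json.loads(report_json)
    patterns = parse_exclude_patterns(exclude_patterns)
    threshold = severity_rank(severity_threshold)
    fail_rank = severity_rank(fail_on_severity)
    if fail_rank < threshold:
        # A finding below the reporting threshold is never seen, so a fail
        # level beneath it could never trigger. Refuse the misconfiguration.
        raise ValueError("fail_on_severity must be at or above severity_threshold")

    reported = [
        v for v in report.get("vulnerabilities", [])
        if severity_rank(v["severity"]) >= threshold
        and not is_excluded(v.get("location", {}).get("file", ""), patterns)
    ]
    failing = [v for v in reported if severity_rank(v["severity"]) >= fail_rank]
    return {"reported": reported, "failing": failing, "fail": bool(failing)}


if __name__ == "__main__":
    result = gate_report(SAMPLE_REPORT, severity_threshold="low",
                         fail_on_severity="high",
                         exclude_patterns="*.test.js,*.spec.js")
    for v in result["reported"]:
        loc = v["location"]
        print(f'{v["severity"]:<8} {loc["file"]}:{loc["start_line"]}  {v["name"]}')
    print("job fails:", result["fail"])
    # Exit status mirrors what the CI job would do with these inputs.
    raise SystemExit(1 if result["fail"] else 0)
```

With the defaults and `*.test.js,*.spec.js` excluded, the Critical finding in `login.test.js` never reaches the report, the Info finding falls below the `low` threshold, and the remaining High finding fails the job. Excluding test files is exactly the kind of decision the Best Practices section asks you to document, because it can hide a real credential committed to a test fixture.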

## Environment Variables

### Available Variables

| Variable | Description |
| --------------- | ----------------------- |
| `GITLAB_TOKEN` | GitLab API token |
| `SCAN_REGISTRY` | Security tools registry |
| `REPORT_PATH` | Path for report output |
| `SCAN_RULES` | Custom scanning rules |

Supply `GITLAB_TOKEN` as a masked CI/CD variable (and a protected one where the scan jobs only run on protected branches) rather than writing it into `.gitlab-ci.yml`, and give the token only the scopes the scanners need.

### Custom Variables
You can set custom environment variables:

```yaml
variables:
  MY_SECURITY_VAR: 'value'
```

## Best Practices
1. Scan Configuration

- Set appropriate thresholds
- Configure exclusions
- Use multiple scan types

2. Report Management

- Review reports regularly
- Track security trends
- Document false positives

3. Security Policies

- Define security standards
- Implement compliance checks
- Maintain audit logs

## Compliance

### Standards Support
- OWASP Top 10
- CWE / SANS Top 25
- PCI DSS
- HIPAA
- SOC 2

### Compliance Reporting

```yaml
security-compliance:
  extends: .security
  variables:
    SCAN_TYPE: 'compliance'
    COMPLIANCE_STANDARD: 'pci-dss'
```

## Troubleshooting

### Common Issues
1. Scan Failures

- Check scan logs
- Verify tool versions
- Review configurations

2. False Positives

- Document exceptions
- Update exclusions
- Tune thresholds

3. Performance Issues

- Optimize scan scope
- Adjust timeouts
- Use caching

## Support
Need help? Check our [Support Guide](../guide/support.md) or [create an issue](https://gitlab.bluefly.io/bluefly/internal-projects/llm/bfcicomponents/-/issues).