New CIS GitLab Benchmark scanner boosts security and compliance

3 weeks ago 2
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

GitLab's CIS Benchmark scanner, gitlabcis, is open source and available. The Python CLI tool audits a GitLab project against the Center for Internet Security (CIS) GitLab Benchmark, and delivers recommendations as code formatted in YAML.

In April, we introduced the CIS GitLab Benchmark to improve security and offer hardening recommendations to GitLab's customers. The benchmark is available for download from the CIS website.

In this article, you'll learn:

How to install and use the gitlabcis scanner

You can download and install the scanner using pip via pypi, or download the source code from our releases page.

pip install gitlabcis

The scanner takes one positional argument (URL) and then options. The format is: gitlabcis URL OPTIONS

# example: generate a json report gitlabcis \ https://gitlab.example.com/path/to/project \ -o results.json \ -f json

The full command line options can be found in the documentation.

GitLab CIS Benchmark scanner

gitlabcis scanner details

The team extracted all of the recommendation controls from the CIS GitLab Benchmark and created them in YAML to be used as controls as code.

Each control has its own dedicated function to enhance readability. This also allows an individual to observe how the control performs its audit.

Additionally, certain control functions have limitations. We have identified each of these, which can be found in our limitations document.

Currently, the tool only accepts a project URL input. It then only observes configuration at a project level. It does however support administrative controls.

  • For example, the 1.1.2 - Code Tracing control attempts to audit "... any change to code can be traced back to its associated task".
    • This can be achieved with crosslinking issues in merge requests.
    • Merge requests can be found at a project level, group level, or event instance level.
    • The scanner currently only checks at the project level.
  • See our roadmap, which aims to address this functionality gap.

Contribute to the gitlabcis scanner project.

GitLab scanner and product roadmap

The creation of the scanner allowed us to contribute two features back into the product with the help of the community.

We want to augment the scanner to be able to accept instances or groups as input. For example, if you host GitLab at: gitlab.example.com, this could be used as an input to check at the instance level if you are compliant against the CIS GitLab Benchmark and the same for groups.

Additionally, certain controls can be set at the instance or group level and trickle down to the project level. There is work ongoing to include this functionality into the scanner. Check out the epic for more information

One important aspect is incorporating this functionality into the GitLab product itself. The GitLab compliance team is working on incorporating the CIS GitLab Benchmark and other standards into the Compliance Adherence Report. This will allow customers real-time reviews of instances, groups, and projects across a wide set of standards, not just CIS.

Learn more about the CIS GitLab Benchmark in our public project.

Read Entire Article