RapidFort GitLab CI/CD Integration
Integrate RapidFort with your GitLab CI/CD Pipeline

GitLab Runner Prerequisites

Before getting started, make a note of your RapidFort host.
  • On-Premises: IP address of your RapidFort EC2 instance
  • SaaS: api.rapidfort.com

Install the RapidFort CLI Tools

First, verify that your GitLab runner meets the minimum requirements for installing the RapidFort CLI tools.
Install the RapidFort CLI tools on the GitLab runner. For example, you can add the following code to your .gitlab-ci.yml file:
    script:
      - |
        # Install the RapidFort CLI tools only if they are not already installed
        if ! test -x "$(command -v rflogin)" ; then
          # Verify HTTPS connectivity to the RapidFort host before installation
          timeout 15 nc -vz <rapidfort_host> 443
          # Download and install the RapidFort CLI tools
          # (-k skips TLS certificate verification; omit it if the host presents a trusted certificate)
          curl -ks https://<rapidfort_host>/cli/ | bash
        fi

Generate a RapidFort Access Key

Next, generate a RapidFort access key and update the GitLab runner.
The GitLab runner can now log into RapidFort with rflogin, which will use the cached credentials. This eliminates the need to specify an email address and password.
The GitLab runner can also log into RapidFort by running rflogin with an email address and password:
    rflogin <email_address> <password>
We do not recommend running this within your GitLab pipeline since your password will be exposed in the GitLab logs.

GitLab Pipeline Integration

Generate Stub Images

Update your build stage with the following:
  1. Run rflogin to log into RapidFort
  2. Run rfstub to generate a stub image
  3. Push the stub image to your registry

    rfstub:
      stage: build
      script:
        - |
          # Log into RapidFort
          rflogin
          # Generate a stub image
          rfstub <docker_image:tag>
          # Push the stub image to your registry
          docker push <docker_image:tag>-rfstub

By default, rfstub will append -rfstub to the original image tags when generating a stub image. For example:
  • Original Image: example.com/my-repository:v1.2.3-20211020
  • Stub Image: example.com/my-repository:v1.2.3-20211020-rfstub

Test Your Stub Images

Update your test stages to run and test your stub images. This enables RapidFort to profile your containers at runtime.
Running stub images requires adding one or more Linux kernel capabilities.

AWS Fargate

Update your AWS Fargate task definition to test your stub image (<docker_image:tag>-rfstub) and add the SYS_PTRACE capability to the linuxParameters section:
    "linuxParameters" : {
      "capabilities" : {
        "add" : ["SYS_PTRACE"],
        "drop" : null
      }
    }
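
A pre-deploy check for the capability setting above, as an added example that is not RapidFort's own tooling: it flags stub containers that lack SYS_PTRACE and, on the assumption that only stub images need the capability, non-stub containers that still carry it. The function names and the sample task definition are constructed for illustration.

```python
import json

STUB_SUFFIX = "-rfstub"       # default suffix rfstub appends, per this page
PROFILING_CAP = "SYS_PTRACE"  # capability this page adds for stub images


def added_caps(container):
    """Capabilities a container definition adds; tolerates absent/null keys."""
    linux = container.get("linuxParameters") or {}
    caps = linux.get("capabilities") or {}
    return set(caps.get("add") or [])


def audit_task_definition(task_def):
    """Return sorted (container_name, finding) tuples for one task definition."""
    findings = []
    for c in task_def.get("containerDefinitions") or []:
        name = c.get("name", "<unnamed>")
        # Ignore a trailing @sha256:... digest when looking at the tag suffix.
        image = c.get("image", "").split("@", 1)[0]
        caps = added_caps(c)
        if image.endswith(STUB_SUFFIX):
            if PROFILING_CAP not in caps:
                findings.append((name, "stub image is missing SYS_PTRACE"))
            for cap in sorted(caps - {PROFILING_CAP}):
                findings.append((name, "unexpected capability " + cap))
        elif PROFILING_CAP in caps:
            # Assumption: only stub images need SYS_PTRACE.
            findings.append((name, "SYS_PTRACE left on a non-stub image"))
    return sorted(findings)


# Constructed sample task definition (not from the RapidFort documentation).
SAMPLE = json.loads("""
{"containerDefinitions": [
  {"name": "api-test", "image": "example.com/my-repository:v1.2.3-20211020-rfstub",
   "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE"], "drop": null}}},
  {"name": "worker-test", "image": "example.com/my-repository:v1.2.3-20211020-rfstub"},
  {"name": "api-prod", "image": "example.com/my-repository:v1.2.3-20211020-rfhardened",
   "linuxParameters": {"capabilities": {"add": ["SYS_PTRACE"], "drop": null}}}
]}
""")

if __name__ == "__main__":
    for name, finding in audit_task_definition(SAMPLE):
        print(f"{name}: {finding}")
```

Running it in the pipeline before the task definition is registered catches a test configuration that was copied into a production task unchanged.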

Generate Hardened Images

Update your harden stage with the following:
  1. Run rflogin to log into RapidFort
  2. Run rfharden to generate a hardened image
  3. Push the hardened image to your registry

    rfharden:
      stage: harden
      script:
        - |
          # Log into RapidFort
          rflogin
          # Generate a hardened image from the stub image
          rfharden <docker_image:tag>-rfstub
          # Push the hardened image to your registry
          docker push <docker_image:tag>-rfhardened

By default, rfharden will append -rfhardened to the original image name when generating a hardened image. For example:
  • Original Image: example.com/my-repository:v1.2.3-20211020
  • Hardened Image: example.com/my-repository:v1.2.3-20211020-rfhardened

Test Your Hardened Images

Update your test stages to run tests on your hardened images prior to releasing them to production.