RapidFort GitLab CI/CD Integration
Integrate RapidFort with your GitLab CI/CD Pipeline
Before getting started, make a note of your RapidFort host:
- On-Premises: the IP address of your RapidFort EC2 instance
- SaaS: `api.rapidfort.com`
First, verify that your GitLab runner meets the minimum requirements for installing the RapidFort CLI tools.
Install the RapidFort CLI tools on the GitLab runner. For example, you can add the following to the `script` section of a job in your `.gitlab-ci.yml` file:
```yaml
script:
  - |
    # Install the RapidFort CLI tools only if they are NOT already installed
    # (note the "!": without it the block would only run when rflogin is already present)
    if ! test -x "$(command -v rflogin)" ; then
      # Verify HTTPS connectivity to the RapidFort host before installation
      timeout 15 nc -vz <rapidfort_host> 443
      # Download and install the RapidFort CLI tools
      curl -ks https://<rapidfort_host>/cli/ | bash
    fi
```
Replace `<rapidfort_host>` with the host you noted above. Note that the `-k` flag makes `curl` skip TLS certificate verification, and the downloaded script is piped straight into `bash`; if your on-premises host uses a self-signed certificate, prefer installing its CA certificate on the runner and dropping `-k`, so that the installer cannot be substituted by anyone on the network path.
Next, generate a RapidFort access key and update the GitLab runner with it.
The GitLab runner can now log into RapidFort with `rflogin`, which uses the cached credentials. This eliminates the need to specify an email address and password.
The GitLab runner can also log into RapidFort by running `rflogin` with an email address and password:
```
rflogin <email_address> <password>
```
We do not recommend running this within your GitLab pipeline, since your password would be exposed in the GitLab job logs (and stored in your pipeline definition).
Update your build stage with the following steps:
1. Run `rflogin` to log into RapidFort
2. Run `rfstub` to generate a stub image
3. Push the stub image to your registry
```yaml
rfstub:
  stage: build
  script:
    - |
      # Log into RapidFort
      rflogin
      # Generate a stub image
      rfstub <docker_image:tag>
      # Push the stub image to your registry
      docker push <docker_image:tag>-rfstub
```
By default, `rfstub` appends `-rfstub` to the original image tag when generating a stub image. For example:
- Original Image: `example.com/my-repository:v1.2.3-20211020`
- Stub Image: `example.com/my-repository:v1.2.3-20211020-rfstub`
Update your test stages to run and test your stub images. This enables RapidFort to profile your containers at runtime.
Running stub images requires adding one or more Linux kernel capabilities. Grant them only to the stub image in your test environment; the hardened image you release later does not go through this step.
For example, to test your stub image (`<docker_image:tag>-rfstub`) on AWS Fargate, update the container's `linuxParameters` section in the task definition to add the `SYS_PTRACE` capability:
```json
"linuxParameters" : {
  "capabilities" : {
    "add" : ["SYS_PTRACE"],
    "drop" : null
  }
}
```
Update your harden stage with the following steps:
1. Run `rflogin` to log into RapidFort
2. Run `rfharden` on the stub image to generate a hardened image
3. Push the hardened image to your registry
```yaml
rfharden:
  stage: harden
  script:
    - |
      # Log into RapidFort
      rflogin
      # Generate a hardened image from the stub image
      rfharden <docker_image:tag>-rfstub
      # Push the hardened image to your registry
      docker push <docker_image:tag>-rfhardened
```
Note that `rfharden` takes the stub image as input, but by default names its output by appending `-rfhardened` to the original image tag (not to the `-rfstub` tag). For example:
- Original Image: `example.com/my-repository:v1.2.3-20211020`
- Hardened Image: `example.com/my-repository:v1.2.3-20211020-rfhardened`
Update your test stages to run your tests against the hardened images as well, prior to releasing them to production.
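The steps above fit together into one pipeline. The following `.gitlab-ci.yml` is an added, illustrative example and is not RapidFort's own sample. It assumes a runner using the shell executor that already has `docker`, `bash`, `curl` and `nc` installed; that `RF_HOST` is defined as a CI/CD variable holding your RapidFort host; that the access key has already been installed on the runner so that `rflogin` without arguments uses the cached credentials; that images are pushed to the project's GitLab container registry using the predefined `CI_REGISTRY_*` variables; and that `./run-tests.sh` is a hypothetical script that exercises a running container by name. It also uses `docker run --cap-add SYS_PTRACE` in place of the Fargate task definition shown above, since the capability requirement is the same wherever the stub runs.

```yaml
# Added example: end-to-end RapidFort pipeline (not RapidFort's own configuration).
# Assumptions: shell executor with docker/bash/curl/nc present; RF_HOST set as a
# CI/CD variable; RapidFort access key already installed on the runner;
# ./run-tests.sh is a hypothetical test script that takes a container name.
variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

stages:
  - build
  - test
  - harden
  - test-hardened

# Shared setup: install the CLI only when missing, log into the registry.
.rf_setup:
  before_script:
    - |
      if ! test -x "$(command -v rflogin)" ; then
        # Fail fast if the RapidFort host is unreachable on 443
        timeout 15 nc -vz "$RF_HOST" 443
        # No -k: the runner is assumed to trust the host's certificate
        curl -fsS "https://$RF_HOST/cli/" | bash
      fi
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

build:
  stage: build
  extends: .rf_setup
  script:
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"
    # rflogin uses the cached credentials; no email/password in the job log
    - rflogin
    # Produces ${IMAGE}-rfstub alongside the original image
    - rfstub "$IMAGE"
    - docker push "${IMAGE}-rfstub"

test_stub:
  stage: test
  extends: .rf_setup
  script:
    # SYS_PTRACE is required for the stub's runtime profiling; grant it here only
    - docker run -d --name stub --cap-add SYS_PTRACE "${IMAGE}-rfstub"
    - ./run-tests.sh stub
    - docker stop stub

harden:
  stage: harden
  extends: .rf_setup
  script:
    - rflogin
    # Input is the stub image; output is named from the original tag: ${IMAGE}-rfhardened
    - rfharden "${IMAGE}-rfstub"
    - docker push "${IMAGE}-rfhardened"

test_hardened:
  stage: test-hardened
  extends: .rf_setup
  script:
    # The hardened image runs without the extra capability
    - docker run -d --name hardened "${IMAGE}-rfhardened"
    - ./run-tests.sh hardened
    - docker stop hardened
```

Each job that calls a RapidFort command runs `rflogin` first, matching the page's build and harden snippets, and only the `test_stub` job adds `SYS_PTRACE`, so the capability never reaches the hardened image that `test_hardened` validates before release.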