DAST (Dynamic Application Security Testing)
DAST tests the deployed application by simulating attacks against it:

```yaml
include:
  - template: Security/DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: "https://staging.example.com"
  DAST_FULL_SCAN_ENABLED: "true"
  DAST_BROWSER_SCAN: "true"

# DAST with authentication
dast:
  variables:
    DAST_AUTH_URL: "https://staging.example.com/login"
    DAST_USERNAME: "test_user"
    DAST_PASSWORD_FIELD: "password"
    DAST_USERNAME_FIELD: "username"
    # DAST_PASSWORD is deliberately not set here: provide it as a masked CI/CD variable, not in this file
```
Container Scanning
```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  CS_SEVERITY_THRESHOLD: "CRITICAL"
```
Security Dashboard
The Security Dashboard centralizes all vulnerabilities:
- View per project and per group
- Filtering by severity (Critical, High, Medium, Low)
- Vulnerability status (Detected, Confirmed, Dismissed, Resolved)
- Tracking in merge requests
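To make the severity logic behind the Container Scanning threshold and the dashboard's severity filter concrete, here is an added example (not GitLab's code and not from the original page): a small Python script that reads a report in GitLab's security report JSON shape, counts findings per severity and applies a threshold the way CS_SEVERITY_THRESHOLD does. The embedded report and its package names are constructed for the example.

```python
import json

# Severity levels used in GitLab security reports, ordered from most to least severe.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample in the shape of gl-container-scanning-report.json; findings are invented.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "scan": {"type": "container_scanning"},
    "vulnerabilities": [
        {"id": "v1", "name": "Example heap overflow in libfoo", "severity": "Critical",
         "location": {"dependency": {"package": {"name": "libfoo"}, "version": "1.0"}}},
        {"id": "v2", "name": "Example info leak in libbar", "severity": "High",
         "location": {"dependency": {"package": {"name": "libbar"}, "version": "2.3"}}},
        {"id": "v3", "name": "Example weak default in baz", "severity": "Low",
         "location": {"dependency": {"package": {"name": "baz"}, "version": "0.9"}}},
    ],
})


def _rank(severity):
    """Lower rank means more severe; anything not in the list is treated as Unknown."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER) - 1


def count_by_severity(report_json):
    """Per-severity counts, the same breakdown the dashboard's severity filter exposes."""
    report = json.loads(report_json)
    counts = {level: 0 for level in SEVERITY_ORDER}
    for vuln in report.get("vulnerabilities", []):
        counts[SEVERITY_ORDER[_rank(vuln.get("severity", "Unknown"))]] += 1
    return counts


def findings_at_or_above(report_json, threshold):
    """Findings whose severity is at least `threshold` (e.g. "Critical" or "High")."""
    limit = _rank(threshold)
    report = json.loads(report_json)
    return [v for v in report.get("vulnerabilities", [])
            if _rank(v.get("severity", "Unknown")) <= limit]


def gate_passes(report_json, threshold):
    """True when no finding reaches the threshold, i.e. the pipeline gate would let the image through."""
    return not findings_at_or_above(report_json, threshold)


if __name__ == "__main__":
    print(count_by_severity(SAMPLE_REPORT))
    for v in findings_at_or_above(SAMPLE_REPORT, "High"):
        print(v["severity"], v["name"], v["location"]["dependency"]["package"]["name"])
    print("gate passes at Critical:", gate_passes(SAMPLE_REPORT, "Critical"))
```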
Security policies

```yaml
# .gitlab/security-policies/policy.yml
---
scan_execution_policy:
  - name: Enforce SAST and Secret Detection
    enabled: true
    rules:
      - type: pipeline
        branches:
          - main
          - develop
    actions:
      - scan: sast
      - scan: secret_detection
      - scan: dependency_scanning
```

Important: configure security policies to enforce scans on critical branches, even if developers do not include them in their .gitlab-ci.yml.