GitLab 17.3 - Rust Security Scanning Support

Introduction

GitLab has introduced exciting new features in its 17.3 release, enhancing support for security scanning in Rust applications. This update includes the addition of Rust dependency and license scanning to help secure your Rust-based applications, further enriching GitLab's robust security offerings.

Features Overview

In this release, GitLab has also enabled Static Application Security Testing (SAST) specifically for Rust. This feature scans Rust source files (.rs files) to identify any vulnerabilities present in the code. The newly added analyzers integrate seamlessly with GitLab's vulnerability workflows, providing developers with comprehensive tools for application security.

Enabling Rust SAST Scanning

To enable Rust SAST scanning, you need a .gitlab-ci.yml file in your repository that specifies the configuration for SAST and dependency scanning. Here is a step-by-step process:

  1. Add the CI configuration file: Within your repository, create a .gitlab-ci.yml file.
  2. Define SAST Configuration: This file needs to specify a location for the Rust SAST rule set.
  3. CI/CD Components: Include components for dependency scanning that will scan your Cargo packages.

You can customize your CI/CD pipeline by overriding certain jobs within your .gitlab-ci.yml file:

  • Override the semgrep_sast job to run only when .rs files are present. This step is optional but can help optimize your pipeline.
  • Override the cargo generate sbom job to add artifacts and reports that populate GitLab with the vulnerabilities detected during scanning.
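A minimal .gitlab-ci.yml that ties these steps together, added here as an illustration rather than taken from GitLab's documentation. The dependency scanning component path and version, the cargo_generate_sbom job name, the rust image, the cargo-cyclonedx invocation and its output file name are assumptions, and the Rust SAST rule set location the article mentions is not shown because the page does not give a value for it.

```yaml
# .gitlab-ci.yml (added example, not GitLab's own sample configuration)
include:
  # GitLab's managed SAST template provides the semgrep_sast job.
  - template: Jobs/SAST.gitlab-ci.yml
  # Dependency scanning CI/CD component; the exact path and version
  # are assumptions, check the component catalog for your instance.
  - component: $CI_SERVER_FQDN/components/dependency-scanning/main@0

# Optional optimisation from the article: only run the Rust SAST
# scan when the repository actually contains .rs files.
semgrep_sast:
  rules:
    - exists:
        - "**/*.rs"

# Generate a CycloneDX SBOM from Cargo.lock and hand it to GitLab as a
# report artifact; dependency scanning reads it to find vulnerable crates
# and detected licenses. Job name, image and tool invocation are assumptions.
cargo_generate_sbom:
  stage: build
  image: rust:latest
  script:
    - cargo install cargo-cyclonedx
    - cargo cyclonedx --format json
  artifacts:
    paths:
      - "**/*.cdx.json"
    reports:
      cyclonedx:
        - "**/*.cdx.json"
```

The SBOM job must finish before the dependency scanning job runs, so keep it in an earlier stage than the component's jobs.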

Merging and Reporting Vulnerabilities

When a merge request is created that introduces new vulnerabilities, GitLab will display the licenses detected by its license compliance feature as well as the vulnerabilities found by its security scanners. These scans can be configured alongside GitLab security policies to prevent insecure code or incompatible licenses from being integrated into the production branch.

The detected vulnerabilities are organized by scanner type, with detailed information provided along with suggested remediation steps. These vulnerabilities are actionable; developers can either dismiss them or create an issue for further collaboration with team members.

If a merge request is approved despite containing vulnerabilities, these issues will still be recorded in the vulnerability report. This report aggregates all vulnerabilities identified within the default branch of the repository, providing easy visibility for developers.

Software Bill of Materials (SBOM)

The dependency list, also known as Software Bill of Materials (SBOM), will be updated to reflect the project's dependencies alongside any detected vulnerabilities and licenses. This SBOM is crucial for maintaining compliance and ensuring that all components in use are secure.

In conclusion, the new Rust scanning features in GitLab 17.3 provide developers with essential tools for ensuring the security and compliance of their Rust applications, enhancing overall software integrity.


Keywords

  • GitLab 17.3
  • Rust security scanning
  • SAST
  • Dependency scanning
  • Software Bill of Materials (SBOM)
  • Vulnerability management
  • License compliance

FAQ

Q1: What new features are available in GitLab 17.3 related to Rust?
A1: GitLab 17.3 introduces support for Rust dependency and license scanning, as well as SAST specifically for Rust files.

Q2: How do I enable Rust SAST scanning in GitLab?
A2: To enable Rust SAST scanning, you need to add a configuration to the .gitlab-ci.yml file in your project directory that specifies the Rust SAST rule set location and includes the necessary CI/CD components for dependency scanning.

Q3: What happens if vulnerabilities are detected in a merge request?
A3: If vulnerabilities are found, they will be listed in the merge request along with actionable steps for remediation or the option to dismiss them. If the merge request is merged with vulnerabilities, they will be added to the project’s vulnerability report.

Q4: How does GitLab help manage licenses?
A4: GitLab’s license compliance feature detects and reports on licenses associated with your dependencies, allowing for better management of compliance issues.

Q5: What is the Software Bill of Materials (SBOM) in relation to GitLab?
A5: The SBOM provides a list of all the project’s dependencies along with any detected vulnerabilities and their associated licenses, aiding in compliance and security auditing.