Cohesion integrates directly into GitLab CI. Cohesion results are not only available as artifact files, which can be downloaded and previewed independently, but can also be displayed on the GitLab Merge Request screen. This is particularly useful when you want to ensure that proposed changes pass certain security quality-control gates before being merged into the master branch or other sensitive branches. This feature is available regardless of the GitLab license in use.

GitLab CI Configuration

The following .gitlab-ci.yml can be used as a starting point.

stages:
  - build
  - test
  - cohesion
  - deploy

build:
  stage: build
  script:
    - ./scripts/build_application

test:
  stage: test
  script:
    - ./scripts/test_application

cohesion:
  stage: cohesion
  image:
    name: "node:12-alpine"
  allow_failure: true
  script:
    - npm install --unsafe-perm=true -g @secapps/cohesion
    - ./scripts/start_application &
    - PID=$!
    - cohesion scanner --export-junit rspec.xml --wait http://localhost:8080 http://localhost:8080
    - kill $PID
  artifacts:
    reports:
      junit: rspec.xml

deploy:
  stage: deploy
  script:
    - ./scripts/deploy_application

The example above sets up four stages: "build", "test", "cohesion" and "deploy". Each stage runs only if the previous stage succeeds, so the "cohesion" stage runs only after both "build" and "test" have passed. Note that allow_failure: true on the cohesion job means a failed scan is reported in the pipeline and the Merge Request but does not block the pipeline; remove it, or set it to false, if the scan is meant to be a hard gate rather than advisory feedback.

The cohesion job installs Cohesion inside the Node.js Alpine image (node:12-alpine). This is just one way to do it; you could use a pre-built image or the default image we offer instead. See the Getting Started tutorial for more information on how to install Cohesion.

Once the installation is complete, the application is started locally in the background with the ./scripts/start_application script, and its process ID is saved in PID so the application can be stopped once the scan is done.

Finally, Cohesion is started. This step is particularly important, as the command line carries the configuration that makes the scanner behave as desired. Breaking the command line down into its individual components, we get the following:

cohesion scanner \             # start cohesion with the scanner tool
--export-junit rspec.xml \     # export the results in JUnit format, more on that later
--wait http://localhost:8080 \ # wait for the application to become available before the scan starts
http://localhost:8080          # the target to scan

Keep in mind that you need to declare the JUnit file as a report in the artifacts section of the job if you want the results to appear on the Merge Request screen:

  artifacts:
    reports:
      junit: rspec.xml

Merge Requests

It is particularly important to provide feedback within the workflows developers already use. This is easy to achieve as long as the tool of choice generates files in the JUnit report format, which GitLab renders on the Merge Request screen. Cohesion supports this format out of the box. This feature is available regardless of the GitLab license in use; in other words, you can use Cohesion with the Community Edition as well as the Gold and Ultimate editions.

[Screenshot: GitLab Merge Request screen showing the JUnit results]
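Because GitLab only renders the JUnit report and, with allow_failure: true, does not block the pipeline on it, a practitioner may want an explicit gate that fails the job when the report contains findings. The following is an added example, not part of this page or of Cohesion itself: a standard-library Python script that parses a JUnit XML report and returns a non-zero exit status when the number of failed test cases exceeds a threshold. The embedded JUNIT_SAMPLE is a constructed report used only for illustration; it follows the common testsuite/testcase/failure element layout of JUnit XML rather than reproducing Cohesion's exact output, and the script name junit_gate.py and the check names are assumptions.

```python
# Added example (not Cohesion's own code): gate a CI job on a JUnit XML report.
# Standard library only, so it runs inside the node:12-alpine job as long as
# python3 is available there (assumption).
import sys
import xml.etree.ElementTree as ET

# Constructed sample report, not real Cohesion output. It uses the generic
# JUnit XML layout: <testsuites> / <testsuite> / <testcase> with an optional
# <failure> or <error> child marking a failed check.
JUNIT_SAMPLE = """<testsuites>
  <testsuite name="cohesion" tests="3" failures="2" errors="0">
    <testcase classname="http://localhost:8080/" name="missing-x-frame-options">
      <failure message="X-Frame-Options header not set">Clickjacking protection missing</failure>
    </testcase>
    <testcase classname="http://localhost:8080/login" name="cookie-without-httponly">
      <failure message="Session cookie lacks HttpOnly"/>
    </testcase>
    <testcase classname="http://localhost:8080/" name="content-type-present"/>
  </testsuite>
</testsuites>
"""


def summarize_junit(xml_text):
    """Parse a JUnit XML document.

    Returns (total_cases, failed_count, failed) where failed is a list of
    (classname, name, message) tuples for every testcase carrying a
    <failure> or <error> child. Works whether the root is <testsuites> or a
    bare <testsuite>, because it iterates over all <testcase> descendants.
    """
    root = ET.fromstring(xml_text)
    total = 0
    failed = []
    for case in root.iter("testcase"):
        total += 1
        problem = case.find("failure")
        if problem is None:
            problem = case.find("error")
        if problem is not None:
            failed.append((case.get("classname", ""),
                           case.get("name", ""),
                           problem.get("message", "")))
    return total, len(failed), failed


def gate(xml_text, max_failures=0):
    """Return True when the report passes, i.e. failures <= max_failures."""
    _, failures, _ = summarize_junit(xml_text)
    return failures <= max_failures


def main(argv):
    # Usage: python3 junit_gate.py [report.xml] [max_failures]
    # With no arguments the constructed sample is used, so it runs offline.
    path = argv[1] if len(argv) > 1 else None
    threshold = int(argv[2]) if len(argv) > 2 else 0
    if path:
        with open(path, encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = JUNIT_SAMPLE
    total, failures, failed = summarize_junit(xml_text)
    for classname, name, message in failed:
        print(f"FAIL {name} at {classname}: {message}")
    print(f"{failures} of {total} checks failed (threshold {threshold})")
    # Non-zero exit fails the GitLab job, which blocks the pipeline unless
    # the job has allow_failure: true.
    return 0 if gate(xml_text, threshold) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it as a gate, add a line such as `python3 junit_gate.py rspec.xml 0` to the cohesion job's script after the scanner has run (and keep `kill $PID` before it, or run the gate in a separate job that consumes the rspec.xml artifact), and drop allow_failure: true so that a non-zero exit actually stops the merge. The JUnit file is still declared under artifacts.reports so the same findings appear on the Merge Request screen.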