Running Fixinator on GitLab - foundeo/fixinator GitHub Wiki

Want to Scan your CFML / ColdFusion code for security vulnerabilities with GitLab? Great, here's how:

  1. Go to your project page in GitLab
  2. Go to Settings and click on CI / CD then click Expand on Environment Variables. Add your FIXINATOR_API_KEY value and turn on Protected (this prevents the key from being logged in the output). You can get an API key here.
  3. Click the Set up CI/CD button (this is really just a shortcut for creating a file called .gitlab-ci.yml)
  4. Create the Build Script (see Example Build Script)

Example Build Script

image: openjdk:11

before_script:
  - curl --location -o /tmp/box.zip https://www.ortussolutions.com/parent/download/commandbox/type/bin
  - unzip /tmp/box.zip -d /tmp/
  - chmod a+x /tmp/box
  - /tmp/box install fixinator

fixinator: 
  script:
    - /tmp/box fixinator path=. confidence=high

Integrating with GitLab Static Application Security Testing (SAST)

You can configure fixinator in your GitLab pipeline to output results in the SAST format, which GitLab understands as a security vulnerability. Here's an example:

GitLab SAST example

To accomplish this we tell fixinator to write a report file which GitLab will pickup and process for us, here is an example pipeline:

image: openjdk:11

before_script:
  - curl --location -o /tmp/box.zip https://www.ortussolutions.com/parent/download/commandbox/type/bin
  - unzip /tmp/box.zip -d ~/
  - chmod a+x ~/box
  - ~/box install fixinator

fixinator: 
  script:
    - ~/box fixinator path=. confidence=low severity=low resultFormat=sast resultFile=fixinator-sast-report.json failOnIssues=false
  artifacts:
    paths:
      - fixinator-sast-report.json 
    reports:
      sast: fixinator-sast-report.json

Here is an example GitLab repository job result.

Note: For SAST reports to show up on your GitLab Dashboard you must be on the GitLab Ultimate Plan. It also works on Public Projects (but you wouldn't want to set your project to public, unless it is open source). If you don't want to upgrade, you should be able to get the Fixinator results to show up in the tests tab by using JUnit, let us know if you'd like us to create an example for that.

Using a Windows Runner

If you are using a windows GitLab CI runner, you can rewrite the before_script section to use powershell to download box.exe and install the fixinator client like this:

Invoke-WebRequest -PassThru -Uri https://www.ortussolutions.com/parent/download/commandbox/type/windows-jre64 -OutFile ~/box.zip
Expand-Archive -Path ~/box.zip -DestinationPath ~/
~/box install fixinator