Configure Self-Managed GitLab For On-Prem Scanning

This page guides you through configuring your GitLab Self-Managed instance to use Data Theorem’s SAST scanning without sharing your code with Data Theorem. It creates AWS resources that run a container-based SAST scanner provided by Data Theorem. The SAST scan results will be visible in the Data Theorem portal.

Please reach out to support@datatheorem.com if you need help!

Installation

Requirements

  • The GitLab installation must be exposed to the internet

  • The user following these instructions must have administrator permissions to the GitLab instance

  • AWS Account with Admin Access


Step 1: Create A Data Theorem App In GitLab

Start with creating the GitLab application for the Data Theorem integration:

  • Log into the GitLab instance

  • Open “Applications” in the Admin Area

  • Create a new instance-wide application with the following settings

    • Name: Data Theorem SAST

    • Redirect URI: https://www.securetheorem.com/gitlab-integration/onboarding

    • Trusted: checked

    • Confidential: checked

    • Scopes: api and read_repository

We will update the “Redirect URI” value to the URI of our AWS Lambda handler in a later step. We use this value as a secure placeholder; OAuth redirects will not be sent to this URI.

  • Click “Save application”

  • Securely make a note of the Application ID, Secret, and instance URL (from the address bar of your browser). You will need to enter these values in the next step.


Step 2: Create AWS Resources

Open the AWS CloudFormation Quick Create Link you received from Data Theorem, and sign in to the AWS account where you want the SAST scanning resources to be created.

Fill in the following template parameters:

  • GitLabInstanceUrl: Enter the URL of your GitLab instance

  • GitLabAppClientId: Enter the “Application ID” from Step 1

  • GitLabAppClientSecret: Enter the “Secret” from Step 1


Step 3: Configure The GitLab System Hook

The system hook notifies the GitLab integration of changes to any of the repositories covered by the integration.

Configuration steps:

  • Log into the GitLab instance

  • Navigate to “System Hooks” in the Admin Area

  • Create a new system hook with the following settings:

    • URL: Copy/Paste the CloudFormation Stack Output named GitLabSystemHookUrl

    • Secret Token: Copy/Paste the CloudFormation Stack Output named GitLabSystemHookSecret

    • Trigger:

      • Check “Repository update events”

      • Check “Merge request events”

    • Check “SSL verification”
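The Secret Token entered above is what lets the receiving endpoint tell a genuine GitLab delivery from anything else that can reach the URL. The following is an added example, not Data Theorem’s Lambda code, of the checks a system-hook receiver performs on each delivery: it verifies the token GitLab sends in the X-Gitlab-Token header with a constant-time comparison, confirms the X-Gitlab-Event header marks a system hook, and accepts only the two trigger types enabled in this step. The secret value and the two payloads are constructed stand-ins; the real secret is the GitLabSystemHookSecret stack output.

```python
"""Added example (not Data Theorem's code): validating deliveries from the
GitLab system hook configured in Step 3."""
import hmac
import json

# Constructed stand-in for the CloudFormation output GitLabSystemHookSecret.
EXPECTED_SECRET = "example-hook-secret-from-stack-output"

# Only the triggers enabled in Step 3 are expected from this hook.
ALLOWED_EVENT_NAMES = {"repository_update"}   # "Repository update events"
ALLOWED_OBJECT_KINDS = {"merge_request"}      # "Merge request events"


def header(headers, name):
    """Case-insensitive header lookup (API Gateway may lowercase header names)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def token_is_valid(headers, expected_secret=EXPECTED_SECRET):
    """GitLab sends the hook's Secret Token in X-Gitlab-Token.
    Compare in constant time so the check does not leak through timing."""
    presented = header(headers, "X-Gitlab-Token") or ""
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def classify_event(headers, body):
    """Return the event kind the payload represents, or None when it is not
    a system hook or not one of the triggers enabled in Step 3."""
    if header(headers, "X-Gitlab-Event") != "System Hook":
        return None
    if body.get("event_name") in ALLOWED_EVENT_NAMES:
        return body["event_name"]
    if body.get("object_kind") in ALLOWED_OBJECT_KINDS:
        return body["object_kind"]
    return None


def handle_delivery(headers, raw_body):
    """Lambda-style handler returning (status_code, message).
    Authenticate before parsing the body, then accept only expected events."""
    if not token_is_valid(headers):
        return 401, "invalid or missing X-Gitlab-Token"
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, "body is not JSON"
    kind = classify_event(headers, body)
    if kind is None:
        return 202, "ignored: event not enabled for this hook"
    return 200, f"accepted {kind}"


# Constructed sample deliveries (shapes follow GitLab's documented payloads).
GOOD_HEADERS = {"X-Gitlab-Event": "System Hook", "X-Gitlab-Token": EXPECTED_SECRET}
REPO_UPDATE = json.dumps({
    "event_name": "repository_update",
    "project_id": 42,
    "changes": [{"before": "0" * 40, "after": "1" * 40, "ref": "refs/heads/main"}],
})
MR_EVENT = json.dumps({"object_kind": "merge_request", "event_type": "merge_request"})
OTHER_EVENT = json.dumps({"event_name": "user_create"})

if __name__ == "__main__":
    print(handle_delivery(GOOD_HEADERS, REPO_UPDATE))
    print(handle_delivery({**GOOD_HEADERS, "X-Gitlab-Token": "wrong"}, REPO_UPDATE))
    print(handle_delivery(GOOD_HEADERS, OTHER_EVENT))
```

Rejecting the token before the body is parsed keeps unauthenticated requests away from the JSON parser, and treating unexpected event types as “ignored” rather than as errors means a later change to the hook’s triggers in GitLab does not surface as failed deliveries.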


Step 4: Update The GitLab App OAuth Redirect URI

  • Open “Applications” in the Admin Area

  • Edit the Data Theorem SAST application and update the Redirect URI setting

    • Redirect URI: Copy/Paste the CloudFormation Stack Output named GitLabOAuthRedirectUri