Setting Up CI/CD for CloudDefense CLI in GitLab

Modified on Mon, 8 Dec at 10:12 PM

1. Overview


CloudDefense CLI can be integrated into your GitLab pipeline to automatically scan code for vulnerabilities during merges, commits, or scheduled scans. This ensures stronger security practices and early detection of issues.


2. Prerequisites


Before you begin, ensure you have the following:

  • A GitLab repository with CI/CD enabled
  • A GitLab Runner (shared or self-hosted)
  • CloudDefense API Key (store securely in GitLab Variables)
  • Basic knowledge of GitLab .gitlab-ci.yml

3. Configure GitLab CI/CD Variables


To securely store your CloudDefense API key:

  1. Navigate to your GitLab project.
  2. Go to Settings → CI/CD → Variables.
  3. Click Add Variable.
  4. Set the following values:


  Setting      Value
  ---------    ---------------------------
  Key          CDKEY
  Value        <your-clouddefense-api-key>
  Masked       ✓ (Checked)
  Protected    Optional


This variable will be used by your CI job without exposing it publicly.


4. Register or Use GitLab Runners


You may use either:

  • GitLab's shared runners, or
  • A self-hosted runner with custom tags (recommended for security scans)


For a self-hosted runner:


sudo gitlab-runner register


Provide the following information when prompted:

  • GitLab URL
  • Registration token (found in Settings → CI/CD → Runners)
  • Tags (e.g., cloud-defense)
  • Executor (shell or docker)
  • Description (optional)

5. Create .gitlab-ci.yml


Create or edit the file at the root of your repository:


.gitlab-ci.yml


Use the following CloudDefense integration template:


stages:
  - security_scan

variables:
  REPO_URL: "$CI_PROJECT_URL"
  SCAN_URL: "https://console.clouddefenseai.com"

security_scan:
  stage: security_scan
  image: ubuntu:22.04
  before_script:
    - apt-get update -y
    - apt-get install -y curl tar
  script:
    - echo "Downloading cdefense CLI"
    - curl -L -o /tmp/cd-latest-linux-x64.tar.gz "https://github.com/CloudDefenseAI/cd/releases/latest/download/cd-latest-linux-x64.tar.gz"
    - tar -C /usr/local/bin -xzf /tmp/cd-latest-linux-x64.tar.gz
    - chmod +x /usr/local/bin/cd-latest-linux-x64
    - echo "Running Cloud Defense scan"
    - BRANCH_NAME="${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME:-$CI_COMMIT_REF_NAME}"
    - echo "Detected branch $BRANCH_NAME"
    - cd-latest-linux-x64 online --api-key "$CDKEY" --repository-url "$CI_PROJECT_PATH" --type=GITLAB --branch-name="$BRANCH_NAME"
  rules:
    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'

6. How Scanning Works


During each pipeline run:

  1. The CI pulls the repository code.
  2. CloudDefense CLI is downloaded and extracted.
  3. The CLI scan is executed using the API Key from GitLab variables and the repository name from GitLab environment variables.
  4. Results are printed in job logs.


Note: If the CloudDefense CLI exits with an error (non-zero) exit code, the job fails and the pipeline fails with it, so code with findings cannot be merged unintentionally.
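One way to make the scan step from the template in section 5 and the fail-on-error behaviour described in section 6 explicit is the following POSIX shell wrapper, added here as an example (it is not code from the CloudDefense documentation or CLI). It reproduces the template's branch detection and its `rules:` check, refuses to run when CDKEY is missing, and passes the scanner's exit status through to the job unchanged. The binary name and flags are taken from the template; CD_BIN is an assumed environment override used only so the wrapper can be exercised without the real binary.

```shell
#!/bin/sh
# Added wrapper for the scan step (not part of the CloudDefense docs or CLI).
# It keeps the template's CLI name, flags and branch logic; CD_BIN is an
# assumed override that lets the wrapper be exercised without the real binary.

# Resolve the branch the same way the template does: the merge-request source
# branch when the job runs for an MR, otherwise the commit ref.
detect_branch() {
  printf '%s\n' "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME:-$CI_COMMIT_REF_NAME}"
}

# Fail early with a clear message when CDKEY was not added as a CI/CD variable;
# otherwise an empty key reaches the CLI and the cause is buried in its output.
require_api_key() {
  if [ -z "${CDKEY:-}" ]; then
    echo "CDKEY is not set; add it as a masked CI/CD variable" >&2
    return 1
  fi
}

# Mirror the template's rules: block so the decision is visible in the job log.
# Returns 0 when the job should scan (merge request targeting main), 1 otherwise.
should_scan() {
  [ "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:-}" = "main" ]
}

# Run the scan and return the CLI's exit status unchanged, so a non-zero
# status from the scanner fails the job exactly as described in section 6.
run_scan() {
  branch="$(detect_branch)"
  echo "Detected branch $branch"
  "${CD_BIN:-cd-latest-linux-x64}" online --api-key "$CDKEY" \
    --repository-url "$CI_PROJECT_PATH" --type=GITLAB --branch-name="$branch"
}

main() {
  require_api_key || return 1
  if ! should_scan; then
    echo "Not a merge request into main; skipping scan"
    return 0
  fi
  run_scan
}

# From the job's script step: sh run_cd_scan.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Because the job's `script:` step fails on the first non-zero command, calling the wrapper there preserves the template's behaviour while adding the explicit CDKEY check and a logged skip reason.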


7. Summary


You have successfully configured:

  • GitLab variables for secret handling
  • GitLab runner setup
  • A .gitlab-ci.yml file for CloudDefense scanning
  • Automated pipeline security scanning for every code change


This ensures secure development practices and early detection of vulnerabilities.
