GitLab Issues
Integrating Invicti Platform with GitLab Issues streamlines your vulnerability management by automatically creating and tracking security issues within your GitLab projects. This integration enables seamless collaboration between development and security teams, ensuring vulnerabilities are identified, assigned, and resolved efficiently.
This document walks you through the steps required to connect Invicti with GitLab, configure issue tracking, and automate vulnerability reporting.
Prerequisites
Before integrating Invicti with GitLab, ensure you have completed the following prerequisites:
- Active GitLab Account: You must have an active GitLab account.
- Project Setup: Create a project that houses the source code for your target web application.
- Personal Access Token: Generate a Personal Access Token to securely establish communication between Invicti and your GitLab repository.
- API Access Verification: Confirm that your GitLab system allows incoming API requests from online.acunetix.com or app.invicti.com (for EU-based customers: app-eu.invicti.com).
Integrating Invicti Platform with GitLab involves the following steps:
- Create an Access Token
- Create GitLab labels
- Configure Invicti
- Configure a Target to report issues to your issue tracker
- Submit vulnerabilities to GitLab
Step 1: Create an access token
- From your GitLab profile dropdown, click Preferences.
- Navigate to the Access tokens option within the User settings menu.
- Click Add new token.
- On the Personal Access Tokens page:
- In the Name field, enter Invicti Integration for identification purposes.
- Set the Expiration date according to your requirements.
- In the Scopes section, select api.
- Scroll to the bottom of the page and click Create personal access token.
- Ensure you keep a copy of the token as it cannot be retrieved after leaving the page. Losing the token will necessitate creating a new one and repeating the process.
Step 2: Create GitLab labels
- Open the GitLab project where the discovered issues are going to be sent.
- Select Manage > Labels from the left-side menu.
- Use the New label button to create new labels. These will be used during Invicti configuration.
- Refer to the screenshot below for an example of GitLab labels.
Step 3: Configure Invicti
- In Invicti, select Integrations from the left-side menu.
- Switch to the All integrations tab.
- Scroll down to Issue trackers and select Configure on the GitLab issues tile.
- In the Configure and authorize section:
- Enter a name for your integration. For this example, we have used GitLab and Invicti integration.
- Fill in the GitLab base URL.
- Under Authentication type, enter your Account Email and the Personal Access Token you generated in Step 1.
- Click Validate account, which loads your projects and issue types.
- In the Project mappings section, provide the following details:
- Project: The GitLab project where the discovered vulnerabilities will be sent.
- Issue type: The issue type to be assigned to all reported vulnerabilities.
- Issue title formatting: Choose the format for the issue title.
- Included details: Use the drop-down menu to select the information to include in the issue details.
- Optionally, select Yes to include a link to the report and attach a PDF report.
- Click Next.
- In the Issue mappings section, assign Field values and Field mappings.
- Field values: Here, you decide whether the issue is to be marked as confidential, who the assignee will be, and what the due date should be. The due date is calculated from the date the vulnerability is reported. You can also assign any GitLab labels.
- Field mappings: Map Invicti Vulnerability Severities to GitLab Issues Labels.
- Click Create sample issue to test the configuration. A green Success message appears at the top of the page.
- The vulnerability is now created in the specified GitLab project.
- In Invicti, click Save and finish to complete the GitLab integration.
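As an added example (not Invicti's or GitLab's own code), the following Python sketches how the Step 3 Field values and Field mappings turn one finding into the body of a GitLab create-issue request. The finding, the assignee id and the label names are constructed assumptions; only the request parameter names are GitLab's.

```python
# Added example, not Invicti's or GitLab's own code: build the body of a GitLab
# "create issue" request (POST /projects/:id/issues) from the Step 3 settings.
# The finding dict and ids below are constructed; the real export format may differ.
from datetime import date, timedelta

# Field mappings: Invicti severity -> GitLab label created in Step 2.
SEVERITY_LABELS = {
    "Critical": "severity::critical",
    "High": "severity::high",
    "Medium": "severity::medium",
    "Low": "severity::low",
}

# Field values: confidential flag, assignee, due-date offset, extra labels.
FIELD_VALUES = {
    "confidential": True,
    "assignee_ids": [42],    # constructed GitLab user id
    "due_in_days": 30,       # counted from the date the finding is reported
    "labels": ["invicti"],   # any additional GitLab labels
}

def build_issue_payload(finding, field_values=FIELD_VALUES,
                        severity_labels=SEVERITY_LABELS):
    """Return the GitLab issue request body for one finding; an unmapped
    severity raises so the gap is caught before anything reaches the tracker."""
    severity = finding["severity"]
    if severity not in severity_labels:
        raise ValueError(f"no GitLab label mapped for severity {severity!r}")
    reported = date.fromisoformat(finding["reported_on"])
    due = reported + timedelta(days=field_values["due_in_days"])
    labels = sorted(set(field_values["labels"]) | {severity_labels[severity]})
    return {
        "title": f"[{severity}] {finding['name']} at {finding['url']}",
        "description": finding["details"],
        "labels": ",".join(labels),   # GitLab takes a comma-separated string
        "confidential": field_values["confidential"],
        "assignee_ids": field_values["assignee_ids"],
        "due_date": due.isoformat(),  # GitLab expects YYYY-MM-DD
    }

# Constructed sample finding, not real scan output.
SAMPLE_FINDING = {
    "name": "Reflected Cross-site Scripting",
    "severity": "High",
    "url": "https://shop.example.test/search",
    "reported_on": "2024-03-01",
    "details": "Parameter q is reflected unencoded in the response body.",
}
```

A due date derived from the report date, as the page describes, makes SLA tracking in GitLab independent of when the issue was actually synced.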
Step 4: Submit vulnerabilities to GitLab
After identifying vulnerabilities, you can forward them to the designated issue tracker. There are two ways to do this:
- Manually, through the Vulnerabilities page
- Automatically, using Automations
The process is consistent across all supported issue trackers. For detailed instructions, refer to the linked documents above.