How to configure Gitlab with S4
Follow these steps to set up S4 to scan your GitLab repository in response to GitLab events.

1. Start by retrieving the S4 Web Secret specific to your Salesforce org. In a browser, go to https://s4.digitsec.com and sign in.
2. After logging in, find the Salesforce org you wish to scan. Open the collapsible function menu and select Edit Org Info.
3. On the Edit Org Information page, click the GitLab tab. The first time you open it, your GitLab Secret is shown in cleartext. Use the clipboard icon to copy the field contents. Leave this browser window open on this page; you will return to it in Step 12.
4. Open a new browser window and log in to https://gitlab.com. Find the repository to integrate with S4 and click on it.
5. On the left-hand navigation bar, hover over the Settings tab to expand its sub-menu and click Webhooks.
6. Create a new webhook for this repository pointed at https://s4.digitsec.com/gitlab/webhooks/<GitLab Secret>. This URL (including the GitLab Secret) was copied to your clipboard in Step 3, so you can paste it into the URL field. Your webhook URL should look similar to the screenshot below.
7. Below the URL field is a list of Triggers. The currently supported trigger is the Merge request trigger, as shown in the screenshot below.
8. Once the trigger is selected, check Enable SSL verification and click the "Add webhook" button at the bottom of the page.
9. Next, create a Personal Access Token (PAT). Click your profile picture in the top right of GitLab and select Preferences.
10. Find Access Tokens in the left bar.
11. Generate an access token. Enter a Name and an Expiration Date that meet your needs. To work with S4, the required Scopes are api, read_repository and write_repository; make sure the checkbox next to each of these is selected. Click the Create Personal Access Token button. The page refreshes and displays the PAT near the top. Select and copy it to your clipboard; you will need it when you return to S4.
12. Return to the S4 browser window from Step 3. You will add your GitLab PAT to the Salesforce Org Info screen in S4. If you closed the window, find the org you wish S4 to scan, open the Function menu by clicking the ellipsis in its row, and click Edit Org Info.
13. Enter your Username, Repo Name, GitLab PAT Name and GitLab PAT. Use the same Name you entered in Step 11, and paste the PAT value from your clipboard. Select the check box if you want S4 to create a pull request.
14. To verify that the integration works, take an action that activates the trigger you selected (for testing, try changing the title of your PR). The scan begins immediately, and S4 posts a "scan started" comment on your PR.
15. Scans typically take between 5 and 15 minutes. When the scan completes, S4 sends a notification email that includes a link to your S4 Findings Detail Report.
16. S4 posts its results as comments on the pull request, as shown in the screenshot below:
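The webhook settings in the steps above (an https URL on s4.digitsec.com carrying the GitLab Secret, the Merge request trigger, SSL verification enabled) are worth re-checking after setup, since the secret travels in the URL. The following Python example is added here and is not part of the S4 or GitLab documentation: it audits a project's hook list in the shape returned by GitLab's GET /projects/:id/hooks API and redacts the embedded secret before reporting; the hook list and the secret values in it are constructed placeholders.

```python
from urllib.parse import urlsplit

S4_HOST = "s4.digitsec.com"
S4_PATH_PREFIX = "/gitlab/webhooks/"

# Constructed sample in the shape of GET /projects/:id/hooks: one hook that
# follows the guide, one misconfigured S4 hook, one unrelated hook.
# The secret values are placeholders, not real S4 secrets.
SAMPLE_HOOKS = [
    {"id": 1, "url": "https://s4.digitsec.com/gitlab/webhooks/EXAMPLE-SECRET-1",
     "merge_requests_events": True, "push_events": False,
     "enable_ssl_verification": True},
    {"id": 2, "url": "http://s4.digitsec.com/gitlab/webhooks/EXAMPLE-SECRET-2",
     "merge_requests_events": False, "push_events": True,
     "enable_ssl_verification": False},
    {"id": 3, "url": "https://ci.example.test/hook",
     "merge_requests_events": True, "push_events": True,
     "enable_ssl_verification": True},
]


def is_s4_hook(hook):
    """True when the hook points at the S4 webhook endpoint (any scheme)."""
    parts = urlsplit(hook["url"])
    return parts.hostname == S4_HOST and parts.path.startswith(S4_PATH_PREFIX)


def redact_url(url):
    """Replace the GitLab Secret path segment so reports never log it."""
    parts = urlsplit(url)
    if parts.path.startswith(S4_PATH_PREFIX):
        return parts._replace(path=S4_PATH_PREFIX + "<redacted>").geturl()
    return url


def audit_hook(hook):
    """Return findings against the guide's settings; [] means compliant."""
    findings = []
    parts = urlsplit(hook["url"])
    if parts.scheme != "https":
        findings.append("secret-bearing URL is not https")
    if len(parts.path) <= len(S4_PATH_PREFIX):
        findings.append("URL is missing the GitLab Secret")
    if not hook.get("enable_ssl_verification", False):
        findings.append("SSL verification disabled")
    if not hook.get("merge_requests_events", False):
        findings.append("merge request trigger not enabled")
    if hook.get("push_events", False):
        findings.append("push trigger enabled but not supported by S4")
    return findings


def audit_project_hooks(hooks):
    """Map each S4 hook id to its redacted URL and findings."""
    return {h["id"]: {"url": redact_url(h["url"]), "findings": audit_hook(h)}
            for h in hooks if is_s4_hook(h)}
```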