
GitLab Security Scan Workflow

This workflow runs all phases of security scanning using the unified hashsecured_scan template. Each phase is independent and targets a specific stage of your application lifecycle.


Pre-phase: Static Application Security Testing (SAST)

Analyzes source code for vulnerabilities, hardcoded secrets, and compliance issues before build/deployment.

```yaml
stages:
  - security_scan

include:
  - project: 'clockhash-kiran/security-templates'
    file: '/hashsecured_scan.yml'

pre_phase_scan:
  extends: .hashsecured_scan
  variables:
    PHASE: "pre"
    TARGET_URL: "gitlab.com/your-org/your-repo-name"
    USER_ID: "YOUR_USER_ID"
    PROJECT_ID: "YOUR_PROJECT_ID"
    API_TOKEN: "$HASHSECURED_API_TOKEN"
    BRANCH: "master"            # Optional
    BREAK: "true"               # Optional
    TOOLS: "semgrep,gitleaks"   # Optional
```

Mid-phase: Container Scan

Scans container images for vulnerabilities before deployment.

```yaml
mid_phase_scan:
  extends: .hashsecured_scan
  variables:
    PHASE: "mid"
    TARGET_URL: "nginx:latest"
    USER_ID: "YOUR_USER_ID"
    PROJECT_ID: "YOUR_PROJECT_ID"
    API_TOKEN: "$HASHSECURED_API_TOKEN"
```

Post-phase: Deployment Scan

Performs security checks against live deployments.

```yaml
post_phase_scan:
  extends: .hashsecured_scan
  variables:
    PHASE: "post"
    TARGET_URL: "https://example.com"
    USER_ID: "YOUR_USER_ID"
    PROJECT_ID: "YOUR_PROJECT_ID"
    API_TOKEN: "$HASHSECURED_API_TOKEN"
```

Optional Parameters

| Parameter | Type | Phase | Description | Default |
|---|---|---|---|---|
| break | true/false | All | Fail the pipeline if HIGH/CRITICAL vulnerabilities are found | true |
| tools | string (comma-separated) | All | Override default tools for the phase | Uses default tools for phase |
| branch | string | Pre-phase | Branch to scan for SAST | main |
| pat | string | Pre-phase | Personal Access Token for private repos | None |
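The phase, variable and optional-parameter rules above can be checked before a pipeline ever runs. The following lint is an added example, not part of the Hashsecured template: it takes a parsed `.gitlab-ci.yml` (the dict `yaml.safe_load` would return) and flags jobs extending `.hashsecured_scan` whose secrets are literals rather than `$VARIABLE` references, whose `BREAK` is disabled, or that set pre-phase-only parameters in another phase. The variable set treated as required is the one every example on this page sets, and the uppercase `PAT` spelling is assumed from the parameter table.

```python
# Added lint for hashsecured_scan jobs (illustrative, not part of the Hashsecured template).
# Input: the parsed .gitlab-ci.yml as a dict, as yaml.safe_load would return it.
from typing import Dict, List

VALID_PHASES = {"pre", "mid", "post"}
REQUIRED = ("PHASE", "TARGET_URL", "USER_ID", "PROJECT_ID", "API_TOKEN")  # set in every page example
PRE_ONLY = ("BRANCH", "PAT")   # pre-phase parameters; uppercase PAT is an assumption
SECRETS = ("API_TOKEN", "PAT")  # must be CI variable references, never literals in the repo


def lint_hashsecured_jobs(config: Dict[str, object]) -> List[str]:
    """Return one finding per misconfiguration found in jobs that extend .hashsecured_scan."""
    findings: List[str] = []
    for name, job in config.items():
        # Skip top-level keys such as stages/include and jobs that use other templates.
        if not isinstance(job, dict) or job.get("extends") != ".hashsecured_scan":
            continue
        v = {k: str(val) for k, val in (job.get("variables") or {}).items()}
        phase = v.get("PHASE")
        for key in REQUIRED:
            if not v.get(key):
                findings.append(f"{name}: missing variable {key}")
        if phase and phase not in VALID_PHASES:
            findings.append(f"{name}: PHASE {phase!r} is not pre, mid or post")
        for key in SECRETS:
            if key in v and not v[key].startswith("$"):
                findings.append(f"{name}: {key} is a literal value; use a masked CI variable")
        if v.get("BREAK", "true").lower() == "false":
            findings.append(f"{name}: BREAK=false, HIGH/CRITICAL findings will not fail the pipeline")
        if phase != "pre":
            for key in PRE_ONLY:
                if key in v:
                    findings.append(f"{name}: {key} only applies to the pre phase")
        if "TOOLS" in v and any(not t.strip() for t in v["TOOLS"].split(",")):
            findings.append(f"{name}: TOOLS contains an empty entry")
    return findings


# Constructed sample: the page's pre-phase job plus a deliberately misconfigured mid-phase job.
SAMPLE_CONFIG = {
    "stages": ["security_scan"],
    "pre_phase_scan": {"extends": ".hashsecured_scan", "variables": {
        "PHASE": "pre", "TARGET_URL": "gitlab.com/your-org/your-repo-name",
        "USER_ID": "YOUR_USER_ID", "PROJECT_ID": "YOUR_PROJECT_ID",
        "API_TOKEN": "$HASHSECURED_API_TOKEN", "BRANCH": "master",
        "BREAK": "true", "TOOLS": "semgrep,gitleaks"}},
    "bad_mid_scan": {"extends": ".hashsecured_scan", "variables": {
        "PHASE": "mid", "TARGET_URL": "nginx:latest", "USER_ID": "YOUR_USER_ID",
        "API_TOKEN": "hs_live_0123456789", "BREAK": "false", "BRANCH": "main"}},
}

if __name__ == "__main__":
    for finding in lint_hashsecured_jobs(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the page's own pre-phase job produces no findings, while the misconfigured job is reported for the missing `PROJECT_ID`, the literal token, the disabled `BREAK` and the out-of-phase `BRANCH`.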