
Administration Guide

26.2.0

GitLab

The following tutorial will guide you in running FortiCNAPP Code Security scanning (SCA and IaC) in your GitLab pipelines. The template provides two scanning workflows automatically:

  • Push scanning: Runs on every push and produces a GitLab-native JSON report that populates the Security Dashboard (dependency_scanning and sast report types).

  • Merge request (MR) scanning: Runs on MR creation and update, scans both source and target branches, compares results, and posts a comment on the MR with new findings.

Running an analysis

In your GitLab project's CI/CD settings, configure the API key, API secret, and account name. Add the secrets LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET to your GitLab repository, plus LW_SUBACCOUNT when you are using a subaccount. You can also add these secrets at the GitLab group level so that they are shared across all your repositories. For information on obtaining the values for these secrets by creating and downloading an API key, see API keys.

On the repository's settings page, create a new access token with the API scope. Add the token value to a new variable named LW_GITLAB_TOKEN with Masked and hidden visibility. This token is used to post the merge request comment containing the new findings reported by the Code Security scans.

To configure the variables:
  1. Navigate to Your GitLab Project.

  2. Log in to your GitLab account and go to the project where you want to configure the CI/CD variables.

  3. Go to Settings > CI/CD.

  4. Expand the Variables configuration panel.

  5. Add a new variable:

    1. Click Add variable. You will see fields to enter the Key, Value, and some additional options.

    2. Enter the Variable Details.

      1. Key: Enter the name of the variable, for example, LW_ACCOUNT, LW_API_KEY, or LW_API_SECRET.

      2. Value: Enter the value for the variable. For example, your FortiCNAPP account name, API key, or API secret.

      3. Type: By default, it is set to Environment variable. You can leave this as is.

      4. Protect variable: Enable this option if you want the variable to be available only in protected branches or tags (for example, main or master). This is useful for securing sensitive information.

      5. Masked: Enable this option to ensure that the variable value is hidden in job logs. Masked variables are obscured when displayed in logs, which adds an extra layer of protection for sensitive values.

If you are using a self-hosted GitLab instance, you must also set the GITLAB_URL environment variable to point to your GitLab instance URL:

GITLAB_URL=https://gitlab.yourcompany.com

If GITLAB_URL is not set, the integration will default to using https://gitlab.com.
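The following pre-flight check is an added example, not part of the FortiCNAPP template or the GitLab integration. It verifies that the variables described above are present before a scan job runs, treats LW_SUBACCOUNT as optional and LW_GITLAB_TOKEN as needed only for merge request comments, and reports the GitLab URL the integration will use (GITLAB_URL when set, otherwise https://gitlab.com). It deliberately prints only variable names, never values, so nothing sensitive lands in job logs even if masking were misconfigured. The function names lw_preflight and lw_gitlab_url are the example's own.

```shell
#!/bin/sh
# Added example (not FortiCNAPP or GitLab code): pre-flight check for the
# CI/CD variables a FortiCNAPP Code Security scan job expects.
# Usage: export the variables (GitLab does this for CI/CD variables) and call
#   lw_preflight && echo "using $(lw_gitlab_url)"
# for instance from a job's before_script.

# Returns 0 when every required variable is set and non-empty.
# Prints one line per problem to stderr, naming the variable only.
lw_preflight() {
    _missing=0
    # Required for both push_scan and merge_request_scan.
    for _name in LW_ACCOUNT LW_API_KEY LW_API_SECRET; do
        # Names come from the fixed list above, so eval is safe here.
        eval "_val=\${$_name:-}"
        if [ -z "$_val" ]; then
            echo "missing required CI/CD variable: $_name" >&2
            _missing=$((_missing + 1))
        fi
    done
    # LW_SUBACCOUNT is optional: only needed when scanning under a subaccount.
    if [ -n "${LW_SUBACCOUNT:-}" ]; then
        echo "note: LW_SUBACCOUNT is set; scanning under a subaccount" >&2
    fi
    # LW_GITLAB_TOKEN is only used to post the merge request comment, so its
    # absence is a warning rather than a failure for push scans.
    if [ -z "${LW_GITLAB_TOKEN:-}" ]; then
        echo "warning: LW_GITLAB_TOKEN not set; MR comments cannot be posted" >&2
    fi
    [ "$_missing" -eq 0 ]
}

# Prints the GitLab base URL the integration will talk to: GITLAB_URL when
# set (self-hosted instance), otherwise the documented default.
lw_gitlab_url() {
    printf '%s\n' "${GITLAB_URL:-https://gitlab.com}"
}
```

Because the check runs inside the job, it sees exactly what the scan jobs see, including the effect of Protect variable: on an unprotected branch a protected variable is absent, and this check names it instead of letting the scan fail later with a less obvious authentication error.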

To run an analysis on merge requests or pushes:
  1. Create a file named .gitlab-ci.yaml.

  2. Add the following content to the file:

    include:
      - remote: 'https://gitlab.com/lacework-security/code-security/code-security-gitlab/-/raw/main/lacework-code-security.yaml'

    stages:
      - security-scan

  This provides both the push_scan and merge_request_scan jobs automatically.
