## Welcome
GitLab Tanuki Shop is a GitLab-branded version of the OWASP Juice Shop, which describes itself as "probably the most modern and sophisticated insecure web application". This project will help you gain a better understanding of how to use GitLab to shift security left: finding and fixing security flaws during development, with greater visibility and control than typical approaches can provide.
This application is brought to you by GitLab Developer Relations.
## Prerequisites
In order to get started with this tutorial on GitLab DevSecOps, you will need the following:
### Knowledge
- Basic knowledge of CI/CD concepts
- Basic knowledge of Kubernetes
### Software/Tools
- GitLab Ultimate Subscription: Free trial available
- Kubernetes Cluster (GKE): I use GKE, but other providers should work
- Kubectl
- Helm
## Lessons

| # | Title | Description |
|---|---|---|
| 1 | Configuring the Demo Application | Set up and deploy the demo application to a Kubernetes cluster |
| 2 | Setting up Security Scanners and Policies | Configure GitLab’s built-in security scanners and guardrails |
| 3 | Developer Security Workflows | Go over common developer workflows involving security |
| 4 | Overseeing Security Posture | View vulnerability metrics and the software bill of materials (SBOM), and triage vulnerabilities |
| 5 | GitLab Duo AI Security Features | Use GitLab Duo AI features to explain and auto-resolve vulnerabilities |
## Learning Outcomes
After completing the lessons above, you will be able to:
- Set up comprehensive security scanning without adding a collection of new tools and processes
- Use a single-source-of-truth to improve collaboration between developers and appsec teams
- Manage all of your application vulnerabilities in one place
- Enable separation of duties and adhere to compliance
- Prevent insecure code from making it into production
- Use AI to learn how to exploit and remediate vulnerabilities