
An automated tool that assesses the GitLab CIS benchmarks against a project.

Project description

CIS GitLab Benchmark Scanner - gitlabcis

Background

On April 17th 2024, GitLab™ published a blog post introducing its Center for Internet Security® (CIS) GitLab Benchmark, with the goal of improving the security of the product and offering hardening recommendations to GitLab's customers. You can download a copy of the benchmark, which is published on the Center for Internet Security® website.

"The CIS GitLab Benchmark stemmed from a collaboration between CIS and GitLab's Field Security and Product Management teams. After numerous conversations with customers, we understood the need for a specific benchmark that would guide their hardening efforts. We conducted an in-depth review of GitLab’s product and documentation to understand how our offering mapped to CIS's Software Supply Chain Security Benchmark. After the initial draft was ready, it entered into the CIS consensus process, where the broader CIS Benchmark Community was able to review it and suggest edits prior to publication."

Ref: Creating the CIS GitLab Benchmark

Overview

gitlabcis is a Python® package which audits a GitLab project against the Center for Internet Security® (CIS) GitLab Benchmark. It includes recommendations-as-code formatted in YAML™.

GitLab Product Enhancement

Compliance Adherence Report

There is a larger effort to add the CIS Benchmark as a compliance standard to the Compliance Adherence Report.

  • Once implemented, this will give customers automatic visibility into whether they need to take additional measures in order to comply with the recommendations in the CIS Benchmark.

Contributing back to GitLab

Through the course of developing this tool, the authors contributed 2 features to the GitLab product (#39):


Disclaimers

This tool assumes that one is using GitLab for everything
  • For example, the first recommendation (1.1.1 - version_control):
    • "Ensure any changes to code are tracked in a version control platform."
  • Using GitLab automatically passes this control.

This tool cannot audit every recommendation
  • We have kept a record of every recommendation that we cannot automate. Review our limitations doc (docs/limitations.md), which highlights automation gaps where a condition cannot confidently be automated.

This tool does not execute any write operations on your GitLab instance, group or project
  • No write actions are performed. The tool is expressly designed to refrain from any write operation that could modify, alter, change or otherwise impact the configuration, data or integrity of your GitLab project, ensuring that no alterations or unauthorized adjustments are made to its state or contents.

This is not an official GitLab product
  • This repository was created by GitLab engineers and is not officially supported by GitLab.

Getting started

Tokens

gitlabcis requires one of the following tokens:

Personal Access Token (PAT)

You can either pass the token as an option or store it as an environment variable:

  • GITLAB_TOKEN - (optional) Environment Variable
  • --token / -t - (optional) gitlabcis token option

OAuth Token

You can either pass the token as an option or store it as an environment variable:

  • GITLAB_OAUTH_TOKEN - (optional) Environment Variable
  • --oauth-token / -ot - (optional) gitlabcis token option

Token Scope

  • Required: Your token needs to have at least the read_api scope.
  • (optional) Providing your token more scope will unlock more controls that require higher levels of permission.
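A pre-flight check for the token requirements above, added here as an example and not part of gitlabcis: it asks GitLab to describe the PAT via GET /api/v4/personal_access_tokens/self (assumed available on the instance you will scan) and refuses to proceed unless the token is active, unexpired and carries read_api or the broader api scope, so a scan never starts with a token that would silently fail most controls.

```python
import json
import os
import sys
import urllib.request
from datetime import date

# Assumed minimum for gitlabcis, per the Token Scope note: read_api. The api
# scope is a superset of read_api, so either one satisfies the requirement.
SUFFICIENT_SCOPES = {"read_api", "api"}


def evaluate_token(info, today=None):
    """Judge a decoded GET /api/v4/personal_access_tokens/self response.
    Returns (ok, messages): ok is False if the token is revoked, inactive,
    expired or lacks read_api; messages lists problems plus scope notes."""
    today = date.fromisoformat(today) if today else date.today()
    problems, notes = [], []
    scopes = set(info.get("scopes", []))
    if info.get("revoked"):
        problems.append("token is revoked")
    if info.get("active") is False:
        problems.append("token is inactive")
    expires_at = info.get("expires_at")  # "YYYY-MM-DD" or null
    if expires_at and date.fromisoformat(expires_at) < today:
        problems.append(f"token expired on {expires_at}")
    if not scopes & SUFFICIENT_SCOPES:
        problems.append(f"token lacks read_api (scopes: {sorted(scopes) or 'none'})")
    extra = sorted(scopes - {"read_api"})
    if extra:
        notes.append(f"additional scopes {extra} may unlock more controls")
    return not problems, problems + notes


def fetch_token_info(base_url, token):
    """Call the self-inspection endpoint with the same PAT gitlabcis will use."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/personal_access_tokens/self",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: GITLAB_TOKEN=... python check_token.py https://gitlab.example.com
    token = os.environ.get("GITLAB_TOKEN")
    if len(sys.argv) != 2 or not token:
        sys.exit("usage: GITLAB_TOKEN=<pat> check_token.py <gitlab base url>")
    ok, messages = evaluate_token(fetch_token_info(sys.argv[1], token))
    print("\n".join(messages) or "token OK: active, unexpired, read_api present")
    sys.exit(0 if ok else 1)
```

The exit status makes it usable as a gate in a CI job that runs gitlabcis right after it.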

Install

There are a number of ways to install the scanner; see them below:

PyPI

Install gitlabcis from pypi.org:

pip install gitlabcis

GitLab

Install gitlabcis from the package registry:

pip install gitlabcis --index-url https://gitlab.com/api/v4/projects/57279821/packages/pypi/simple

If you haven't already done so, you will need to add the below to your .pypirc file.

[gitlab]
repository = https://gitlab.com/api/v4/projects/57279821/packages/pypi
username = __token__
password = <your personal access token>

Source

Install gitlabcis from source via a clone, or from our releases page:

# make a clone (or create a local fork) of the repo
git clone git@gitlab.com:gitlab-security-oss/cis/gitlabcis.git
cd gitlabcis
make install

Usage

The following syntax is expected:

gitlabcis URL OPTIONS


Generate a report

To generate a report from the shell:

gitlabcis https://gitlab.example.com/path/to/project --token $TOKEN

Generate a JSON report (with the GITLAB_TOKEN environment variable set, you do not need to specify the --token option):

gitlabcis \
    https://gitlab.example.com/path/to/project \
    -o results.json \
    -f json

To execute a single control:

gitlabcis \
    https://gitlab.example.com/path/to/project \
    -ids 1.2.3 # or multiple: 2.3.4 3.4.5 etc

Scan all sub-groups and projects under an instance or group (1 level deep by default):

gitlabcis https://gitlab.example.com/path-to-group --nest

Scan all sub-groups and projects up to 2 levels deep, writing per-entity JSON files to ./results/:

gitlabcis \
    https://gitlab.example.com/path-to-group \
    --nest \
    --depth 2 \
    --output-dir results \
    -f json

Scan with unlimited depth and a filename prefix:

gitlabcis \
    https://gitlab.example.com/path-to-group \
    --nest \
    --depth 0 \
    --prefix "audit_" \
    --output-dir results \
    -f json

Documentation

Review the gitlabcis documentation (./docs) directory. Something missing? Feel free to contribute by opening a new issue.

License

gitlabcis is published under the MIT license; it can be reviewed in the ./LICENSE file.

Changelog

See the ./CHANGELOG.md for more information.

Developers

Code of Conduct

Review the heading section of the contributing doc (CONTRIBUTING.md) for the code of conduct.

Security

Review our security policy (docs/SECURITY.md) document which outlines how to disclose a vulnerability.

Contributing

Do you want to contribute? - Fantastic! Check out the contributing doc (CONTRIBUTING.md) for more information.

Download files

Source Distribution: gitlabcis-1.20.0.tar.gz (566.5 kB, tags: Source)
Built Distribution: gitlabcis-1.20.0-py3-none-any.whl (271.5 kB, tags: Python 3)

Both files were uploaded via twine/6.1.0 (CPython/3.12.13); Trusted Publishing was not used.
