GitLab Integration
DevGuard integrates with GitLab through two authentication methods: a Personal Access Token (PAT) or OAuth2. Both methods work with gitlab.com and with self-hosted GitLab instances.
| Method | Use Case |
|---|---|
| Personal Access Token | Repository access, issue management |
| OAuth2 | Permission sync, External Entity Provider |
Overview
The GitLab PAT integration provides:
- Repository Access: List and import GitLab projects
- Issue Management: Create and update GitLab Issues for vulnerabilities
- Webhook Processing: React to issue and note events in real-time
- CI/CD Integration: Automated scanning via GitLab CI/CD pipelines
How It Works
- Configure Integration: Add your GitLab instance URL and Personal Access Token in DevGuard
- Link Asset: Connect a DevGuard asset to a GitLab project
- Create Issues: Vulnerabilities can be pushed to GitLab Issues for tracking (automatically or manually)
- Sync Status: Changes in either system are synchronized via webhooks
Issue Creation
When a vulnerability is flagged for remediation, DevGuard creates a GitLab issue containing detailed information about the vulnerability, including severity, affected components, and labels for categorization.
Comment Commands
Users can change a vulnerability's status by posting a slash command as a comment on its GitLab issue:
| Command | Effect |
|---|---|
| /accept <reason> | Accept the vulnerability risk |
| /component-not-present <reason> | Mark as false positive |
| /vulnerable-code-not-present <reason> | Mark as false positive |
| /vulnerable-code-not-in-execute-path <reason> | Mark as false positive |
| /vulnerable-code-cannot-be-controlled-by-adversary <reason> | Mark as false positive |
| /inline-mitigations-already-exist <reason> | Mark as false positive |
| /reopen | Reopen a closed vulnerability |
Webhook Processing
DevGuard processes GitLab webhooks to synchronize issue state changes.
Processed Events
| Event | Action |
|---|---|
| Issue Closed | Vulnerability marked as accepted |
| Issue Reopened | Vulnerability reopened |
| Comment Added | Process slash commands |
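The following is an added illustration of the comment-command and webhook-processing behaviour described above; it is not DevGuard's own code. It assumes the webhook receiver validates GitLab's `X-Gitlab-Token` secret header before acting on a delivery, maps the slash commands from the table to a status value (the status names `accepted`, `false_positive` and `open` are this example's own), and requires a reason for every command except `/reopen` (an assumption; the page only shows `<reason>` as a parameter). The sample deliveries are constructed, following the shape of GitLab's issue and note hooks.

```python
import hmac
import json
import re

# Constructed secret for the example; in a real deployment this is the
# "Secret token" set on the GitLab webhook and stored by the receiver.
WEBHOOK_SECRET = "constructed-example-secret"

# Slash commands from the page, mapped to the status each one sets.
# The status names are this example's own.
COMMANDS = {
    "accept": "accepted",
    "component-not-present": "false_positive",
    "vulnerable-code-not-present": "false_positive",
    "vulnerable-code-not-in-execute-path": "false_positive",
    "vulnerable-code-cannot-be-controlled-by-adversary": "false_positive",
    "inline-mitigations-already-exist": "false_positive",
    "reopen": "open",
}

# A command is the whole comment: "/name" optionally followed by free-text reason.
COMMAND_RE = re.compile(r"^/([a-z-]+)(?:\s+(.*))?$", re.DOTALL)


def verify_token(headers, secret=WEBHOOK_SECRET):
    """GitLab sends the configured secret in X-Gitlab-Token; compare in constant time."""
    presented = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def parse_command(note):
    """Return (status, reason) for a comment that is a known slash command, else None."""
    m = COMMAND_RE.match(note.strip())
    if not m:
        return None
    name, reason = m.group(1), (m.group(2) or "").strip()
    if name not in COMMANDS:
        return None
    if name != "reopen" and not reason:
        return None  # assumption: every status-changing command except /reopen needs a reason
    return COMMANDS[name], reason


def handle_event(headers, body):
    """Map one webhook delivery to the action the page describes for that event."""
    if not verify_token(headers):
        return {"error": "invalid webhook token"}
    event = json.loads(body)
    kind = event.get("object_kind")
    attrs = event.get("object_attributes", {})
    if kind == "issue":
        # Issue Hook: "close" -> vulnerability accepted, "reopen" -> vulnerability reopened
        action = attrs.get("action")
        if action == "close":
            return {"issue_iid": attrs.get("iid"), "status": "accepted"}
        if action == "reopen":
            return {"issue_iid": attrs.get("iid"), "status": "open"}
        return {"ignored": f"issue action {action!r}"}
    if kind == "note" and event.get("issue"):
        # Note Hook on an issue: look for a slash command in the comment text
        parsed = parse_command(attrs.get("note", ""))
        if parsed is None:
            return {"ignored": "comment without slash command"}
        status, reason = parsed
        return {"issue_iid": event["issue"].get("iid"), "status": status, "reason": reason}
    return {"ignored": f"object_kind {kind!r}"}


# Constructed sample deliveries (not captured from GitLab).
SAMPLE_HEADERS = {"X-Gitlab-Token": WEBHOOK_SECRET, "X-Gitlab-Event": "Note Hook"}
SAMPLE_NOTE = json.dumps({
    "object_kind": "note",
    "object_attributes": {"note": "/accept dependency is not reachable from the web tier",
                          "noteable_type": "Issue"},
    "issue": {"iid": 42},
})
SAMPLE_CLOSE = json.dumps({
    "object_kind": "issue",
    "object_attributes": {"iid": 42, "action": "close"},
})

if __name__ == "__main__":
    print(handle_event(SAMPLE_HEADERS, SAMPLE_NOTE))
    print(handle_event(SAMPLE_HEADERS, SAMPLE_CLOSE))
    print(handle_event({"X-Gitlab-Token": "wrong"}, SAMPLE_CLOSE))
```

The token check comes first because a comment on a public issue is user-controlled input: without the secret header, anyone able to reach the receiver could post a forged "close" or "/accept" delivery. Treating an unknown or reason-less command as "ignored" rather than as an error keeps ordinary discussion on the issue from changing vulnerability state.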
Issue State Synchronization
| GitLab Status | DevGuard Interpretation |
|---|---|
| Open | Open vulnerability |
| Closed | Closed vulnerability |
Self-Hosted Instances
GitLab integration fully supports self-hosted GitLab instances:
- Configure your GitLab instance URL in the OAuth2 or Access Token settings
- Multiple GitLab instances can be connected simultaneously
- Each instance is treated as a separate External Entity Provider
Testing the Integration
When saving a new GitLab integration, DevGuard performs a test connection to validate the provided credentials and permissions. If the test fails, an error message indicates the cause.
Related Documentation
- Setup GitLab Integration — Step-by-step setup guide
- GitLab Permission Sync — Configure permission synchronization
- GitLab Webhooks — Configure webhooks
- External Entity Providers — Understanding external entities