GitLab CI/CD

Overview

A test can be triggered externally by authenticating as a StrikeOne Admin account from GitLab and then calling the test orchestrator endpoint with the appropriate parameters. The job example below shows how to execute tests from GitLab CI/CD.

Remote Test Execution

Overview

To execute a test you need an authorization token. API tokens are generated from the Integrations menu in the StrikeOne settings. This token authorizes every subsequent call to the other endpoints, so treat it as a credential: store it in a masked (and, where possible, protected) GitLab CI/CD variable rather than in the pipeline definition or the repository.

Once you have the authorization token, call the test orchestrator. This POST request requires a JSON body with an externalData object containing the fields testName, parsedDomainId, parsedScanId and tool. Both parsed IDs can be copied directly from any table row in the Domains or Scans tab of an asset.

The following values are valid for the tool field:

  • openvas
  • owasp_zap
  • dep_check
  • nuclei
  • gitleaks

IMPORTANT

Some tools require or accept extra arguments for their execution. The list is as follows:

  • OWASP Dependency Check (dep_check) and GitLeaks (gitleaks) require an additional toolData object alongside externalData. This object contains the fields projectUrl (the repository URL, including its credentials if the clone requires them), projectName (the repository's name) and projectBranch (the branch to clone; optional if using curl). Because projectUrl may embed repository credentials, avoid printing the request body in job logs.

  • Nuclei (nuclei) accepts an optional toolData object alongside externalData. It may contain a templates field, a string naming the templates Nuclei should use; this string is concatenated to a string containing the -nts flag that is later passed to Nuclei.

If the test was created successfully, /api/vm/tests/external/execute returns HTTP status 200; any other status means no test was created and the job should fail rather than report success.
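The whole procedure above (token, externalData, the tool-specific toolData and the 200 check) as one POSIX shell script. This is an added example and not StrikeOne's own code or part of the original page: the endpoint, field names and tool values are the ones documented above, while the function names, the SO_API_URL and SO_API_TOKEN variable names, and the sample IDs, repository URL and templates string used in the comments are assumptions or constructed values. It covers every tool on the list, not only the owasp_zap case of the job example.

```shell
#!/bin/sh
# Added example, not StrikeOne's own code: build the orchestrator request body for
# each tool described above and submit it. Assumed (not from the page): the
# SO_API_URL/SO_API_TOKEN variable names and the function names below.
set -eu

SO_API_URL="${SO_API_URL:-https://assessment.strikeone.io/api/vm/tests/external/execute}"

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_str() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Succeed only for the tool values the orchestrator accepts.
valid_tool() {
  case "$1" in
    openvas|owasp_zap|dep_check|nuclei|gitleaks) return 0 ;;
    *) return 1 ;;
  esac
}

# build_body TEST_NAME DOMAIN_ID SCAN_ID TOOL [tool-specific args]
#   dep_check | gitleaks : PROJECT_URL PROJECT_NAME [PROJECT_BRANCH]
#   nuclei               : [TEMPLATES]
# Prints the JSON body on stdout; fails on an unknown tool or missing repo data.
build_body() {
  [ $# -ge 4 ] || { echo "usage: build_body NAME DOMAIN_ID SCAN_ID TOOL [...]" >&2; return 1; }
  name=$1 domain=$2 scan=$3 tool=$4
  shift 4
  valid_tool "$tool" || { echo "unknown tool: $tool" >&2; return 1; }
  ext=$(printf '"externalData":{"testName":"%s","parsedDomainId":"%s","parsedScanId":"%s","tool":"%s"}' \
    "$(json_str "$name")" "$(json_str "$domain")" "$(json_str "$scan")" "$tool")
  case "$tool" in
    dep_check|gitleaks)
      # Repository tools need toolData; projectBranch is only sent when given.
      [ $# -ge 2 ] || { echo "$tool needs PROJECT_URL and PROJECT_NAME" >&2; return 1; }
      td=$(printf '"projectUrl":"%s","projectName":"%s"' "$(json_str "$1")" "$(json_str "$2")")
      if [ $# -ge 3 ] && [ -n "$3" ]; then
        td=$(printf '%s,"projectBranch":"%s"' "$td" "$(json_str "$3")")
      fi
      printf '{%s,"toolData":{%s}}' "$ext" "$td" ;;
    nuclei)
      # templates is optional and passed through untouched; per the docs above the
      # orchestrator concatenates it with the -nts flag itself.
      if [ $# -ge 1 ] && [ -n "$1" ]; then
        printf '{%s,"toolData":{"templates":"%s"}}' "$ext" "$(json_str "$1")"
      else
        printf '{%s}' "$ext"
      fi ;;
    *) printf '{%s}' "$ext" ;;
  esac
}

# run_test <same args as build_body>
# POSTs the body and fails unless the orchestrator answers 200. Neither the body
# nor the headers are echoed: projectUrl may carry repository credentials and the
# Authorization header carries the API token.
run_test() {
  body=$(build_body "$@") || return 1
  : "${SO_API_TOKEN:?set SO_API_TOKEN from a masked CI/CD variable, never a literal}"
  status=$(curl --silent --show-error --output /dev/null --write-out '%{http_code}' \
    --request POST "$SO_API_URL" \
    --header 'Content-Type: application/json' \
    --header "Authorization: Bearer ${SO_API_TOKEN}" \
    --data "$body")
  [ "$status" = "200" ] || { echo "test creation failed: HTTP $status" >&2; return 1; }
  echo "test created: HTTP $status"
}

# Example calls (constructed IDs, repository URL and templates string):
#   run_test "GitLab Test" 192079240 192079369 owasp_zap
#   run_test "Dependency scan" 192079240 192079369 dep_check "https://user:TOKEN@git.example/org/app.git" app main
#   run_test "Nuclei" 192079240 192079369 nuclei "http/cves/"
```

Reading the status code with curl's --write-out instead of capturing the response body is what turns "the endpoint returns 200" into a job that actually fails on anything else; in a CI job, run_test's non-zero exit marks the stage failed.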

Requirements

None.

Job Example

strikeone-test:
  stage: test
  script:
    - echo "Execute StrikeOne Test"
    # SO_API_TOKEN must come from a masked (and ideally protected) CI/CD variable, never a literal in this file.
    # --fail makes curl exit non-zero on a non-2xx status, so the job fails instead of silently "succeeding".
    - RES=$(curl --fail --silent --show-error --request POST https://assessment.strikeone.io/api/vm/tests/external/execute --header "Content-Type:application/json" --header "Authorization:Bearer ${SO_API_TOKEN}" --data-raw '{"externalData":{"testName":"GitLab Test","parsedDomainId":"192079240","parsedScanId":"192079369","tool":"owasp_zap"}}')
    - echo "RES is ${RES}"