Setting up the GitLab Integration with Corgea

Corgea’s GitLab integration allows you to seamlessly connect your GitLab repositories with Corgea’s powerful vulnerability scanning and remediation capabilities. With this integration, you can automatically scan your code for security vulnerabilities during merge requests, and Corgea will provide detailed comments with identified issues and suggested fixes. You can also add repositories from GitLab to Corgea using the Dropsite feature and create Merge Requests directly from Corgea for identified issues.

Prerequisites

Before setting up the GitLab integration, ensure that you have the following:
  1. A Corgea account
  2. A GitLab account with a repository you want to integrate

Setting up the Integration

1

Access Integrations

Log in to your Corgea account and navigate to the “Integrations” section.
2

Add GitLab Integration

Click on the “Add Integration” button and select “GitLab” from the list of available integrations.
3

Configure Integration

In the “Add GitLab Integration” form, provide the following information:
  • Name: A descriptive name for your GitLab integration.
  • GitLab URL: The URL of your GitLab instance (e.g., https://gitlab.com or your self-hosted GitLab URL).
  • Secure Token: A personal access token with the necessary permissions to access your GitLab repository. You can generate a new token by following the GitLab documentation.
  • Comment on Merge Requests: Check this option if you want Corgea to automatically comment on merge requests with identified vulnerabilities and suggested fixes.
4

Save Configuration

Click “Save” to create the GitLab integration.

Setting up GitLab

To enable Corgea to scan your repositories and comment on merge requests, you’ll need to configure a few settings in GitLab:
1

Create Personal Access Token

  1. Log in to your GitLab account
  2. Go to your User Settings > Access Tokens
  3. Create a new token with the following scopes:
    • api (Read/Write API access)
    • read_api
    • read_repository
    • write_repository
  4. Copy the generated token - you’ll need this for the Corgea integration setup
2

Configure Webhook

For Project-level webhook:
  1. Go to your project’s Settings > Webhooks
  2. Add a new webhook with the following settings:
    • URL: https://www.corgea.app/gitlab_webhook/ (or your provided webhook URL)
    • Custom header: Add X-Corgea-UUID with the value found under the integrations setting page > GitLab > View All
    • Select triggers:
      • Merge request events
      • Comments
  3. Click “Add webhook”
For Group-level webhook:
  1. Go to your group’s Settings > Webhooks
  2. Follow the same steps as above
  3. The webhook will apply to all projects in the group
3

Verify Configuration

  1. Create a test merge request
  2. Verify that Corgea receives the webhook and comments on the merge request
  3. Check the webhook’s recent deliveries in GitLab to ensure successful communication

Adding Repositories from GitLab using the Dropsite

1

Access Dropsite

Log in to your Corgea account and navigate to the Dropsite section.
2

Select Connection Method

In the “Add your code” step, select the “Connect Corgea” option.
3

Choose GitLab

Choose the “GitLab” integration from the list of available integrations.
4

Select Repository

Select the repository and branch you want to scan from your GitLab account.
5

Initiate Scan

Click “Confirm” to initiate the scan.
Corgea will retrieve the code from the selected repository and branch, and perform a comprehensive security scan.

Creating Merge Requests from Corgea Issues

When Corgea identifies a security issue and generates a fix, you can create a Merge Request directly from the Issue Details page:
  1. Navigate to the Issue Details page for the vulnerability you want to fix
  2. Look for the “Issue MR” option in the dropdown menu
  3. Click “Issue MR” to have Corgea automatically:
    • Create a new branch based on your configured base branch
    • Commit the fix with a descriptive message
    • Create a Merge Request with the changes
    • Add a detailed comment explaining the vulnerability and fix (if enabled)
The MR link will be displayed on the Issue Details page for easy access. You can then follow your normal GitLab workflow to review and merge the changes.

How the Integration Works

Once the GitLab integration is set up, Corgea will automatically scan your code for vulnerabilities whenever a new merge request is created or updated. Here’s how the integration works:
  1. When a merge request is created or updated in your GitLab repository, Corgea receives a webhook notification from GitLab.
  2. Corgea retrieves the code changes from the merge request and performs a comprehensive security scan.
  3. If any vulnerabilities are detected, Corgea will post a comment on the merge request with details about the identified issues and suggested fixes.
  4. You can review the comments and apply the suggested fixes to remediate the vulnerabilities before merging the code.

Benefits of the GitLab Integration

By integrating Corgea with your GitLab repository, you can enjoy the following benefits:
  • Automated Security Scanning: Corgea automatically scans your code for vulnerabilities during the merge request process, ensuring that security issues are caught early in the development cycle.
  • Detailed Vulnerability Reports: Corgea provides detailed information about identified vulnerabilities, including their severity, location, and potential impact.
  • Suggested Fixes: Corgea not only identifies vulnerabilities but also provides suggested fixes to help you remediate the issues quickly and efficiently.
  • Seamless Integration: The GitLab integration seamlessly integrates with your existing development workflow, minimizing disruptions and ensuring a smooth security review process.
  • Improved Code Quality: By addressing security vulnerabilities early in the development cycle, you can improve the overall quality and security of your codebase.
  • Flexible Scanning Options: In addition to automatic merge request scanning, you can use the Dropsite feature to scan repositories from GitLab on-demand.
  • One-Click Fix Implementation: Create Merge Requests directly from Corgea’s Issue Details page to implement fixes with minimal effort.
By leveraging Corgea’s GitLab integration and the Dropsite feature, you can enhance the security of your applications while streamlining your development processes, ultimately delivering more secure and reliable software to your users.