Secure Code Commits with GitLab
Transcription
Hi, everyone. Are you ready? My name is Regu, and I'm an enterprise architect with Beyond Identity. I'm going to walk you through a demonstration of Beyond Identity's Secure DevOps solution integration with GitLab.
As all of us know, software security and code security are very critical for the software supply chain. With all the things going on, one less thing to worry about is your code security, and Beyond Identity can help you achieve this goal. So, what are the different components of this solution? There are three primary components: one, a Beyond Identity platform authenticator that is deployed on each developer's laptop; two, each developer generates a unique GPG key using the platform authenticator; three, the GitLab repository and CI/CD pipeline setup.
Once these things are taken care of, you are ready to roll. One, you clone the repository; two, you make changes; three, you sign and commit. Once you commit, the CI/CD pipeline gets triggered on demand. Again, I repeat, on demand, the Beyond Identity custom image verifies two things. One, the developer is authorized to do a commit; two, whether the keys are valid. If both are valid, the pipeline passes, and that's the happy path. And if any of this does not match, you'll get a red flag, and watch out for red flags.
So, the first step is cloning the repository, so git clone to clone the repository. As you can see, the README file: this is the file I'll be using in the demo to make modifications and commit. So, on the client side, the platform authenticator, the Beyond Identity authenticator, you can see once it is installed and working correctly; you'll be able to launch it by clicking "Open Beyond Identity." And you'll be able to see the different GPG keys; I have more than one.
So, you create a GPG key, and once you have a GPG key, you can actually go and set the repository path. This is the path where you will clone your code. So, once you configure that, you will see this message, you know, saying the repository is configured successfully. So, once that is done, you're all ready to make some changes and go through the flow.
So, when you do the same command, you will actually see the platform authenticator indicating it is being used to sign the commit. So, it'll show a Git command. It should actually show, you know, "signed," and you see the commit and the email.
Now let's go back to the GitLab site and see what happened to the pipeline. I should see it's running, and it'll take a few minutes to complete. And you see it's passed. If you see the detailed logs, you should be able to actually see here, right here, the commit is signed by an authorized user, a verified user.
So, that finishes the cycle. The developer modifies the code, signs the code using the Beyond Identity authenticator, commits to the repository, and the pipeline gets triggered because of the CI/CD pipeline configuration, and it is all the happy path.
So, now let's try to do it as a different user, okay? So, I'm going to get a configuration with a different user; now let's do the same thing. So, let's go check the pipeline. It's running. And you can see right here it's failed. You can also go have a look at the detailed log, and you can see here "Failed to verify this user." This is not an authorized committer.
So, that sums up the demo: one, where the CI/CD pipeline passes when the user is authorized to commit and sign, and the second one, where the pipeline fails when the user is not an authorized user. So, with this platform authenticator solution, you have a very powerful way of making sure only authorized users can sign and commit code, which is very critical in the supply chain. Thank you.
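The two checks the demo's pipeline performs on each commit (is the committer authorized, and is the signature valid and made with that committer's key), written out as an added shell example for a GitLab CI job. This is not Beyond Identity's verification image or the demo's own pipeline; the allowlist, the sample commit lines, and the `git log` invocation that would feed it are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not Beyond Identity's verification image or the demo's pipeline:
# a CI job step enforcing the two checks the talk describes for every new commit:
#   1. the committer is an authorized developer (allowlist: email -> GPG fingerprint)
#   2. the commit carries a good signature made with that developer's key
# Input is one line per commit as produced by this (assumed) invocation:
#   git log --format='%H %G? %GF %ce' "$CI_COMMIT_BEFORE_SHA..$CI_COMMIT_SHA"
# %G? is git's signature status (G good, U good but untrusted key, B bad, N none,
# E cannot check), %GF the signing-key fingerprint, %ce the committer email.
# Use %GP (primary-key fingerprint) instead of %GF if developers sign with subkeys.
# Constructed allowlist of "email fingerprint" pairs; a real job would read it from
# a protected CI variable or a file on a protected branch (assumption).
AUTHORIZED_COMMITTERS='
alice@example.com 0123456789ABCDEF0123456789ABCDEF01234567
bob@example.com   FEDCBA9876543210FEDCBA9876543210FEDCBA98
'

# verify_commit_line "<sha> <status> <fingerprint> <email>"  ->  0 = pass, 1 = fail
verify_commit_line() {
    set -- $1
    sha=$1; status=$2; fpr=$3; email=$4
    # U (good signature, key trust unset) is what you get when the CI image merely
    # imports the allowlisted public keys: the allowlist, not GPG trust, is the policy.
    case "$status" in
        G|U) ;;
        *) echo "FAIL $sha: signature status '$status' is not a good signature"; return 1 ;;
    esac
    expected=$(printf '%s\n' "$AUTHORIZED_COMMITTERS" | awk -v e="$email" '$1 == e { print $2 }')
    [ -n "$expected" ] || { echo "FAIL $sha: $email is not an authorized committer"; return 1; }
    [ "$expected" = "$fpr" ] || { echo "FAIL $sha: key $fpr is not registered for $email"; return 1; }
    echo "OK   $sha: good signature from authorized committer $email"
}

# Reads commit lines on stdin; reports every commit and fails if any one of them fails.
verify_commits() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verify_commit_line "$line" || rc=1
    done
    return $rc
}
# Constructed sample: an authorized signed commit, a commit signed with Bob's key but
# under an unknown email, and an unsigned commit. Expected overall result: fail.
SAMPLE_LOG='
1111111 G 0123456789ABCDEF0123456789ABCDEF01234567 alice@example.com
2222222 G FEDCBA9876543210FEDCBA9876543210FEDCBA98 mallory@example.com
3333333 N carol@example.com
'
printf '%s\n' "$SAMPLE_LOG" | verify_commits && echo "pipeline: pass" || echo "pipeline: fail"
```

In a real job the CI image must import the allowlisted public keys before `git log` can report anything other than E, and the allowlist itself must live somewhere a committer cannot edit in the same push.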