gitlabgitlab-ciopenapifuzzing

How to set up Web API Fuzzing in Gitlab in a repository with multiple services?


I have a repository that has multiple microservices in it. As part of that, each service has its own OpenAPI 3.0 spec.

There is only one .gitlab-ci.yaml file in the repository, but it is not clear in the existing documentation on how to have separate configurations for each service.

Has anyone done this before or have a suggestion for a work around?


Solution

  • The logic for running the Fuzz Testing is configured within the API-Fuzzing.gitlab-ci.yml template, and you can view the included logic within that template here: https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml

    Within that template, you can see that there is one job included: apifuzzer_fuzz. Each job can run one fuzz test, so if you want to run multiple fuzz tests for multiple services, you can simply create new jobs using the extends: apifuzzer_fuzz keyword in your .gitlab-ci.yml file. You can pass each job it's own variables to control what is being tested. If you want, you can turn off the existing job as well, to making naming easier to read. Example:

    include:
      template: API-Fuzzing.gitlab-ci.yml
    
    # disable the existing job so that names make more sense
    apifuzzer_fuzz:
      rules:
        - when: never
    
    fuzz_microservice_one:
      extends: apifuzzer_fuzz
      variables:
        FUZZAPI_TARGET_URL: https://my-microservice-1.com
        FUZZAPI_OPENAPI: my-spec.json
    
    fuzz_microservice_two:
      extends: apifuzzer_fuzz
      variables:
        FUZZAPI_TARGET_URL: https://my-microservice-2.com
        FUZZAPI_OPENAPI: my-spec-two.json
    

    This can be repeated as many times as needed. Note that gitlab will combine all the security findings from the fuzz scanners into one report, which may make the results a bit interesting to read. GitLab sort of expects that if you have truly separate services to scan that you'll have them in different repositories, so any scans run of a given type are combined into the same report within an MR or on the security dashboard.