GEANT/nagios_check_gitlab_vulnerability_report
nagios_check_gitlab_vulnerability_report

Nagios plugin to monitor the vulnerabilities in Gitlab generated vulnerability reports.

Currently supported:

  • Monitoring the absolute number of reported vulnerabilities
  • Monitoring the increase in the number of reported vulnerabilities, compared to the previous check.
  • Filtering on severity
  • Filtering on status

Usage

usage: check_gitlab_vuln_report.py [-h] --api API --token TOKEN [--diff]
                                   [--warn WARN] [--crit CRIT]
                                   [--severity SEVERITY] [--status STATUS]
                                   [--cachedir CACHEDIR] [--verbose]

Monitor the vulnerabilities in Gitlab generated reports.

optional arguments:
  -h, --help            show this help message and exit
  --api API             The API URL to use. See
                        https://docs.gitlab.com/ee/api/vulnerability_exports.html
                        for examples. This can use project, group, or instance
                        level reports. Example:
                        "https://gitlab.my.org/api/v4/groups/234/vulnerability_exports".
  --token TOKEN         Access token to use. This can be a personal access
                        token, and requires the "api" scope. Read
                        https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/security.html#bestpractices
                        when using Nagios.
  --diff                Instead of the absolute number of vulnerabilities in
                        the report, use the difference compared to the
                        previous report. This effectively means you just see
                        the changes. A cache file will be used to store the
                        relevant report details for comparison between checks.
                        See also the '--cachedir' option.
  --warn WARN, -w WARN  Number of found vulnerabilities that should result in
                        a WARNING (default: 1).
  --crit CRIT, -c CRIT  Number of found vulnerabilities that should result in
                        a CRITICAL (default: 3).
  --severity SEVERITY   Comma separated list of vulnerability severities to
                        take into account. Options: info, unknown, low,
                        medium, high, critical. Default: "high,critical".
  --status STATUS       Comma separated list of vulnerability statuses to take
                        into account. Options: detected, confirmed, dismissed,
                        resolved. Default: "detected,confirmed".
  --cachedir CACHEDIR   Which directory to use for storing cached content
                        (default: "/tmp").
  --verbose             Show verbose output.

Examples

# Basic use
./check_gitlab_vuln_report.py \
 --api https://gitlab.my.org/api/v4/security/groups/1234/vulnerability_exports \
 --token hackme
CRITICAL: Found 8 issues with severity high or critical, and status detected or confirmed
See the entire report at https://gitlab.my.org/api/v4/security/vulnerability_exports/123/download
# Relaxed thresholds
./check_gitlab_vuln_report.py \
 --api https://gitlab.my.org/api/v4/security/groups/1234/vulnerability_exports \
 --token hackme \
 --warn 5 \
 --crit 10
WARNING: Found 8 issues with severity high or critical, and status detected or confirmed
See the entire report at https://gitlab.my.org/api/v4/security/vulnerability_exports/123/download
# More relaxed thresholds
./check_gitlab_vuln_report.py \
 --api https://gitlab.my.org/api/v4/security/groups/1234/vulnerability_exports \
 --token hackme \
 --warn 10 \
 --crit 20
OK: Found 8 issues with severity high or critical, and status detected or confirmed
See the entire report at https://gitlab.my.org/api/v4/security/vulnerability_exports/123/download
# Only report changes (first check)
./check_gitlab_vuln_report.py \
 --api https://gitlab.my.org/api/v4/security/groups/1234/vulnerability_exports \
 --token hackme \
 --diff
UNKNOWN: No cache file yet, generating it for next use

# Subsequent runs
./check_gitlab_vuln_report.py \
 --api https://gitlab.my.org/api/v4/security/groups/1234/vulnerability_exports \
 --token hackme \
 --diff
OK: No changes compared to previous check
See the entire report at https://gitlab.my.org/api/v4/security/vulnerability_exports/123/download
# A new/extra vulnerability was found
./check_gitlab_vuln_report.py \
 --api https://gitlab.my.org/api/v4/security/groups/1234/vulnerability_exports \
 --token hackme \
 --diff
WARNING: 1 new issue found
[
    {
        "Group Name": "devgroup1",
        "Project Name": "someproject2",
        "Scanner Type": "container_scanning",
        "Scanner Name": "trivy",
        "Status": "detected",
        "Vulnerability": "perl: File::Temp insecure temporary file handling",
        "Details": "_is_safe in the File::Temp module for Perl does not properly handle symlinks.",
        "Additional Info": "perl: File::Temp insecure temporary file handling",
        "Severity": "high",
        "CVE": "CVE-2011-4116",
        "CWE": "",
        "Other Identifiers": ""
    }
]
See the entire report at https://gitlab.my.org/api/v4/security/vulnerability_exports/123/download
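The severity/status filtering, the --warn/--crit thresholds and the --diff comparison against a cached baseline, as an added Python illustration that is not the plugin's own code. It assumes export rows carry the column names shown in the JSON above and treats project name, vulnerability title and CVE as a finding's identity; the sample rows and CVE ids are constructed placeholders.

```python
import json
import os
import tempfile

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes

# Constructed sample rows (column names mirror the README's JSON); CVE ids are placeholders.
SAMPLE_REPORT = [
    {"Project Name": "someproject1", "Severity": "critical", "Status": "detected",
     "Vulnerability": "libfoo: constructed finding A", "CVE": "CVE-0000-0001"},
    {"Project Name": "someproject2", "Severity": "high", "Status": "dismissed",
     "Vulnerability": "libbar: constructed finding B", "CVE": "CVE-0000-0002"},
]

def filter_findings(rows, severities="high,critical", statuses="detected,confirmed"):
    """Keep rows matching the comma separated --severity and --status allow-lists."""
    sev = {s.strip().lower() for s in severities.split(",")}
    sts = {s.strip().lower() for s in statuses.split(",")}
    return [r for r in rows if r["Severity"].lower() in sev and r["Status"].lower() in sts]

def status_for_count(count, warn=1, crit=3):
    # --warn/--crit thresholds: >= crit is CRITICAL, >= warn is WARNING, else OK
    return CRITICAL if count >= crit else WARNING if count >= warn else OK

def save_cache(path, keys):
    with open(path + ".tmp", "w") as fh:  # write then rename: no truncated baseline on a crash
        json.dump([list(k) for k in keys], fh)
    os.replace(path + ".tmp", path)

def evaluate_diff(findings, cache_path, warn=1, crit=3):
    """--diff mode: alert only on findings absent from the previous check's cache."""
    # key that is stable across exports (row order in the export is not)
    current = {(r["Project Name"], r["Vulnerability"], r["CVE"]): r for r in findings}
    if not os.path.exists(cache_path):
        save_cache(cache_path, current)
        return UNKNOWN, []  # first run: no baseline yet, seed the cache for next time
    with open(cache_path) as fh:
        previous = {tuple(k) for k in json.load(fh)}
    new = [r for k, r in current.items() if k not in previous]
    save_cache(cache_path, current)  # the next check compares against this report
    return status_for_count(len(new), warn, crit), new

def run_demo():
    """Three --diff checks in a row: seed the cache, then one new finding, then no change."""
    cache = os.path.join(tempfile.mkdtemp(), "vuln_cache.json")
    findings = filter_findings(SAMPLE_REPORT)
    first, _ = evaluate_diff(findings, cache)
    extra = {**SAMPLE_REPORT[0], "Project Name": "someproject3", "CVE": "CVE-0000-0004"}
    second, new = evaluate_diff(findings + [extra], cache)
    third, _ = evaluate_diff(findings + [extra], cache)
    return first, second, third, [r["CVE"] for r in new]
```

Because the cached baseline decides what counts as "new", point --cachedir at a directory writable only by the Nagios user rather than the shared /tmp default.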
