Gitlab Pre-Receive Hook

The Gitlab pre-receive hook rejects a push to Gitlab when Code Security finds security issues in the commits being pushed, so the offending commits never reach the server-side repository.

Prerequisites

  • The Gitlab instance must be installed on a Linux server.

  • Code Security must be installed on the same Linux server as the Gitlab instance. See Getting Started with Code Security.

Configuration

Create a configuration file and install it as a server hook on the Gitlab Linux server.

  1. On the Gitlab server, create a configuration file in one of these directories:

    • in your home directory: .spectral/git-hook

      for example: /var/opt/gitlab/.spectral/git-hook/config.yml

    • /etc/spectral/git-hook

  2. Add parameters to the configuration file. The required parameters are spectral_dsn and gitlab_host. The DSN contains your Spectral key, so make the file readable only by the "git" user that runs the hook.

    # file name for log, must be writable by "git" user
    hook_logfile: /var/log/gitlab/hook.log          # optional, but recommended

    # logging level. For debugging purposes level 6 can be used
    log_level: 3                                    # optional, default is 3 (show errors)

    spectral_dsn: https://spk-******@get.spectralops.io   # REQUIRED

    # Path to the spectral scanner executable. The default is "spectral",
    # which works if the directory containing the "spectral" binary is listed in the PATH environment variable.
    # It must be installed on your gitlab instance.
    # For installation instructions, under your account at get.spectralops.io press "add sources", then "use CLI",
    # then "local repos".
    spectral_binary: spectral                       # optional, default is "spectral"

    # Additional arguments to the "spectral history" command, for instance to exclude some checks. Use with caution!
    spectral_args: []                               # optional, array of strings

    # stop execution after the specified number of seconds; the child `spectral` process will also be killed
    exec_timeout: 30                                # optional, seconds (int), default is 30

    # if this string appears in any of the commit messages being pushed, the git hook will skip scanning;
    # use it with caution, only when you are sure that the commits trigger false positive and ONLY false positive scan results;
    # you will most likely want to alter the latest commit message with "amend" to skip scanning
    skip_scan_keyword: ~                            # string, default "skip-spectral-pre-receive"

    # gitlab server host url
    gitlab_host: http://your-own-gitlab-server.com  # REQUIRED

  3. Download the Gitlab pre-receive hook.

  4. Install the Gitlab pre-receive hook as a server hook.

    Best Practice - Install the Gitlab pre-receive hook globally, as a server hook that applies to all repositories, rather than per repository; a per-repository hook can be forgotten when new projects are created.

Logging

The Spectral pre-receive hook can write a log entry every time it is triggered. Logging is enabled and tuned from the hook configuration file.

Before enabling hook logging, make sure that either the GitLab logrotate service or a custom logrotate configuration that you manage on the server covers the log file. See the GitLab log guide for more details.

The Spectral pre-receive hook never deletes or rotates the log file it writes on your Gitlab machine; without logrotate the file grows without bound.

To enable logging:

In the hook configuration file (config.yml), set the hook_logfile parameter to a log file path under /var/log/gitlab/gitlab-rails, a directory that Gitlab's own logrotate configuration already covers.

Note - You can set hook_logfile to a different path, provided the path exists and is covered by the logrotate configuration. To view Gitlab's logrotate configuration, run: $ cat /var/opt/gitlab/logrotate/logrotate.conf

To change how much Code Security writes to the log file:

In the hook configuration file (config.yml), change the value of the log_level parameter (default value = 3, which shows errors). Increase the value to write more detail (6 is the debugging level); decrease it to write less.

To disable logging:

In the hook configuration file (config.yml), clear the log_level field (leave it with no value).
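Worked example of the Configuration steps 1-4 and of the logrotate check recommended under Logging. This is an added installer script, not Spectral's own hook or installer. It only writes the configuration keys shown in step 2. Assumptions not taken from this page: the path of the downloaded hook and the global server hooks directory are passed in as arguments, Gitlab runs every executable placed in that directory's pre-receive.d subdirectory, the installed file is named spectral-pre-receive, and the SPECTRAL_HOOK_INSTALL=1 guard is what makes the script touch the system.

```shell
#!/bin/sh
# Added example (not Spectral's installer). Assumed, not from the page:
# the hook file and the global server hooks directory are arguments,
# the hook goes into <hooks_dir>/pre-receive.d/spectral-pre-receive,
# and nothing is installed unless SPECTRAL_HOOK_INSTALL=1 is set.
set -eu

# Steps 1 and 2: write the configuration with the two required keys and
# the logging keys. The DSN is a credential, so only the owner may read it.
write_hook_config() {
  cfg=$1 dsn=$2 gitlab_host=$3 logfile=$4
  mkdir -p "$(dirname "$cfg")"
  cat > "$cfg" <<EOF
spectral_dsn: $dsn
gitlab_host: $gitlab_host
hook_logfile: $logfile
log_level: 3
exec_timeout: 30
spectral_args: []
EOF
  chmod 0600 "$cfg"
}

# The hook shells out to the scanner; it must resolve on PATH
# (or spectral_binary must be an absolute path).
check_spectral_binary() {
  command -v "${1:-spectral}" >/dev/null 2>&1
}

# hook_logfile must be writable by the account the hook runs as (git).
# When run as root and a user name is given, the test is done as that user.
check_logfile_writable() {
  dir=$(dirname "$1")
  [ -d "$dir" ] || return 1
  if [ -n "${2:-}" ] && [ "$(id -u)" = 0 ]; then
    su -s /bin/sh "$2" -c "test -w '$dir'"
  else
    [ -w "$dir" ]
  fi
}

# The hook never rotates its own log, so confirm that some logrotate stanza
# (a conf file or a logrotate.d directory) matches the log file: the stanza's
# path glob must sit in the same directory and match the file name.
logrotate_covers() {
  want_dir=$(dirname "$1") base=$(basename "$1")
  grep -rh '{' "$2" | tr ' \t' '\n\n' | grep '^/' | {
    while read -r pat; do
      [ "$(dirname "$pat")" = "$want_dir" ] || continue
      case "$base" in $(basename "$pat")) exit 0 ;; esac
    done
    exit 1
  }
}

# Step 4: install as a global server hook (executable, owned by git when root).
install_hook() {
  src=$1 hooks_dir=$2
  mkdir -p "$hooks_dir/pre-receive.d"
  cp "$src" "$hooks_dir/pre-receive.d/spectral-pre-receive"
  chmod 0755 "$hooks_dir/pre-receive.d/spectral-pre-receive"
  if [ "$(id -u)" = 0 ] && id git >/dev/null 2>&1; then
    chown git "$hooks_dir/pre-receive.d/spectral-pre-receive"
  fi
}

main() {
  # usage: SPECTRAL_HOOK_INSTALL=1 sh install.sh DSN GITLAB_HOST HOOK_FILE HOOKS_DIR
  dsn=$1 gitlab_host=$2 hook_file=$3 hooks_dir=$4
  cfg=/etc/spectral/git-hook/config.yml
  logfile=/var/log/gitlab/hook.log
  check_spectral_binary spectral || { echo "spectral is not on PATH" >&2; exit 1; }
  check_logfile_writable "$logfile" git || { echo "$logfile is not writable by git" >&2; exit 1; }
  logrotate_covers "$logfile" /var/opt/gitlab/logrotate || echo "warning: $logfile is not rotated" >&2
  write_hook_config "$cfg" "$dsn" "$gitlab_host" "$logfile"
  install_hook "$hook_file" "$hooks_dir"
}

if [ "${SPECTRAL_HOOK_INSTALL:-}" = "1" ]; then
  main "$@"
fi
```

The logrotate check deliberately compares directories rather than grepping for a substring: a stanza for /var/log/gitlab/gitlab-rails/*.log contains the text /var/log/gitlab, yet it does not rotate /var/log/gitlab/hook.log.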