I want to use Dastardly from Burp, PortSwigger's new DAST tool.
I actually tried it in GitLab CI/CD, but I got an error! Even when I tried it on my own server.
This is how I use it in GitLab:
Burp_DAST:
  stage: dast
  image: docker:stable
  script:
    - |
      docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e \
      DASTARDLY_TARGET_URL=$TARGET_URL -e \
      DASTARDLY_OUTPUT_FILE=/dastardly/$CI_PROJECT_NAME-dastardly-report.xml \
      public.ecr.aws/portswigger/dastardly:latest
  artifacts:
    paths:
      - "$CI_PROJECT_NAME-dastardly-report.xml"
    when: always
I get this error:
2022-11-01 12:03:09 INFO dastardly.EventLogPrinter - Nov 01 2022 11:52:22 INFORMATION Audit started.
2022-11-01 12:03:09 INFO dastardly.EventLogPrinter - Nov 01 2022 11:52:23 ERROR Could not start Burp's browser sandbox because you are running as root. Either switch to running as an unprivileged user or allow running without sandbox.
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Failing build as scanner identified issue(s) with severity higher than "INFO":
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: / Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:09 ERROR dastardly.ScanFinishedHandler - Path: /robots.txt Issue Type: Cross-origin resource sharing: arbitrary origin trusted Severity: HIGH
2022-11-01 12:03:10 INFO bsee.BurpProcess.scan.scan-1 - Deleting temporary files - please wait ... done.
EDIT
I did try it on my server and found that it works fine if you run it as any sudoer user other than root. This is the command I used:
sudo docker run --user $(id -u):$(id -g) --rm -v $(pwd):/dastardly -e DASTARDLY_TARGET_URL=$TARGET_URL -e DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml public.ecr.aws/portswigger/dastardly:latest
So how do I do this in GitLab, given that docker:dind runs as the root user and docker:dind-rootless doesn't work properly in GitLab?
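An added example, not part of either post on this page: a POSIX shell wrapper around the docker run command from the question. In a root shell (as on docker:dind) `$(id -u)` expands to 0, so the container starts as 0:0 and Dastardly refuses to launch its browser sandbox; the wrapper substitutes an explicit unprivileged uid:gid in that case. DASTARDLY_UID, DASTARDLY_GID and the 1000:1000 fallback are assumed names, not Dastardly options.

```shell
#!/bin/sh
# Added example, not from either post above: a wrapper around the docker run
# command in the question. In a root shell (docker:dind) `$(id -u)` expands to 0,
# so `--user 0:0` is passed and Dastardly refuses to start its browser sandbox.
# DASTARDLY_UID / DASTARDLY_GID are assumed names and 1000:1000 a constructed
# default; neither is a Dastardly option.

# Decide which uid:gid to hand to `docker run --user`. A non-root caller keeps
# its own ids; a root caller (uid 0) gets an explicit unprivileged id, not 0:0.
pick_run_user() {
    uid="$1"
    gid="$2"
    if [ "$uid" = "0" ]; then
        printf '%s:%s\n' "${DASTARDLY_UID:-1000}" "${DASTARDLY_GID:-1000}"
    else
        printf '%s:%s\n' "$uid" "$gid"
    fi
}

# Run the scan as a non-root user. When we are root, the report directory is
# handed to that uid so the container can write DASTARDLY_OUTPUT_FILE into the
# bind mount.
run_dastardly() {
    target="$1"
    report_dir="$2"
    report_name="$3"
    run_user="$(pick_run_user "$(id -u)" "$(id -g)")"
    mkdir -p "$report_dir"
    if [ "$(id -u)" = "0" ]; then
        chown "$run_user" "$report_dir"
    fi
    docker run --user "$run_user" --rm \
        -v "$report_dir:/dastardly" \
        -e DASTARDLY_TARGET_URL="$target" \
        -e DASTARDLY_OUTPUT_FILE="/dastardly/$report_name" \
        public.ecr.aws/portswigger/dastardly:latest
}

# Invoke from the GitLab job script as: sh dastardly.sh --run
if [ "${1:-}" = "--run" ]; then
    run_dastardly "$TARGET_URL" "$(pwd)" "$CI_PROJECT_NAME-dastardly-report.xml"
fi
```

The chosen uid must be able to write to the mounted workspace, which is why the directory is chowned before the container starts.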
Reply from a uj5u.com user:
I'm running a script that runs docker-entrypoint.sh. This is the working CI I implemented.
stages:
  - dastardly

dastardly_burpsuit:
  image:
    name: public.ecr.aws/portswigger/dastardly:latest
    entrypoint: [""]
  stage: dastardly
  variables:
    # No need to clone the repo, we exclusively work on artifacts. See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    DASTARDLY_TARGET_URL: "https://ginandjuice.shop"
    DASTARDLY_OUTPUT_FILE: "$CI_PROJECT_NAME-dastardly-report.xml"
  artifacts:
    paths:
      - "$CI_PROJECT_NAME-dastardly-report.xml"
    when: always
  script:
    - "/bin/bash /usr/local/bin/docker-entrypoint.sh dastardly"
Please credit the source when reposting. Original link: https://www.uj5u.com/caozuo/529524.html
