NERUC implements a mandatory security enforcement layer that prevents vulnerable code and secrets from ever being executed or deployed into any environment. By integrating advanced security scanning directly into your CI/CD pipeline with custom evaluation scripts, we ensure developers catch security issues early in the development cycle.
- Save Hours on Code Reviews: Automated security scanning catches issues that would otherwise require manual review
- Learn Secure Coding: Detailed vulnerability reports with explanations help developers understand and fix security issues
- Zero Vulnerable Code Execution: Custom scripts ensure no code with high-severity vulnerabilities ever runs
- Fast Feedback Loop: Get security feedback within minutes, not days or weeks
- Comprehensive Coverage: Multi-language support with specialized analyzers for different tech stacks
Our enhanced evaluation scripts provide detailed, actionable feedback that helps developers understand and fix security issues:
```yaml
.evaluate_sast_vulnerabilities: &evaluate_sast_vulnerabilities
  - |
    python3 - <<'EOF'
    # Advanced parsing with detailed reporting
    # Shows exact file locations, line numbers, and remediation guidance
    # Color-coded output for quick identification
    # Severity-based filtering (Critical/High/Medium)
    EOF

secret_detection:
  script:
    - /analyzer run
    - |
      # Custom evaluation with detailed secret reporting
      # Shows exact location of exposed secrets
      # Prevents accidental secret commits
      # Configurable soft/hard failure modes

kics-iac-sast:
  script:
    - /analyzer run
    - *evaluate_kics_vulnerabilities # Custom KICS evaluation
```

| Feature | Standard GitLab | NERUC Enhanced |
|---|---|---|
| Vulnerability Reporting | Basic JSON output | Detailed, formatted reports with file locations |
| Developer Guidance | Generic messages | Specific remediation steps and explanations |
| Severity Filtering | All vulnerabilities | Focus on Critical/High/Medium only |
| Visual Feedback | Plain text | Color-coded, emoji-enhanced output |
| Pipeline Control | Basic pass/fail | Configurable soft/hard failure modes |
```yaml
# .gitlab-ci.yml
include:
  - local: 'security/security-scanning.yml'

variables:
  SOFT_CHECK: "false"                # Set to "true" for development branches
  SCAN_KUBERNETES_MANIFESTS: "true"  # Enable IaC scanning

rules:
  - if: $CI_COMMIT_REF_NAME != "main"         # Run on all branches except main
  - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME  # Run on merge requests
```

- Python: Semgrep, Bandit
- JavaScript/TypeScript: Semgrep, ESLint security rules
- Java: SpotBugs, Semgrep
- Ruby: Brakeman, Semgrep
- PHP: PHPCS Security Audit, Semgrep
- Go: Semgrep, Gosec
- C#: Semgrep, Security Code Scan
- Kubernetes: Kubesec, KICS
- Terraform: KICS, Checkov
- Docker: Trivy, Hadolint
- Helm: KICS, Helm security rules
- API Keys: AWS, Azure, GCP, GitHub, etc.
- Database Credentials: MySQL, PostgreSQL, MongoDB
- Authentication Tokens: JWT, OAuth, Bearer tokens
- Custom Patterns: Organization-specific secret formats
| Aspect | Before NERUC | After NERUC |
|---|---|---|
| Code Review | ❌ 2-3 hours per PR | ✅ 30 minutes per PR |
| Security Issues | ❌ Found in production | ✅ Caught in development |
| Developer Learning | ❌ Trial and error | ✅ Guided remediation |
| Feedback Loop | ❌ Days/weeks | ✅ Minutes |
- Immediate Feedback: Get security insights within minutes of pushing code
- Learning Opportunity: Understand security best practices through detailed reports
- Confidence: Know your code is secure before it reaches production
- Efficiency: Focus on features, not security debugging
- Reduced Review Time: Automated security checks reduce manual review burden
- Consistent Standards: All code follows the same security baseline
- Knowledge Sharing: Security findings help educate the entire team
- Risk Reduction: Prevent security issues from reaching production
- Cost Savings: Catch issues early when they're cheaper to fix
- Compliance: Automated security enforcement for regulatory requirements
- Reputation: Maintain security standards across all projects
- Scalability: Security scales with your development team
Our enhanced scripts provide clear, actionable feedback:

```text
=== Evaluating results... ===
• [High] SQL Injection
  Description: User input is used directly in SQL query without proper sanitization
  File: src/database.py
  Resource: DatabaseConnection
  Selector: line 45
• [Critical] Hardcoded Secret
  Description: API key is hardcoded in source code
  File: config/settings.py
  Resource: (none)
  Selector: line 23
=== Summary ===
- Critical: 1
- High: 1
- Medium: 0
- Total: 2
❌ Scan failed: vulnerabilities detected!
Please review the findings above and rectify the issues before proceeding.
```
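The following is an added example, not NERUC's own evaluation script: a small Python evaluator of the kind the `python3 - <<'EOF'` step above would run, which reads a security report, keeps only Critical/High/Medium findings, prints them in the format shown above, and returns a blocking exit code on Critical/High unless soft-check mode is set. It assumes the GitLab security report shape (`vulnerabilities[]` with `severity`, `name`, `description`, `location.file`, `location.start_line`); the sample report is constructed.

```python
import json

SEVERITIES = ("Critical", "High", "Medium")   # reported, in summary order
BLOCKING = {"Critical", "High"}               # hard failure unless SOFT_CHECK is set

# Constructed sample in the GitLab report shape; a real job reads gl-sast-report.json
SAMPLE_REPORT = json.dumps({"version": "15.0.4", "vulnerabilities": [
    {"name": "SQL Injection", "severity": "High",
     "description": "User input is used directly in SQL query without proper sanitization",
     "location": {"file": "src/database.py", "start_line": 45}},
    {"name": "Hardcoded Secret", "severity": "Critical",
     "description": "API key is hardcoded in source code",
     "location": {"file": "config/settings.py", "start_line": 23}},
    {"name": "Predictable token", "severity": "Low",  # below the reporting threshold
     "description": "random.random() used for a token",
     "location": {"file": "src/token.py", "start_line": 9}},
]})


def load_findings(report_text, severities=SEVERITIES):
    """Parse the report and keep only findings at the configured severities."""
    findings = []
    for v in json.loads(report_text).get("vulnerabilities", []):
        if v.get("severity") not in severities:
            continue
        loc = v.get("location", {})
        findings.append({"severity": v["severity"], "name": v.get("name", "Unnamed"),
                         "description": v.get("description", ""),
                         "file": loc.get("file", "(unknown)"), "line": loc.get("start_line", "?")})
    return findings


def summarize(findings):
    counts = {s: sum(f["severity"] == s for f in findings) for s in SEVERITIES}
    counts["Total"] = len(findings)
    return counts


def evaluate(report_text, soft_check=False):
    """Print the findings and return the job exit code (1 blocks the pipeline)."""
    findings = load_findings(report_text)
    print("=== Evaluating results... ===")
    for f in findings:
        print(f"• [{f['severity']}] {f['name']}\n  Description: {f['description']}")
        print(f"  File: {f['file']}\n  Selector: line {f['line']}")
    print("=== Summary ===")
    for key, n in summarize(findings).items():
        print(f"- {key}: {n}")
    if any(f["severity"] in BLOCKING for f in findings) and not soft_check:
        print("❌ Scan failed: vulnerabilities detected!")
        return 1
    return 0
```

In a job, `evaluate(open("gl-sast-report.json").read(), os.environ.get("SOFT_CHECK") == "true")` would wire it to the `SOFT_CHECK` variable from the configuration above.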
- SAST Scans: Detect static vulnerabilities in source code
- Secret Detection: Identify accidentally committed secrets
- IaC Security: Scan infrastructure-as-code for misconfigurations
- Custom Evaluations: Advanced analysis with detailed reporting
- Hard Failure: Pipeline stops immediately on any Critical/High vulnerability
- Soft Failure: Pipeline continues but reports issues (configurable per branch)
- Detailed Reporting: Comprehensive vulnerability details with remediation guidance
- Documentation: GitLab SAST Documentation
- Issues: Report problems or suggest improvements
- Contributions: Help enhance the security scripts
- Contact: Reach out for collaboration or questions
Remember: Security is everyone's responsibility. NERUC makes it easier for developers to write secure code and learn from their mistakes before they become production issues.
Built with ❤️ for secure development
