Welcome#
GitLab Tanuki Shop is a GitLab-branded version of the OWASP Juice Shop, which is probably the most modern and sophisticated intentionally insecure web application! This project will help you gain a practical understanding of how to use GitLab to shift security left — meaning you find and fix security flaws during development rather than after deployment — with greater visibility and control than typical approaches can provide.
This application is brought to you by GitLab Developer Relations.
What is DevSecOps?#
DevSecOps stands for Development, Security, and Operations. It is the practice of integrating security testing and practices into every phase of the software development lifecycle (SDLC), rather than treating security as a separate step at the end.
In a traditional workflow, developers write code, operations teams deploy it, and security teams audit it after the fact. DevSecOps breaks down these silos by:
- Automating security scans directly in your CI/CD pipeline so vulnerabilities are caught early
- Giving developers actionable feedback on security issues in their merge requests, right where they work
- Enforcing security policies as code so that guardrails are consistent and auditable
- Providing visibility to security teams through dashboards, vulnerability reports, and compliance tools
GitLab is a single platform that unifies all of these capabilities — from source code management and CI/CD to security scanning, policy enforcement, and compliance — eliminating the need to stitch together multiple third-party tools.
Prerequisites#
In order to get started with this tutorial, you will need the following:
Knowledge
- Basic familiarity with Git (cloning, branching, merge requests)
- Basic understanding of CI/CD concepts (pipelines, jobs, stages)
- Basic knowledge of Kubernetes (only if deploying the application)
Software/Tools
- GitLab Ultimate Subscription — a free trial is available and includes all security features used in this tutorial
- Google Kubernetes Engine (GKE) Cluster (optional — only required for deployment and DAST scanning)
- Kubectl (optional — only required for deployment)
- Helm (optional — only required for deployment)
- Google Cloud CLI (
gcloud) (optional — only required for deployment)
GKE Cluster Requirements#
If you plan to deploy the application, you will need a GKE cluster configured as follows:
| Setting | Required Value |
|---|---|
| Cluster type | Standard (not Autopilot) |
| GKE version | 1.24 or later (required for Gateway API support) |
| Gateway API | The GKE Gateway controller must be enabled. It is enabled by default on GKE Standard clusters running version 1.24+. |
| GatewayClass | gke-l7-global-external-managed — this is the default GatewayClass provided by GKE and uses the Google Cloud Global external Application Load Balancer to expose the application |
| Machine type | Any (the application requests 100m CPU / 128Mi memory, so even e2-small nodes are sufficient) |
| Node count | 1 or more |
| Networking | The cluster must allow outbound internet access so the GitLab Agent can connect to kas.gitlab.com, and must be able to provision an external IP via the Gateway |
To create a compatible cluster with the gcloud CLI:
gcloud container clusters create tanuki-shop-cluster \
--zone us-central1-a \
--num-nodes 1 \
--machine-type e2-medium \
--gateway-api standardThe
--gateway-api standardflag ensures the Gateway API CRDs and the GKE Gateway controller are enabled on the cluster. You can verify this after creation by runningkubectl get gatewayclass— you should seegke-l7-global-external-managedin the output.
While other Kubernetes providers (EKS, AKS, self-managed) can work, this tutorial’s instructions and default Helm chart values are written for GKE. If you use a different provider, you will need to install a conformant Gateway API implementation (https://gateway-api.sigs.k8s.io/implementations/) and update the
gatewayClassNameinchart/values.yamlto match your controller.
Skipping Deployment (Static Scanning Only)#
Deploying the application to a Kubernetes cluster is only required for Dynamic Application Security Testing (DAST) and viewing the running application. If you do not have a Kubernetes cluster or prefer to focus on static security scanning, you can skip all deployment-related steps.
To skip deployment and DAST jobs in the pipeline, add the following CI/CD variable to your project:
- Navigate to Settings > CI/CD in your GitLab project
- Expand the Variables section
- Click Add variable
- Set the following:
- Key:
SKIP_DEPLOY - Value:
true - Flags: Uncheck Protect variable if you want it to apply to all branches
- Key:
- Click Add variable
With this variable set, the deploy-kubernetes and dast jobs will be automatically skipped in your pipeline. You can still complete Lessons 1 through 5 — simply skip any steps that reference deploying or accessing the running application.
You can also set this variable on a per-pipeline basis when running a pipeline manually. On the Run Pipeline page, add SKIP_DEPLOY = true under Variables before clicking Run pipeline.
Lessons#
| # | Title | Description |
|---|---|---|
| 1 | Configuring the Demo Application | Import the project and optionally deploy the application to a Kubernetes cluster |
| 2 | Setting up Security Scanners and Policies | Configure GitLab’s built-in security scanners and policy guardrails |
| 3 | Developer Security Workflows | Walk through common developer workflows involving security |
| 4 | Overseeing Security Posture | View vulnerability metrics, the software bill of materials (SBOM), and triage vulnerabilities |
| 5 | GitLab Duo AI Security Features | Use GitLab Duo AI features to explain, detect, and auto-resolve vulnerabilities |
Learning Outcomes#
After completing the lessons above, you will be able to:
- Set up comprehensive security scanning without adding a collection of new tools and processes
- Use a single platform to improve collaboration between developers and application security (AppSec) teams
- Manage all of your application vulnerabilities in one place
- Enable separation of duties and adhere to compliance requirements
- Prevent insecure code from making it into production using policy-based guardrails
- Use AI to understand, triage, and remediate vulnerabilities