Capstone Part 3: Security & Quality Gates

Fortify the health system. Implement automated security scans, secret detection, and code coverage requirements for the GlobalHealth Connect platform.

GlobalHealth Connect deals with sensitive patient data. In Part 3, we implement the "Guardians" of our pipeline: Security Scanning and Quality Gates.

1. Including Industry Standards

We will include GitLab's official CI templates so that static analysis (SAST), secret detection and dependency scanning run in every pipeline and catch the OWASP Top 10 vulnerability classes.

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

2. Enforcing the Quality Gate (Coverage)

If the test coverage of the backend drops below 85%, the pipeline must fail.

test-backend:
  stage: test
  script:
    - npm test -- --coverage
  coverage: '/All files[^|]*\|[^|]*\s+([\d\.]+)/' # Extract % from log
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage/cobertura-coverage.xml

3. Secret Detection Policy

We configure the secret scanner to be a "Blocker": a finding on the main branch fails the job instead of being reported as a warning. Note that a job-level `rules:` block replaces the template's own rules, so with this override the job runs only for commits to main.

secret_detection:
  stage: test
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      allow_failure: false # Hard fail on secrets!

4. The "Manual Review" Gate

In the GitLab UI, we will configure Merge Request Approvals (Review Module 9).

  • Any change to backend/auth.ts requires a "Maintainer" sign-off.

Exercise: The Security Sweep

  1. Why is "Secret Detection" more important than "SAST" for a healthcare app? (Review Module 9).
  2. If Dependency Scanning finds a vulnerability in a library, but there is no update available, what is your triage process? (Review Module 9).
  3. Implement a job called verify-compliance that checks if the LICENSE file exists in the repo.
  4. Search: What is the "GitLab Security Dashboard" and how will it display the results of this Part 3?

Summary

Security is now an automated part of the GlobalHealth Connect lifecycle. By implementing these gates, you ensure that the application is "Private by Design," preventing data leaks and insecure code from ever reaching a live environment.

Next Lesson: Part 4: Multi-Environment Deployment (Staging & Prod).