CHAPTER 8: Codifying Security
Having the ability to codify security controls using customized sets of rules means that your CI/CD pipelines produce repeatable, predictable results, ensuring that your applications follow a consistent path to release.
As we saw with ZAP in Chapter 7, “Baseline Scanning (or, Zap Your Apps),” and as we will see with tooling suggestions in other chapters within this section, there are a number of Open Source tools that can be used to offer return values that will pass or fail a build. In this chapter, we will look at a sophisticated tool called Gauntlt (gauntlt.org), which is perfect for creating extensible rulesets that will improve the security posture of your hosts.
Gauntlt describes itself as a “ruggedization framework that enables security testing that is usable by Devs, Ops and Security.” The documentation notes that it provides hooks into a number of security tools and makes them accessible. The language that is used by Gauntlt is intuitive and should not be a barrier to getting started, even for inexperienced users. Gauntlt, used inside or outside of pipelines, is flexible and can be configured to test many different use cases.
Security Tooling
We will start by looking at what we can expect from Gauntlt before installing it and running through some rules.
A key piece of terminology used by Gauntlt is that its tools are described as attack adapters. The website lists adapters for the following attack tools (among others, which we will look at ...
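As an added illustration, not taken from the book or from Gauntlt's own example set, here is a minimal Gauntlt attack file that uses the curl adapter to gate a build on a response header. The hostname is a constructed placeholder supplied through Gauntlt's profile table, and the file assumes curl is installed on the build runner. The scenario passes only when the application answers with an X-Frame-Options header and does not leak a server version string, so the pass/fail return value the chapter describes comes straight from the Gauntlt run:

```gherkin
# Constructed example: a Gauntlt attack file (e.g. headers.attack) that can
# be run with `gauntlt headers.attack` as a pipeline stage. A failing
# scenario gives a non-zero exit status, which fails the build.
Feature: Verify the application's HTTP response headers before release

Background:
  # The adapter check: Gauntlt refuses to run if the tool is missing.
  Given "curl" is installed
  # Profile values are substituted into <hostname> below.
  # "app.example.internal" is a placeholder, not a real target.
  And the following profile:
    | name     | value                |
    | hostname | app.example.internal |

Scenario: Security headers are present and the server banner is suppressed
  # -sI fetches only the response headers, quietly.
  When I launch a "curl" attack with:
    """
    curl -sI http://<hostname>/
    """
  # Pass condition: the clickjacking protection header must be set.
  Then the output should contain:
    """
    X-Frame-Options
    """
  # Fail condition: a version-bearing Server banner should not be exposed.
  And the output should not contain:
    """
    Server: Apache/
    """
```

The Given, When and Then steps are the same Gherkin vocabulary that Cucumber users already know, which is what makes the rules readable to developers and operations staff as well as to the security team; adding another check is a matter of adding another scenario to the same file.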