debian-mirror-gitlab/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

219 lines
6.2 KiB
YAML
Raw Normal View History

2019-12-04 20:38:33 +05:30
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
2019-07-07 11:18:12 +05:30
#
# Configure the scanning tool through the environment variables.
# List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
2019-12-21 20:55:43 +05:30
variables:
2020-05-24 23:13:21 +05:30
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
2020-07-28 23:09:34 +05:30
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec"
2020-06-23 00:09:42 +05:30
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
2019-12-26 22:10:19 +05:30
SAST_ANALYZER_IMAGE_TAG: 2
2020-05-24 23:13:21 +05:30
SAST_DISABLE_DIND: "true"
2020-01-01 13:55:28 +05:30
SCAN_KUBERNETES_MANIFESTS: "false"
2019-12-21 20:55:43 +05:30
sast:
2019-07-07 11:18:12 +05:30
stage: test
2019-12-04 20:38:33 +05:30
allow_failure: true
artifacts:
reports:
sast: gl-sast-report.json
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
when: never
- if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
2019-07-07 11:18:12 +05:30
image: docker:stable
variables:
2020-05-24 23:13:21 +05:30
SEARCH_MAX_DEPTH: 4
2019-07-07 11:18:12 +05:30
DOCKER_DRIVER: overlay2
2019-09-30 21:07:59 +05:30
DOCKER_TLS_CERTDIR: ""
2019-07-07 11:18:12 +05:30
services:
- docker:stable-dind
script:
- |
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
2019-12-26 22:10:19 +05:30
- |
2020-04-22 19:07:51 +05:30
docker run \
$(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -v -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | awk '{printf " -e %s", $0}') \
2019-07-07 11:18:12 +05:30
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
2020-05-24 23:13:21 +05:30
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
2019-12-04 20:38:33 +05:30
2020-01-01 13:55:28 +05:30
.sast-analyzer:
2019-12-21 20:55:43 +05:30
extends: sast
services: []
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
2020-10-24 23:57:45 +05:30
- if: $CI_COMMIT_BRANCH
2019-12-04 20:38:33 +05:30
script:
- /analyzer run
bandit-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/
exists:
- '**/*.py'
2019-12-04 20:38:33 +05:30
brakeman-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/
exists:
2020-06-23 00:09:42 +05:30
- 'config/routes.rb'
2019-12-04 20:38:33 +05:30
eslint-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/
exists:
- '**/*.html'
- '**/*.js'
2020-07-28 23:09:34 +05:30
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
2019-12-04 20:38:33 +05:30
flawfinder-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/
exists:
- '**/*.c'
- '**/*.cpp'
2019-12-04 20:38:33 +05:30
2020-01-01 13:55:28 +05:30
kubesec-sast:
extends: .sast-analyzer
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
2020-01-01 13:55:28 +05:30
$SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
$SCAN_KUBERNETES_MANIFESTS == 'true'
2019-12-04 20:38:33 +05:30
gosec-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/
exists:
- '**/*.go'
2019-12-04 20:38:33 +05:30
nodejs-scan-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
exists:
2020-06-23 00:09:42 +05:30
- 'package.json'
2019-12-04 20:38:33 +05:30
phpcs-security-audit-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
exists:
- '**/*.php'
2019-12-04 20:38:33 +05:30
pmd-apex-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
exists:
- '**/*.cls'
2019-12-04 20:38:33 +05:30
secrets-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
2019-12-21 20:55:43 +05:30
$SAST_DEFAULT_ANALYZERS =~ /secrets/
2019-12-04 20:38:33 +05:30
security-code-scan-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
exists:
- '**/*.csproj'
- '**/*.vbproj'
2019-12-04 20:38:33 +05:30
sobelow-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/
exists:
2020-06-23 00:09:42 +05:30
- 'mix.exs'
2019-12-04 20:38:33 +05:30
spotbugs-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/
exists:
- '**/*.groovy'
- '**/*.java'
- '**/*.scala'