debian-mirror-gitlab/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

341 lines
11 KiB
YAML
Raw Normal View History

2019-12-04 20:38:33 +05:30
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
2019-07-07 11:18:12 +05:30
#
# Configure the scanning tool through the environment variables.
# List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
2019-12-21 20:55:43 +05:30
variables:
2020-05-24 23:13:21 +05:30
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
2021-03-11 19:13:27 +05:30
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec, mobsf, semgrep"
2021-03-08 18:12:59 +05:30
SAST_EXCLUDED_ANALYZERS: ""
2020-06-23 00:09:42 +05:30
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
2019-12-26 22:10:19 +05:30
SAST_ANALYZER_IMAGE_TAG: 2
2020-01-01 13:55:28 +05:30
SCAN_KUBERNETES_MANIFESTS: "false"
2019-12-21 20:55:43 +05:30
sast:
2019-07-07 11:18:12 +05:30
stage: test
2019-12-04 20:38:33 +05:30
artifacts:
reports:
sast: gl-sast-report.json
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- when: never
2019-07-07 11:18:12 +05:30
variables:
2020-05-24 23:13:21 +05:30
SEARCH_MAX_DEPTH: 4
2019-07-07 11:18:12 +05:30
script:
2020-11-24 15:15:51 +05:30
- echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
- exit 1
2019-12-04 20:38:33 +05:30
2020-01-01 13:55:28 +05:30
.sast-analyzer:
2019-12-21 20:55:43 +05:30
extends: sast
2020-11-24 15:15:51 +05:30
allow_failure: true
2021-02-22 17:27:13 +05:30
# `rules` must be overridden explicitly by each child job
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
2019-12-04 20:38:33 +05:30
script:
- /analyzer run
bandit-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /bandit/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/
exists:
- '**/*.py'
2019-12-04 20:38:33 +05:30
brakeman-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/
exists:
2021-03-11 19:13:27 +05:30
- '**/*.rb'
- '**/Gemfile'
2019-12-04 20:38:33 +05:30
eslint-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /eslint/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/
exists:
- '**/*.html'
- '**/*.js'
2020-07-28 23:09:34 +05:30
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
2019-12-04 20:38:33 +05:30
flawfinder-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/
exists:
- '**/*.c'
- '**/*.cpp'
2019-12-04 20:38:33 +05:30
2020-01-01 13:55:28 +05:30
kubesec-sast:
extends: .sast-analyzer
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
2020-01-01 13:55:28 +05:30
$SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
$SCAN_KUBERNETES_MANIFESTS == 'true'
2019-12-04 20:38:33 +05:30
gosec-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /gosec/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/
exists:
- '**/*.go'
2019-12-04 20:38:33 +05:30
2021-06-08 01:23:25 +05:30
.mobsf-sast:
2021-01-03 14:25:43 +05:30
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2021-01-03 14:25:43 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
2021-06-08 01:23:25 +05:30
mobsf-android-sast:
extends: .mobsf-sast
2021-01-03 14:25:43 +05:30
rules:
- if: $SAST_DISABLED
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
when: never
2021-01-03 14:25:43 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
2021-06-08 01:23:25 +05:30
- '**/*.apk'
2021-01-03 14:25:43 +05:30
- '**/AndroidManifest.xml'
mobsf-ios-sast:
2021-06-08 01:23:25 +05:30
extends: .mobsf-sast
2021-01-03 14:25:43 +05:30
rules:
- if: $SAST_DISABLED
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
when: never
2021-01-03 14:25:43 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
2021-06-08 01:23:25 +05:30
- '**/*.ipa'
2021-01-03 14:25:43 +05:30
- '**/*.xcodeproj/*'
2019-12-04 20:38:33 +05:30
nodejs-scan-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
exists:
2021-02-22 17:27:13 +05:30
- '**/package.json'
2019-12-04 20:38:33 +05:30
phpcs-security-audit-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
exists:
- '**/*.php'
2019-12-04 20:38:33 +05:30
pmd-apex-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
exists:
- '**/*.cls'
2019-12-04 20:38:33 +05:30
security-code-scan-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
exists:
- '**/*.csproj'
- '**/*.vbproj'
2019-12-04 20:38:33 +05:30
2021-03-11 19:13:27 +05:30
semgrep-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2021-06-08 01:23:25 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
2021-03-11 19:13:27 +05:30
rules:
- if: $SAST_DISABLED
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
when: never
- if: $CI_COMMIT_BRANCH &&
2021-06-08 01:23:25 +05:30
$SAST_DEFAULT_ANALYZERS =~ /semgrep/
2021-03-11 19:13:27 +05:30
exists:
- '**/*.py'
2021-04-29 21:17:54 +05:30
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
2021-03-11 19:13:27 +05:30
2019-12-04 20:38:33 +05:30
sobelow-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
when: never
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/
exists:
2020-06-23 00:09:42 +05:30
- 'mix.exs'
2019-12-04 20:38:33 +05:30
spotbugs-sast:
2020-01-01 13:55:28 +05:30
extends: .sast-analyzer
2019-12-04 20:38:33 +05:30
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE"
variables:
2021-04-17 20:07:23 +05:30
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
2020-11-24 15:15:51 +05:30
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
rules:
2021-03-08 18:12:59 +05:30
- if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
when: never
2021-01-03 14:25:43 +05:30
- if: $SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
- '**/AndroidManifest.xml'
when: never
2020-11-24 15:15:51 +05:30
- if: $SAST_DISABLED
2020-05-24 23:13:21 +05:30
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/
exists:
- '**/*.groovy'
- '**/*.java'
- '**/*.scala'
2021-04-29 21:17:54 +05:30
- '**/*.kt'