2019-12-04 20:38:33 +05:30
|
|
|
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
|
2019-07-07 11:18:12 +05:30
|
|
|
#
|
2021-09-04 01:27:46 +05:30
|
|
|
# Configure dependency scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/README.html).
|
|
|
|
|
# List of available variables: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables
|
2019-07-07 11:18:12 +05:30
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
variables:
|
2020-05-24 23:13:21 +05:30
|
|
|
# Setting this variable will affect all Security templates
|
|
|
|
|
# (SAST, Dependency Scanning, ...)
|
|
|
|
|
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
|
2020-01-01 13:55:28 +05:30
|
|
|
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
|
2021-06-08 01:23:25 +05:30
|
|
|
DS_EXCLUDED_ANALYZERS: ""
|
2020-06-23 00:09:42 +05:30
|
|
|
DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
|
2019-12-26 22:10:19 +05:30
|
|
|
DS_MAJOR_VERSION: 2
|
|
|
|
|
|
2019-07-07 11:18:12 +05:30
|
|
|
dependency_scanning:
|
|
|
|
|
stage: test
|
|
|
|
|
script:
|
2020-11-24 15:15:51 +05:30
|
|
|
- echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
|
|
|
|
|
- exit 1
|
2019-07-07 11:18:12 +05:30
|
|
|
artifacts:
|
|
|
|
|
reports:
|
|
|
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
|
|
|
|
dependencies: []
|
2020-05-24 23:13:21 +05:30
|
|
|
rules:
|
2020-11-24 15:15:51 +05:30
|
|
|
- when: never
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
.ds-analyzer:
|
2019-12-26 22:10:19 +05:30
|
|
|
extends: dependency_scanning
|
2020-11-24 15:15:51 +05:30
|
|
|
allow_failure: true
|
2021-02-22 17:27:13 +05:30
|
|
|
# `rules` must be overridden explicitly by each child job
|
|
|
|
|
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
|
2019-12-26 22:10:19 +05:30
|
|
|
script:
|
|
|
|
|
- /analyzer run
|
|
|
|
|
|
|
|
|
|
gemnasium-dependency_scanning:
|
2020-01-01 13:55:28 +05:30
|
|
|
extends: .ds-analyzer
|
2019-12-26 22:10:19 +05:30
|
|
|
image:
|
2020-11-24 15:15:51 +05:30
|
|
|
name: "$DS_ANALYZER_IMAGE"
|
|
|
|
|
variables:
|
2021-04-17 20:07:23 +05:30
|
|
|
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
|
|
|
|
|
# override the analyzer image with a custom value. This may be subject to change or
|
|
|
|
|
# breakage across GitLab releases.
|
2020-11-24 15:15:51 +05:30
|
|
|
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
|
2020-05-24 23:13:21 +05:30
|
|
|
rules:
|
2020-11-24 15:15:51 +05:30
|
|
|
- if: $DEPENDENCY_SCANNING_DISABLED
|
2020-05-24 23:13:21 +05:30
|
|
|
when: never
|
2021-06-08 01:23:25 +05:30
|
|
|
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
|
|
|
|
|
when: never
|
2020-05-24 23:13:21 +05:30
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
|
|
|
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
|
|
|
|
|
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
|
|
|
|
|
exists:
|
|
|
|
|
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
|
|
|
|
|
- '{composer.lock,*/composer.lock,*/*/composer.lock}'
|
|
|
|
|
- '{gems.locked,*/gems.locked,*/*/gems.locked}'
|
|
|
|
|
- '{go.sum,*/go.sum,*/*/go.sum}'
|
|
|
|
|
- '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
|
|
|
|
|
- '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
|
|
|
|
|
- '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
|
2020-10-24 23:57:45 +05:30
|
|
|
- '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
|
2020-11-24 15:15:51 +05:30
|
|
|
- '{conan.lock,*/conan.lock,*/*/conan.lock}'
|
2019-12-26 22:10:19 +05:30
|
|
|
|
|
|
|
|
gemnasium-maven-dependency_scanning:
|
2020-01-01 13:55:28 +05:30
|
|
|
extends: .ds-analyzer
|
2019-12-26 22:10:19 +05:30
|
|
|
image:
|
2020-11-24 15:15:51 +05:30
|
|
|
name: "$DS_ANALYZER_IMAGE"
|
|
|
|
|
variables:
|
2021-04-17 20:07:23 +05:30
|
|
|
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
|
|
|
|
|
# override the analyzer image with a custom value. This may be subject to change or
|
|
|
|
|
# breakage across GitLab releases.
|
2020-11-24 15:15:51 +05:30
|
|
|
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
|
2020-05-24 23:13:21 +05:30
|
|
|
rules:
|
2020-11-24 15:15:51 +05:30
|
|
|
- if: $DEPENDENCY_SCANNING_DISABLED
|
2020-05-24 23:13:21 +05:30
|
|
|
when: never
|
2021-06-08 01:23:25 +05:30
|
|
|
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
|
|
|
|
|
when: never
|
2020-05-24 23:13:21 +05:30
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
|
|
|
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
|
|
|
|
|
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
|
|
|
|
|
exists:
|
|
|
|
|
- '{build.gradle,*/build.gradle,*/*/build.gradle}'
|
2020-06-23 00:09:42 +05:30
|
|
|
- '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
|
2020-05-24 23:13:21 +05:30
|
|
|
- '{build.sbt,*/build.sbt,*/*/build.sbt}'
|
|
|
|
|
- '{pom.xml,*/pom.xml,*/*/pom.xml}'
|
2019-12-26 22:10:19 +05:30
|
|
|
|
|
|
|
|
gemnasium-python-dependency_scanning:
|
2020-01-01 13:55:28 +05:30
|
|
|
extends: .ds-analyzer
|
2019-12-26 22:10:19 +05:30
|
|
|
image:
|
2020-11-24 15:15:51 +05:30
|
|
|
name: "$DS_ANALYZER_IMAGE"
|
|
|
|
|
variables:
|
2021-04-17 20:07:23 +05:30
|
|
|
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
|
|
|
|
|
# override the analyzer image with a custom value. This may be subject to change or
|
|
|
|
|
# breakage across GitLab releases.
|
2020-11-24 15:15:51 +05:30
|
|
|
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
|
2020-05-24 23:13:21 +05:30
|
|
|
rules:
|
2020-11-24 15:15:51 +05:30
|
|
|
- if: $DEPENDENCY_SCANNING_DISABLED
|
2020-05-24 23:13:21 +05:30
|
|
|
when: never
|
2021-06-08 01:23:25 +05:30
|
|
|
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
|
|
|
|
|
when: never
|
2020-05-24 23:13:21 +05:30
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
|
|
|
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
|
|
|
|
|
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
|
|
|
|
|
exists:
|
|
|
|
|
- '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
|
|
|
|
|
- '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
|
|
|
|
|
- '{Pipfile,*/Pipfile,*/*/Pipfile}'
|
|
|
|
|
- '{requires.txt,*/requires.txt,*/*/requires.txt}'
|
|
|
|
|
- '{setup.py,*/setup.py,*/*/setup.py}'
|
2020-10-24 23:57:45 +05:30
|
|
|
# Support passing of $PIP_REQUIREMENTS_FILE
|
|
|
|
|
# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
|
2020-05-24 23:13:21 +05:30
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
|
|
|
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
|
|
|
|
|
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
|
|
|
|
|
$PIP_REQUIREMENTS_FILE
|
2019-12-26 22:10:19 +05:30
|
|
|
|
|
|
|
|
bundler-audit-dependency_scanning:
|
2020-01-01 13:55:28 +05:30
|
|
|
extends: .ds-analyzer
|
2019-12-26 22:10:19 +05:30
|
|
|
image:
|
2020-11-24 15:15:51 +05:30
|
|
|
name: "$DS_ANALYZER_IMAGE"
|
|
|
|
|
variables:
|
2021-04-17 20:07:23 +05:30
|
|
|
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
|
|
|
|
|
# override the analyzer image with a custom value. This may be subject to change or
|
|
|
|
|
# breakage across GitLab releases.
|
2020-11-24 15:15:51 +05:30
|
|
|
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
|
2020-05-24 23:13:21 +05:30
|
|
|
rules:
|
2020-11-24 15:15:51 +05:30
|
|
|
- if: $DEPENDENCY_SCANNING_DISABLED
|
2020-05-24 23:13:21 +05:30
|
|
|
when: never
|
2021-06-08 01:23:25 +05:30
|
|
|
- if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
|
|
|
|
|
when: never
|
2020-05-24 23:13:21 +05:30
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
|
|
|
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
|
|
|
|
|
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/
|
|
|
|
|
exists:
|
|
|
|
|
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
|
2019-12-26 22:10:19 +05:30
|
|
|
|
|
|
|
|
retire-js-dependency_scanning:
|
2020-01-01 13:55:28 +05:30
|
|
|
extends: .ds-analyzer
|
2019-12-26 22:10:19 +05:30
|
|
|
image:
|
2020-11-24 15:15:51 +05:30
|
|
|
name: "$DS_ANALYZER_IMAGE"
|
|
|
|
|
variables:
|
2021-04-17 20:07:23 +05:30
|
|
|
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
|
|
|
|
|
# override the analyzer image with a custom value. This may be subject to change or
|
|
|
|
|
# breakage across GitLab releases.
|
2020-11-24 15:15:51 +05:30
|
|
|
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
|
2020-05-24 23:13:21 +05:30
|
|
|
rules:
|
2020-11-24 15:15:51 +05:30
|
|
|
- if: $DEPENDENCY_SCANNING_DISABLED
|
2020-05-24 23:13:21 +05:30
|
|
|
when: never
|
2021-06-08 01:23:25 +05:30
|
|
|
- if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
|
|
|
|
|
when: never
|
2020-05-24 23:13:21 +05:30
|
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
|
|
|
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
|
|
|
|
|
$DS_DEFAULT_ANALYZERS =~ /retire.js/
|
|
|
|
|
exists:
|
|
|
|
|
- '{package.json,*/package.json,*/*/package.json}'
|
