debian-mirror-gitlab/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml

180 lines
6.5 KiB
YAML
Raw Normal View History

2019-12-04 20:38:33 +05:30
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
2019-07-07 11:18:12 +05:30
#
# Configure the scanning tool through the environment variables.
# List of the variables: https://gitlab.com/gitlab-org/security-products/dependency-scanning#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
2019-12-26 22:10:19 +05:30
variables:
2020-05-24 23:13:21 +05:30
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
2020-01-01 13:55:28 +05:30
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
2020-06-23 00:09:42 +05:30
DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
2019-12-26 22:10:19 +05:30
DS_MAJOR_VERSION: 2
2020-05-24 23:13:21 +05:30
DS_DISABLE_DIND: "true"
2019-12-26 22:10:19 +05:30
2019-07-07 11:18:12 +05:30
dependency_scanning:
stage: test
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
2019-09-30 21:07:59 +05:30
DOCKER_TLS_CERTDIR: ""
2019-07-07 11:18:12 +05:30
allow_failure: true
services:
- docker:stable-dind
script:
- |
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
2019-07-31 22:56:46 +05:30
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
function propagate_env_vars() {
CURRENT_ENV=$(printenv)
for VAR_NAME; do
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
done
}
2019-07-07 11:18:12 +05:30
- |
docker run \
2019-07-31 22:56:46 +05:30
$(propagate_env_vars \
DS_ANALYZER_IMAGES \
2020-07-28 23:09:34 +05:30
SECURE_ANALYZERS_PREFIX \
2019-07-31 22:56:46 +05:30
DS_ANALYZER_IMAGE_TAG \
DS_DEFAULT_ANALYZERS \
DS_EXCLUDED_PATHS \
DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
DS_PULL_ANALYZER_IMAGE_TIMEOUT \
DS_RUN_ANALYZER_TIMEOUT \
2019-09-30 21:07:59 +05:30
DS_PYTHON_VERSION \
2020-01-01 13:55:28 +05:30
DS_PIP_VERSION \
2019-10-12 21:52:04 +05:30
DS_PIP_DEPENDENCY_PATH \
2020-07-28 23:09:34 +05:30
DS_JAVA_VERSION \
2020-03-13 15:44:24 +05:30
GEMNASIUM_DB_LOCAL_PATH \
GEMNASIUM_DB_REMOTE_URL \
GEMNASIUM_DB_REF_NAME \
2019-09-30 21:07:59 +05:30
PIP_INDEX_URL \
PIP_EXTRA_INDEX_URL \
2020-01-01 13:55:28 +05:30
PIP_REQUIREMENTS_FILE \
2019-12-26 22:10:19 +05:30
MAVEN_CLI_OPTS \
2020-04-22 19:07:51 +05:30
GRADLE_CLI_OPTS \
SBT_CLI_OPTS \
2020-01-01 13:55:28 +05:30
BUNDLER_AUDIT_UPDATE_DISABLED \
2020-03-13 15:44:24 +05:30
BUNDLER_AUDIT_ADVISORY_DB_URL \
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
2020-04-08 14:13:33 +05:30
RETIREJS_JS_ADVISORY_DB \
RETIREJS_NODE_ADVISORY_DB \
2020-04-22 19:07:51 +05:30
DS_REMEDIATE \
2019-07-31 22:56:46 +05:30
) \
2019-07-07 11:18:12 +05:30
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
2020-05-24 23:13:21 +05:30
"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
2019-07-07 11:18:12 +05:30
artifacts:
reports:
dependency_scanning: gl-dependency-scanning-report.json
dependencies: []
2020-05-24 23:13:21 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'true'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
2019-12-26 22:10:19 +05:30
2020-01-01 13:55:28 +05:30
.ds-analyzer:
2019-12-26 22:10:19 +05:30
extends: dependency_scanning
services: []
2020-05-24 23:13:21 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
2019-12-26 22:10:19 +05:30
script:
- /analyzer run
gemnasium-dependency_scanning:
2020-01-01 13:55:28 +05:30
extends: .ds-analyzer
2019-12-26 22:10:19 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
2020-05-24 23:13:21 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
- '{composer.lock,*/composer.lock,*/*/composer.lock}'
- '{gems.locked,*/gems.locked,*/*/gems.locked}'
- '{go.sum,*/go.sum,*/*/go.sum}'
- '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
- '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
- '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
2020-10-24 23:57:45 +05:30
- '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
2019-12-26 22:10:19 +05:30
gemnasium-maven-dependency_scanning:
2020-01-01 13:55:28 +05:30
extends: .ds-analyzer
2019-12-26 22:10:19 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
2020-05-24 23:13:21 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
exists:
- '{build.gradle,*/build.gradle,*/*/build.gradle}'
2020-06-23 00:09:42 +05:30
- '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
2020-05-24 23:13:21 +05:30
- '{build.sbt,*/build.sbt,*/*/build.sbt}'
- '{pom.xml,*/pom.xml,*/*/pom.xml}'
2019-12-26 22:10:19 +05:30
gemnasium-python-dependency_scanning:
2020-01-01 13:55:28 +05:30
extends: .ds-analyzer
2019-12-26 22:10:19 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
2020-05-24 23:13:21 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
exists:
- '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
- '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
- '{Pipfile,*/Pipfile,*/*/Pipfile}'
- '{requires.txt,*/requires.txt,*/*/requires.txt}'
- '{setup.py,*/setup.py,*/*/setup.py}'
2020-10-24 23:57:45 +05:30
# Support passing of $PIP_REQUIREMENTS_FILE
# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
2020-05-24 23:13:21 +05:30
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$PIP_REQUIREMENTS_FILE
2019-12-26 22:10:19 +05:30
bundler-audit-dependency_scanning:
2020-01-01 13:55:28 +05:30
extends: .ds-analyzer
2019-12-26 22:10:19 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
2020-05-24 23:13:21 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/
exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
2019-12-26 22:10:19 +05:30
retire-js-dependency_scanning:
2020-01-01 13:55:28 +05:30
extends: .ds-analyzer
2019-12-26 22:10:19 +05:30
image:
2020-07-28 23:09:34 +05:30
name: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
2020-05-24 23:13:21 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/
exists:
- '{package.json,*/package.json,*/*/package.json}'