debian-mirror-gitlab/.gitlab/ci/reports.gitlab-ci.yml

179 lines
5.6 KiB
YAML
Raw Normal View History

2019-12-04 20:38:33 +05:30
# include:
2020-03-13 15:44:24 +05:30
# - template: Jobs/Code-Quality.gitlab-ci.yml
2019-12-04 20:38:33 +05:30
# - template: Security/SAST.gitlab-ci.yml
# - template: Security/Dependency-Scanning.gitlab-ci.yml
# - template: Security/DAST.gitlab-ci.yml
2019-07-31 22:56:46 +05:30
2021-03-08 18:12:59 +05:30
# We need to duplicate this job's definition because the rules
# defined in the extended jobs rely on local YAML anchors
# (`*if-default-refs`)
2019-07-31 22:56:46 +05:30
code_quality:
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2020-03-13 15:44:24 +05:30
- .reports:rules:code_quality
2020-04-22 19:07:51 +05:30
- .use-docker-in-docker
2019-12-04 20:38:33 +05:30
stage: test
2020-04-08 14:13:33 +05:30
needs: []
2019-12-04 20:38:33 +05:30
variables:
2021-01-29 00:20:46 +05:30
CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.18"
2019-12-04 20:38:33 +05:30
script:
- |
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
2020-01-01 13:55:28 +05:30
- docker pull --quiet "$CODE_QUALITY_IMAGE"
2019-12-04 20:38:33 +05:30
- docker run
--env SOURCE_CODE="$PWD"
--volume "$PWD":/code
--volume /var/run/docker.sock:/var/run/docker.sock
2020-01-01 13:55:28 +05:30
"$CODE_QUALITY_IMAGE" /code
2019-12-04 20:38:33 +05:30
artifacts:
reports:
codequality: gl-code-quality-report.json
2020-01-01 13:55:28 +05:30
paths:
2020-03-13 15:44:24 +05:30
- gl-code-quality-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
2019-07-31 22:56:46 +05:30
2021-03-08 18:12:59 +05:30
# We need to duplicate this job's definition because the rules
# defined in the extended jobs rely on local YAML anchors
# (`*if-default-refs`)
2020-04-22 19:07:51 +05:30
.sast:
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2020-03-13 15:44:24 +05:30
- .reports:rules:sast
2019-12-04 20:38:33 +05:30
stage: test
2020-04-22 19:07:51 +05:30
# `needs: []` starts the job immediately in the pipeline
# https://docs.gitlab.com/ee/ci/yaml/README.html#needs
2020-04-08 14:13:33 +05:30
needs: []
2020-03-13 15:44:24 +05:30
artifacts:
paths:
- gl-sast-report.json # GitLab-specific
reports:
sast: gl-sast-report.json
expire_in: 1 week # GitLab-specific
2019-09-30 21:07:59 +05:30
variables:
2019-12-04 20:38:33 +05:30
DOCKER_TLS_CERTDIR: ""
2020-04-22 19:07:51 +05:30
SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_ANALYZER_IMAGE_TAG: 2
2020-03-13 15:44:24 +05:30
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
2020-10-24 23:57:45 +05:30
SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec,config/gitlab.yml.example # GitLab-specific
2020-07-28 23:09:34 +05:30
SAST_DISABLE_BABEL: "true"
2019-12-04 20:38:33 +05:30
script:
2020-04-22 19:07:51 +05:30
- /analyzer run
brakeman-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
eslint-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
2020-07-28 23:09:34 +05:30
nodejs-scan-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
2020-04-22 19:07:51 +05:30
secrets-sast:
extends: .sast
image:
2020-11-24 15:15:51 +05:30
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:3"
artifacts:
paths:
- gl-secret-detection-report.json # GitLab-specific
reports:
sast: gl-secret-detection-report.json
expire_in: 1 week # GitLab-specific
2019-07-31 22:56:46 +05:30
2021-03-08 18:12:59 +05:30
# We need to duplicate this job's definition because the rules
# defined in the extended jobs rely on local YAML anchors
# (`*if-default-refs`)
.dependency_scanning:
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2020-03-13 15:44:24 +05:30
- .reports:rules:dependency_scanning
2019-12-04 20:38:33 +05:30
stage: test
2020-04-08 14:13:33 +05:30
needs: []
2019-12-04 20:38:33 +05:30
variables:
2020-06-23 00:09:42 +05:30
DS_MAJOR_VERSION: 2
2021-03-08 18:12:59 +05:30
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec" # GitLab-specific
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
2019-12-04 20:38:33 +05:30
artifacts:
2020-03-13 15:44:24 +05:30
paths:
- gl-dependency-scanning-report.json # GitLab-specific
2019-12-04 20:38:33 +05:30
reports:
dependency_scanning: gl-dependency-scanning-report.json
2020-03-13 15:44:24 +05:30
expire_in: 1 week # GitLab-specific
2021-03-08 18:12:59 +05:30
script:
- /analyzer run
dependency_scanning gemnasium:
extends: .dependency_scanning
image:
name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
before_script:
# git-lfs is needed for auto-remediation
- apk add git-lfs
after_script:
# Post-processing
- apk add jq
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
dependency_scanning bundler-audit:
extends: .dependency_scanning
image:
name: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
dependency_scanning retire-js:
extends: .dependency_scanning
image:
name: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
dependency_scanning gemnasium-python:
extends: .dependency_scanning
image:
name: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
2021-01-03 14:25:43 +05:30
2021-03-08 18:12:59 +05:30
# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
2021-01-29 00:20:46 +05:30
package_hunter:
extends:
- .reports:schedule-dast
stage: test
image:
name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:latest
entrypoint: [""]
needs: []
script:
- rm -r spec locale .git app/assets/images doc/
- cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
- DEBUG=* HTR_user=$PACKAGE_HUNTER_USER HTR_pass=$PACKAGE_HUNTER_PASS node /usr/src/app/cli.js analyze --format gitlab gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
artifacts:
paths:
- gl-dependency-scanning-report.json # GitLab-specific
reports:
dependency_scanning: gl-dependency-scanning-report.json
expire_in: 1 week # GitLab-specific
2021-01-03 14:25:43 +05:30
license_scanning:
extends:
- .default-retry
- .reports:rules:license_scanning
stage: test
image:
name: "registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3"
entrypoint: [""]
needs: []
script:
- /run.sh analyze .
artifacts:
reports:
license_scanning: gl-license-scanning-report.json
expire_in: 1 week # GitLab-specific
dependencies: []