2022-06-21 17:19:12 +05:30
|
|
|
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
|
|
|
|
#
|
|
|
|
# Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
|
|
|
|
# List of available variables: https://docs.gitlab.com/ee/user/application_security/iac_scanning/index.html
|
|
|
|
|
2021-12-11 22:18:48 +05:30
|
|
|
variables:
|
|
|
|
# Setting this variable will affect all Security templates
|
|
|
|
# (SAST, Dependency Scanning, ...)
|
2022-08-27 11:52:29 +05:30
|
|
|
SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
|
2022-06-21 17:19:12 +05:30
|
|
|
SAST_IMAGE_SUFFIX: ""
|
|
|
|
|
2021-12-11 22:18:48 +05:30
|
|
|
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
|
|
|
|
|
|
|
|
iac-sast:
|
|
|
|
stage: test
|
|
|
|
artifacts:
|
|
|
|
reports:
|
|
|
|
sast: gl-sast-report.json
|
|
|
|
rules:
|
|
|
|
- when: never
|
|
|
|
# `rules` must be overridden explicitly by each child job
|
|
|
|
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
|
|
|
|
variables:
|
|
|
|
SEARCH_MAX_DEPTH: 4
|
|
|
|
allow_failure: true
|
|
|
|
script:
|
|
|
|
- /analyzer run
|
|
|
|
|
|
|
|
kics-iac-sast:
|
|
|
|
extends: iac-sast
|
|
|
|
image:
|
|
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
|
|
variables:
|
2022-08-27 11:52:29 +05:30
|
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
2022-06-21 17:19:12 +05:30
|
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
|
2021-12-11 22:18:48 +05:30
|
|
|
rules:
|
|
|
|
- if: $SAST_DISABLED
|
|
|
|
when: never
|
|
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
|
|
|
|
when: never
|
2022-08-27 11:52:29 +05:30
|
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
|
|
when: never
|
|
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|