debian-mirror-gitlab/.gitlab/ci/reports.gitlab-ci.yml

189 lines
6.1 KiB
YAML
Raw Normal View History

2019-12-04 20:38:33 +05:30
# include:
2020-03-13 15:44:24 +05:30
# - template: Jobs/Code-Quality.gitlab-ci.yml
2019-12-04 20:38:33 +05:30
# - template: Security/SAST.gitlab-ci.yml
# - template: Security/Dependency-Scanning.gitlab-ci.yml
# - template: Security/DAST.gitlab-ci.yml
2019-07-31 22:56:46 +05:30
2019-12-04 20:38:33 +05:30
# We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`.
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
2019-07-31 22:56:46 +05:30
code_quality:
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2020-03-13 15:44:24 +05:30
- .reports:rules:code_quality
2020-04-22 19:07:51 +05:30
- .use-docker-in-docker
2019-12-04 20:38:33 +05:30
stage: test
2020-04-08 14:13:33 +05:30
needs: []
2019-12-04 20:38:33 +05:30
variables:
2020-04-08 14:13:33 +05:30
CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.9"
2019-12-04 20:38:33 +05:30
script:
- |
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
2020-01-01 13:55:28 +05:30
- docker pull --quiet "$CODE_QUALITY_IMAGE"
2019-12-04 20:38:33 +05:30
- docker run
--env SOURCE_CODE="$PWD"
--volume "$PWD":/code
--volume /var/run/docker.sock:/var/run/docker.sock
2020-01-01 13:55:28 +05:30
"$CODE_QUALITY_IMAGE" /code
2019-12-04 20:38:33 +05:30
artifacts:
reports:
codequality: gl-code-quality-report.json
2020-01-01 13:55:28 +05:30
paths:
2020-03-13 15:44:24 +05:30
- gl-code-quality-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
2019-07-31 22:56:46 +05:30
2019-12-04 20:38:33 +05:30
# We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`.
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
2020-04-22 19:07:51 +05:30
.sast:
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2020-03-13 15:44:24 +05:30
- .reports:rules:sast
2019-12-04 20:38:33 +05:30
stage: test
2020-04-22 19:07:51 +05:30
# `needs: []` starts the job immediately in the pipeline
# https://docs.gitlab.com/ee/ci/yaml/README.html#needs
2020-04-08 14:13:33 +05:30
needs: []
2020-03-13 15:44:24 +05:30
artifacts:
paths:
- gl-sast-report.json # GitLab-specific
reports:
sast: gl-sast-report.json
expire_in: 1 week # GitLab-specific
2019-09-30 21:07:59 +05:30
variables:
2019-12-04 20:38:33 +05:30
DOCKER_TLS_CERTDIR: ""
2020-04-22 19:07:51 +05:30
SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_ANALYZER_IMAGE_TAG: 2
2020-03-13 15:44:24 +05:30
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec # GitLab-specific
2019-12-04 20:38:33 +05:30
script:
2020-04-22 19:07:51 +05:30
- /analyzer run
brakeman-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
eslint-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
2020-05-24 23:13:21 +05:30
# Temporary disabled as it's constantly failing. See https://gitlab.com/gitlab-org/gitlab/-/issues/213769.
# nodejs-scan-sast:
# extends: .sast
# image:
# name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
2020-04-22 19:07:51 +05:30
secrets-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
2019-07-31 22:56:46 +05:30
2019-12-04 20:38:33 +05:30
# We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`.
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
2019-07-31 22:56:46 +05:30
dependency_scanning:
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2020-03-13 15:44:24 +05:30
- .reports:rules:dependency_scanning
2020-04-22 19:07:51 +05:30
- .use-docker-in-docker
2019-12-04 20:38:33 +05:30
stage: test
2020-04-08 14:13:33 +05:30
needs: []
2019-12-04 20:38:33 +05:30
variables:
2020-06-23 00:09:42 +05:30
DS_MAJOR_VERSION: 2
2020-03-13 15:44:24 +05:30
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports,spec,ee/spec" # GitLab-specific
2019-12-04 20:38:33 +05:30
script:
- |
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
function propagate_env_vars() {
CURRENT_ENV=$(printenv)
for VAR_NAME; do
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
done
}
- |
docker run \
$(propagate_env_vars \
DS_ANALYZER_IMAGES \
DS_ANALYZER_IMAGE_PREFIX \
DS_ANALYZER_IMAGE_TAG \
DS_DEFAULT_ANALYZERS \
DS_EXCLUDED_PATHS \
DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
DS_PULL_ANALYZER_IMAGE_TIMEOUT \
DS_RUN_ANALYZER_TIMEOUT \
DS_PYTHON_VERSION \
2020-03-13 15:44:24 +05:30
DS_PIP_VERSION \
2019-12-04 20:38:33 +05:30
DS_PIP_DEPENDENCY_PATH \
2020-03-13 15:44:24 +05:30
GEMNASIUM_DB_LOCAL_PATH \
GEMNASIUM_DB_REMOTE_URL \
GEMNASIUM_DB_REF_NAME \
2019-12-04 20:38:33 +05:30
PIP_INDEX_URL \
PIP_EXTRA_INDEX_URL \
2020-03-13 15:44:24 +05:30
PIP_REQUIREMENTS_FILE \
MAVEN_CLI_OPTS \
BUNDLER_AUDIT_UPDATE_DISABLED \
BUNDLER_AUDIT_ADVISORY_DB_URL \
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
2019-12-04 20:38:33 +05:30
) \
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
2020-06-23 00:09:42 +05:30
"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
2019-12-04 20:38:33 +05:30
artifacts:
2020-03-13 15:44:24 +05:30
paths:
- gl-dependency-scanning-report.json # GitLab-specific
2019-12-04 20:38:33 +05:30
reports:
dependency_scanning: gl-dependency-scanning-report.json
2020-03-13 15:44:24 +05:30
expire_in: 1 week # GitLab-specific
2019-12-04 20:38:33 +05:30
2020-06-23 00:09:42 +05:30
# Temporarily disabling review apps
## We need to duplicate this job's definition because it seems it's impossible to
## override an included `only.refs`.
## See https://gitlab.com/gitlab-org/gitlab/issues/31371.
#dast:
# extends:
# - .default-retry
# - .reports:rules:dast
# # This is needed so that manual jobs with needs don't block the pipeline.
# # See https://gitlab.com/gitlab-org/gitlab/-/issues/199979.
# dependencies: ["review-deploy"]
# stage: qa # GitLab-specific
# image:
# name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
# variables:
# # To be done in a later iteration
# # DAST_USERNAME: "root"
# # DAST_USERNAME_FIELD: "user[login]"
# # DAST_PASSWORD_FIELD: "user[passowrd]"
# DAST_VERSION: 1
# script:
# - 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"'
# # To be done in a later iteration
# # - 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"'
# # - 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"'
# - /analyze -t $DAST_WEBSITE
# artifacts:
# paths:
# - gl-dast-report.json # GitLab-specific
# reports:
# dast: gl-dast-report.json
# expire_in: 1 week # GitLab-specific
2020-03-13 15:44:24 +05:30
# To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
# schedule:dast:
# extends:
# - dast
# - .reports:schedule-dast
# variables:
# DAST_FULL_SCAN_ENABLED: "true"