debian-mirror-gitlab/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

263 lines
7.3 KiB
YAML
Raw Normal View History

2021-09-30 23:02:18 +05:30
# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml
2020-05-24 23:13:21 +05:30
# This template should be used when Security Products (https://about.gitlab.com/handbook/engineering/development/secure/#security-products)
# have to be downloaded and stored locally.
#
# Usage:
#
2021-09-30 23:02:18 +05:30
# include:
# - template: Secure-Binaries.gitlab-ci.yml
2020-05-24 23:13:21 +05:30
#
# Docs: https://docs.gitlab.com/ee/topics/airgap/
variables:
2022-05-07 20:08:51 +05:30
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
2022-08-27 11:52:29 +05:30
SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
2020-05-24 23:13:21 +05:30
SECURE_BINARIES_ANALYZERS: >-
2022-07-16 23:28:13 +05:30
bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep, gemnasium, gemnasium-maven, gemnasium-python,
2020-05-24 23:13:21 +05:30
license-finder,
2022-07-23 23:45:48 +05:30
dast, dast-runner-validation, api-security
2020-05-24 23:13:21 +05:30
SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
SECURE_BINARIES_PUSH_IMAGES: "true"
SECURE_BINARIES_SAVE_ARTIFACTS: "false"
SECURE_BINARIES_ANALYZER_VERSION: "2"
.download_images:
allow_failure: true
image: docker:stable
only:
refs:
- branches
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
services:
- docker:stable-dind
script:
- docker info
- env
2022-05-07 20:08:51 +05:30
- if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
2020-07-28 23:09:34 +05:30
- docker pull --quiet ${SECURE_BINARIES_IMAGE}
2020-05-24 23:13:21 +05:30
- mkdir -p output/$(dirname ${CI_JOB_NAME})
- |
if [ "$SECURE_BINARIES_SAVE_ARTIFACTS" = "true" ]; then
docker save ${SECURE_BINARIES_IMAGE} | gzip > output/${CI_JOB_NAME}_${SECURE_BINARIES_ANALYZER_VERSION}.tar.gz
sha256sum output/${CI_JOB_NAME}_${SECURE_BINARIES_ANALYZER_VERSION}.tar.gz > output/${CI_JOB_NAME}_${SECURE_BINARIES_ANALYZER_VERSION}.tar.gz.sha256sum
fi
- |
if [ "$SECURE_BINARIES_PUSH_IMAGES" = "true" ]; then
docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
docker tag ${SECURE_BINARIES_IMAGE} ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}
docker push ${CI_REGISTRY_IMAGE}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}
fi
artifacts:
paths:
- output/
#
# SAST jobs
#
bandit:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "2"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bbandit\b/
brakeman:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/
gosec:
extends: .download_images
2021-09-04 01:27:46 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bgosec\b/
spotbugs:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bspotbugs\b/
flawfinder:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bflawfinder\b/
phpcs-security-audit:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bphpcs-security-audit\b/
security-code-scan:
extends: .download_images
2022-04-04 11:22:00 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsecurity-code-scan\b/
nodejs-scan:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bnodejs-scan\b/
eslint:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "2"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\beslint\b/
secrets:
extends: .download_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
2021-01-29 00:20:46 +05:30
variables:
2022-07-16 23:28:13 +05:30
SECURE_BINARIES_ANALYZER_VERSION: "4"
2020-05-24 23:13:21 +05:30
2021-06-08 01:23:25 +05:30
semgrep:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2021-06-08 01:23:25 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsemgrep\b/
2020-05-24 23:13:21 +05:30
sobelow:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsobelow\b/
pmd-apex:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
kubesec:
extends: .download_images
2022-07-16 23:28:13 +05:30
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bkubesec\b/
#
# Dependency Scanning jobs
#
gemnasium:
extends: .download_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bgemnasium\b/
gemnasium-maven:
extends: .download_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-maven\b/
gemnasium-python:
extends: .download_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-python\b/
#
# License Scanning
#
license-finder:
extends: .download_images
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\blicense-finder\b/
#
# DAST
#
dast:
extends: .download_images
variables:
2021-09-30 23:02:18 +05:30
SECURE_BINARIES_ANALYZER_VERSION: "2"
2020-05-24 23:13:21 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
2021-06-08 01:23:25 +05:30
2021-10-27 15:23:28 +05:30
dast-runner-validation:
extends: .download_images
variables:
SECURE_BINARIES_ANALYZER_VERSION: "1"
2022-08-27 11:52:29 +05:30
SECURE_BINARIES_IMAGE: "${CI_TEMPLATE_REGISTRY_HOST}/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
2021-10-27 15:23:28 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/
2022-07-23 23:45:48 +05:30
api-security:
2021-06-08 01:23:25 +05:30
extends: .download_images
variables:
2022-07-23 23:45:48 +05:30
SECURE_BINARIES_ANALYZER_VERSION: "2"
2021-06-08 01:23:25 +05:30
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
2022-07-23 23:45:48 +05:30
$SECURE_BINARIES_ANALYZERS =~ /\bapi-security\b/