debian-mirror-gitlab/.gitlab/ci/reports.gitlab-ci.yml

141 lines
4.1 KiB
YAML
Raw Normal View History

2021-06-08 01:23:25 +05:30
include:
- template: Jobs/Code-Quality.gitlab-ci.yml
2021-11-18 22:05:49 +05:30
- template: Jobs/SAST.gitlab-ci.yml
- template: Jobs/Secret-Detection.gitlab-ci.yml
2021-06-08 01:23:25 +05:30
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml
2019-07-31 22:56:46 +05:30
code_quality:
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2020-04-22 19:07:51 +05:30
- .use-docker-in-docker
2019-12-04 20:38:33 +05:30
artifacts:
2020-01-01 13:55:28 +05:30
paths:
2020-03-13 15:44:24 +05:30
- gl-code-quality-report.json # GitLab-specific
2021-06-08 01:23:25 +05:30
rules: !reference [".reports:rules:code_quality", rules]
2021-11-18 22:05:49 +05:30
allow_failure: true
2019-07-31 22:56:46 +05:30
2021-06-08 01:23:25 +05:30
.sast-analyzer:
# We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2021-06-08 01:23:25 +05:30
- sast
2020-04-08 14:13:33 +05:30
needs: []
2020-03-13 15:44:24 +05:30
artifacts:
paths:
- gl-sast-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
2019-09-30 21:07:59 +05:30
variables:
2020-03-13 15:44:24 +05:30
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
2021-06-08 01:23:25 +05:30
SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp" # GitLab-specific
2021-11-18 22:05:49 +05:30
SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint, nodejs-scan
2020-04-22 19:07:51 +05:30
brakeman-sast:
2021-11-18 22:05:49 +05:30
rules: !reference [".reports:rules:brakeman-sast", rules]
2020-04-22 19:07:51 +05:30
2021-06-08 01:23:25 +05:30
semgrep-sast:
2021-11-18 22:05:49 +05:30
rules: !reference [".reports:rules:semgrep-sast", rules]
2021-10-27 15:23:28 +05:30
gosec-sast:
variables:
GOPATH: "$CI_PROJECT_DIR/vendor/go"
COMPILE: "false"
GOSEC_GO_PKG_PATH: "$CI_PROJECT_DIR"
SECURE_LOG_LEVEL: "debug"
before_script:
- mkdir -p $GOPATH
- cd workhorse
- go get -d ./...
- cd ..
cache:
paths:
- vendor/go
2021-11-18 22:05:49 +05:30
rules: !reference [".reports:rules:gosec-sast", rules]
2021-06-08 01:23:25 +05:30
.secret-analyzer:
extends: .default-retry
needs: []
2020-11-24 15:15:51 +05:30
artifacts:
paths:
- gl-secret-detection-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
2019-07-31 22:56:46 +05:30
2021-06-08 01:23:25 +05:30
secret_detection:
rules: !reference [".reports:rules:secret_detection", rules]
.ds-analyzer:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
2019-12-04 20:38:33 +05:30
extends:
- .default-retry
2021-06-08 01:23:25 +05:30
- dependency_scanning
2020-04-08 14:13:33 +05:30
needs: []
2019-12-04 20:38:33 +05:30
variables:
2021-06-08 01:23:25 +05:30
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific
2021-11-18 22:05:49 +05:30
DS_EXCLUDED_ANALYZERS: "gemnasium-maven"
2019-12-04 20:38:33 +05:30
artifacts:
2020-03-13 15:44:24 +05:30
paths:
- gl-dependency-scanning-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
2021-03-08 18:12:59 +05:30
2021-06-08 01:23:25 +05:30
gemnasium-dependency_scanning:
2021-03-08 18:12:59 +05:30
before_script:
# git-lfs is needed for auto-remediation
- apk add git-lfs
2021-09-30 23:02:18 +05:30
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
2021-03-08 18:12:59 +05:30
2021-06-08 01:23:25 +05:30
bundler-audit-dependency_scanning:
2021-09-30 23:02:18 +05:30
rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
2021-03-08 18:12:59 +05:30
2021-06-08 01:23:25 +05:30
retire-js-dependency_scanning:
2021-09-30 23:02:18 +05:30
rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
2021-03-08 18:12:59 +05:30
2021-06-08 01:23:25 +05:30
gemnasium-python-dependency_scanning:
2021-09-30 23:02:18 +05:30
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
2021-01-03 14:25:43 +05:30
2021-03-08 18:12:59 +05:30
# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
2021-09-30 23:02:18 +05:30
.package_hunter-base:
2021-11-18 22:05:49 +05:30
extends: .default-retry
2021-01-29 00:20:46 +05:30
stage: test
image:
2021-09-30 23:02:18 +05:30
name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:1.1.0
2021-01-29 00:20:46 +05:30
entrypoint: [""]
2021-09-30 23:02:18 +05:30
variables:
DEBUG: '*'
HTR_user: '$PACKAGE_HUNTER_USER'
HTR_pass: '$PACKAGE_HUNTER_PASS'
2021-01-29 00:20:46 +05:30
needs: []
2021-06-08 01:23:25 +05:30
allow_failure: true
2021-09-30 23:02:18 +05:30
before_script:
2021-01-29 00:20:46 +05:30
- rm -r spec locale .git app/assets/images doc/
- cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
2021-11-18 22:05:49 +05:30
script:
- node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json
2021-01-29 00:20:46 +05:30
artifacts:
paths:
2021-06-08 01:23:25 +05:30
- gl-dependency-scanning-report.json
2021-01-29 00:20:46 +05:30
reports:
dependency_scanning: gl-dependency-scanning-report.json
2021-06-08 01:23:25 +05:30
expire_in: 1 week
2021-01-29 00:20:46 +05:30
2021-09-30 23:02:18 +05:30
package_hunter-yarn:
extends:
- .package_hunter-base
- .reports:rules:package_hunter-yarn
2021-11-18 22:05:49 +05:30
variables:
PACKAGE_MANAGER: yarn
2021-09-30 23:02:18 +05:30
package_hunter-bundler:
extends:
- .package_hunter-base
- .reports:rules:package_hunter-bundler
2021-11-18 22:05:49 +05:30
variables:
PACKAGE_MANAGER: bundler
2021-09-30 23:02:18 +05:30
2021-01-03 14:25:43 +05:30
license_scanning:
2021-06-08 01:23:25 +05:30
extends: .default-retry
2021-01-03 14:25:43 +05:30
needs: []
artifacts:
expire_in: 1 week # GitLab-specific
2021-06-08 01:23:25 +05:30
rules: !reference [".reports:rules:license_scanning", rules]