35 lines
912 B
YAML
35 lines
912 B
YAML
|
variables:
|
||
|
# Setting this variable will affect all Security templates
|
||
|
# (SAST, Dependency Scanning, ...)
|
||
|
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
|
||
|
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
|
||
|
|
||
|
iac-sast:
|
||
|
stage: test
|
||
|
artifacts:
|
||
|
reports:
|
||
|
sast: gl-sast-report.json
|
||
|
rules:
|
||
|
- when: never
|
||
|
# `rules` must be overridden explicitly by each child job
|
||
|
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
|
||
|
variables:
|
||
|
SEARCH_MAX_DEPTH: 4
|
||
|
allow_failure: true
|
||
|
script:
|
||
|
- /analyzer run
|
||
|
|
||
|
kics-iac-sast:
|
||
|
extends: iac-sast
|
||
|
image:
|
||
|
name: "$SAST_ANALYZER_IMAGE"
|
||
|
variables:
|
||
|
SAST_ANALYZER_IMAGE_TAG: 0
|
||
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG"
|
||
|
rules:
|
||
|
- if: $SAST_DISABLED
|
||
|
when: never
|
||
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
|
||
|
when: never
|
||
|
- if: $CI_COMMIT_BRANCH
|