debian-mirror-gitlab/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml

184 lines
5.9 KiB
YAML
Raw Normal View History

2022-04-04 11:22:00 +05:30
# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
#
# Configure dependency scanning with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
2022-08-27 11:52:29 +05:30
SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
2022-04-04 11:22:00 +05:30
DS_EXCLUDED_ANALYZERS: ""
DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
2022-07-16 23:28:13 +05:30
DS_MAJOR_VERSION: 3
2023-04-23 21:23:45 +05:30
DS_SCHEMA_MODEL: 15
2022-04-04 11:22:00 +05:30
dependency_scanning:
stage: test
script:
- echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
- exit 1
artifacts:
reports:
dependency_scanning: gl-dependency-scanning-report.json
dependencies: []
rules:
- when: never
.ds-analyzer:
extends: dependency_scanning
allow_failure: true
2022-06-21 17:19:12 +05:30
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/$DS_ANALYZER_NAME:$DS_MAJOR_VERSION"
# DS_ANALYZER_NAME is an undocumented variable used in job definitions
# to inject the analyzer name in the image name.
DS_ANALYZER_NAME: ""
image:
name: "$DS_ANALYZER_IMAGE$DS_IMAGE_SUFFIX"
2022-04-04 11:22:00 +05:30
# `rules` must be overridden explicitly by each child job
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
script:
- /analyzer run
2022-08-13 15:12:31 +05:30
.cyclonedx-reports:
2022-04-04 11:22:00 +05:30
artifacts:
paths:
2022-08-13 15:12:31 +05:30
- "**/gl-sbom-*.cdx.json"
2022-11-25 23:54:43 +05:30
reports:
cyclonedx: "**/gl-sbom-*.cdx.json"
2022-04-04 11:22:00 +05:30
2022-07-16 23:28:13 +05:30
.gemnasium-shared-rule:
exists:
2023-05-27 22:25:52 +05:30
- '**/Gemfile.lock'
- '**/composer.lock'
- '**/gems.locked'
- '**/go.sum'
- '**/npm-shrinkwrap.json'
- '**/package-lock.json'
- '**/yarn.lock'
- '**/packages.lock.json'
- '**/conan.lock'
2022-07-16 23:28:13 +05:30
2022-04-04 11:22:00 +05:30
gemnasium-dependency_scanning:
extends:
- .ds-analyzer
2022-08-13 15:12:31 +05:30
- .cyclonedx-reports
2022-04-04 11:22:00 +05:30
variables:
2022-06-21 17:19:12 +05:30
DS_ANALYZER_NAME: "gemnasium"
2022-04-04 11:22:00 +05:30
GEMNASIUM_LIBRARY_SCAN_ENABLED: "true"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
2022-07-16 23:28:13 +05:30
$CI_GITLAB_FIPS_MODE == "true"
exists: !reference [.gemnasium-shared-rule, exists]
variables:
DS_IMAGE_SUFFIX: "-fips"
2022-08-13 15:12:31 +05:30
DS_REMEDIATE: "false"
2022-07-16 23:28:13 +05:30
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
exists: !reference [.gemnasium-shared-rule, exists]
.gemnasium-maven-shared-rule:
exists:
2023-05-27 22:25:52 +05:30
- '**/build.gradle'
- '**/build.gradle.kts'
- '**/build.sbt'
- '**/pom.xml'
2022-04-04 11:22:00 +05:30
gemnasium-maven-dependency_scanning:
extends:
- .ds-analyzer
2022-08-13 15:12:31 +05:30
- .cyclonedx-reports
2022-04-04 11:22:00 +05:30
variables:
2022-06-21 17:19:12 +05:30
DS_ANALYZER_NAME: "gemnasium-maven"
2022-04-04 11:22:00 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
2022-07-16 23:28:13 +05:30
$CI_GITLAB_FIPS_MODE == "true"
exists: !reference [.gemnasium-maven-shared-rule, exists]
variables:
DS_IMAGE_SUFFIX: "-fips"
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
exists: !reference [.gemnasium-maven-shared-rule, exists]
.gemnasium-python-shared-rule:
exists:
2023-05-27 22:25:52 +05:30
- '**/requirements.txt'
- '**/requirements.pip'
- '**/Pipfile'
- '**/requires.txt'
- '**/setup.py'
- '**/poetry.lock'
2022-04-04 11:22:00 +05:30
gemnasium-python-dependency_scanning:
extends:
- .ds-analyzer
2022-08-13 15:12:31 +05:30
- .cyclonedx-reports
2022-04-04 11:22:00 +05:30
variables:
2022-06-21 17:19:12 +05:30
DS_ANALYZER_NAME: "gemnasium-python"
2022-04-04 11:22:00 +05:30
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
2022-07-16 23:28:13 +05:30
$CI_GITLAB_FIPS_MODE == "true"
exists: !reference [.gemnasium-python-shared-rule, exists]
variables:
DS_IMAGE_SUFFIX: "-fips"
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
exists: !reference [.gemnasium-python-shared-rule, exists]
# Support passing of $PIP_REQUIREMENTS_FILE
# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$PIP_REQUIREMENTS_FILE &&
$CI_GITLAB_FIPS_MODE == "true"
variables:
DS_IMAGE_SUFFIX: "-fips"
2022-04-04 11:22:00 +05:30
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$PIP_REQUIREMENTS_FILE
bundler-audit-dependency_scanning:
extends: .ds-analyzer
variables:
2022-06-21 17:19:12 +05:30
DS_ANALYZER_NAME: "bundler-audit"
2022-07-16 23:28:13 +05:30
DS_MAJOR_VERSION: 2
script:
- echo "This job was deprecated in GitLab 14.8 and removed in GitLab 15.0"
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/347491"
- exit 1
2022-04-04 11:22:00 +05:30
rules:
2022-07-16 23:28:13 +05:30
- when: never
2022-04-04 11:22:00 +05:30
retire-js-dependency_scanning:
extends: .ds-analyzer
variables:
2022-06-21 17:19:12 +05:30
DS_ANALYZER_NAME: "retire.js"
2022-07-16 23:28:13 +05:30
DS_MAJOR_VERSION: 2
script:
- echo "This job was deprecated in GitLab 14.8 and removed in GitLab 15.0"
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/289830"
- exit 1
2022-04-04 11:22:00 +05:30
rules:
2022-07-16 23:28:13 +05:30
- when: never