variables: # Setting this variable will affect all Security templates # (SAST, Dependency Scanning, ...) SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" iac-sast: stage: test artifacts: reports: sast: gl-sast-report.json rules: - when: never # `rules` must be overridden explicitly by each child job # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444 variables: SEARCH_MAX_DEPTH: 4 allow_failure: true script: - /analyzer run kics-iac-sast: extends: iac-sast image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 0 SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/ when: never - if: $CI_COMMIT_BRANCH