218 lines
6.2 KiB
YAML
218 lines
6.2 KiB
YAML
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
|
|
#
|
|
# Configure the scanning tool through the environment variables.
|
|
# List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings
|
|
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
|
|
|
|
variables:
|
|
# Setting this variable will affect all Security templates
|
|
# (SAST, Dependency Scanning, ...)
|
|
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
|
|
|
|
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec"
|
|
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
|
|
SAST_ANALYZER_IMAGE_TAG: 2
|
|
SAST_DISABLE_DIND: "true"
|
|
SCAN_KUBERNETES_MANIFESTS: "false"
|
|
|
|
sast:
|
|
stage: test
|
|
allow_failure: true
|
|
artifacts:
|
|
reports:
|
|
sast: gl-sast-report.json
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
|
|
image: docker:stable
|
|
variables:
|
|
SEARCH_MAX_DEPTH: 4
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_TLS_CERTDIR: ""
|
|
services:
|
|
- docker:stable-dind
|
|
script:
|
|
- |
|
|
if ! docker info &>/dev/null; then
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
fi
|
|
fi
|
|
- |
|
|
docker run \
|
|
$(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -v -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | awk '{printf " -e %s", $0}') \
|
|
--volume "$PWD:/code" \
|
|
--volume /var/run/docker.sock:/var/run/docker.sock \
|
|
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
|
|
|
|
.sast-analyzer:
|
|
extends: sast
|
|
services: []
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH
|
|
script:
|
|
- /analyzer run
|
|
|
|
bandit-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /bandit/
|
|
exists:
|
|
- '**/*.py'
|
|
|
|
brakeman-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /brakeman/
|
|
exists:
|
|
- 'config/routes.rb'
|
|
|
|
eslint-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /eslint/
|
|
exists:
|
|
- '**/*.html'
|
|
- '**/*.js'
|
|
- '**/*.jsx'
|
|
- '**/*.ts'
|
|
- '**/*.tsx'
|
|
|
|
flawfinder-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/
|
|
exists:
|
|
- '**/*.c'
|
|
- '**/*.cpp'
|
|
|
|
kubesec-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
|
|
$SCAN_KUBERNETES_MANIFESTS == 'true'
|
|
|
|
gosec-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /gosec/
|
|
exists:
|
|
- '**/*.go'
|
|
|
|
nodejs-scan-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
|
|
exists:
|
|
- 'package.json'
|
|
|
|
phpcs-security-audit-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
|
|
exists:
|
|
- '**/*.php'
|
|
|
|
pmd-apex-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
|
|
exists:
|
|
- '**/*.cls'
|
|
|
|
secrets-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /secrets/
|
|
|
|
security-code-scan-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
|
|
exists:
|
|
- '**/*.csproj'
|
|
- '**/*.vbproj'
|
|
|
|
sobelow-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /sobelow/
|
|
exists:
|
|
- 'mix.exs'
|
|
|
|
spotbugs-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/
|
|
exists:
|
|
- '**/*.groovy'
|
|
- '**/*.java'
|
|
- '**/*.scala'
|