365 lines
12 KiB
YAML
365 lines
12 KiB
YAML
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
|
|
#
|
|
# Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
|
|
# List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-variables
|
|
|
|
variables:
|
|
# Setting this variable will affect all Security templates
|
|
# (SAST, Dependency Scanning, ...)
|
|
SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
|
|
SAST_IMAGE_SUFFIX: ""
|
|
|
|
SAST_EXCLUDED_ANALYZERS: ""
|
|
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
|
|
SCAN_KUBERNETES_MANIFESTS: "false"
|
|
|
|
sast:
|
|
stage: test
|
|
artifacts:
|
|
reports:
|
|
sast: gl-sast-report.json
|
|
rules:
|
|
- when: never
|
|
variables:
|
|
SEARCH_MAX_DEPTH: 4
|
|
script:
|
|
- echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
|
|
- exit 1
|
|
|
|
.sast-analyzer:
|
|
extends: sast
|
|
allow_failure: true
|
|
# `rules` must be overridden explicitly by each child job
|
|
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
|
|
script:
|
|
- /analyzer run
|
|
|
|
bandit-sast:
|
|
extends: .sast-analyzer
|
|
script:
|
|
- echo "This job was deprecated in GitLab 14.8 and removed in GitLab 15.3"
|
|
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/352554"
|
|
- exit 1
|
|
rules:
|
|
- when: never
|
|
|
|
brakeman-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- '**/*.rb'
|
|
- '**/Gemfile'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- '**/*.rb'
|
|
- '**/Gemfile'
|
|
|
|
eslint-sast:
|
|
extends: .sast-analyzer
|
|
script:
|
|
- echo "This job was deprecated in GitLab 14.8 and removed in GitLab 15.3"
|
|
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/352554"
|
|
- exit 1
|
|
rules:
|
|
- when: never
|
|
|
|
flawfinder-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- '**/*.c'
|
|
- '**/*.cc'
|
|
- '**/*.cpp'
|
|
- '**/*.c++'
|
|
- '**/*.cp'
|
|
- '**/*.cxx'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- '**/*.c'
|
|
- '**/*.cc'
|
|
- '**/*.cpp'
|
|
- '**/*.c++'
|
|
- '**/*.cp'
|
|
- '**/*.cxx'
|
|
|
|
gosec-sast:
|
|
extends: .sast-analyzer
|
|
script:
|
|
- echo "This job was deprecated in GitLab 15.0 and removed in GitLab 15.2"
|
|
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/352554"
|
|
- exit 1
|
|
rules:
|
|
- when: never
|
|
|
|
kubesec-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
|
|
when: never
|
|
# Add the job to merge request pipelines if there's an open merge request.
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
|
|
$SCAN_KUBERNETES_MANIFESTS == 'true'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
# If there's no open merge request, add it to a *branch* pipeline instead.
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SCAN_KUBERNETES_MANIFESTS == 'true'
|
|
|
|
.mobsf-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
|
|
|
|
mobsf-android-sast:
|
|
extends: .mobsf-sast
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
|
|
when: never
|
|
# Add the job to merge request pipelines if there's an open merge request.
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
|
|
$SAST_EXPERIMENTAL_FEATURES == 'true'
|
|
exists:
|
|
- '**/*.apk'
|
|
- '**/AndroidManifest.xml'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
# If there's no open merge request, add it to a *branch* pipeline instead.
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_EXPERIMENTAL_FEATURES == 'true'
|
|
exists:
|
|
- '**/*.apk'
|
|
- '**/AndroidManifest.xml'
|
|
|
|
mobsf-ios-sast:
|
|
extends: .mobsf-sast
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
|
|
when: never
|
|
# Add the job to merge request pipelines if there's an open merge request.
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
|
|
$SAST_EXPERIMENTAL_FEATURES == 'true'
|
|
exists:
|
|
- '**/*.ipa'
|
|
- '**/*.xcodeproj/*'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
# If there's no open merge request, add it to a *branch* pipeline instead.
|
|
- if: $CI_COMMIT_BRANCH &&
|
|
$SAST_EXPERIMENTAL_FEATURES == 'true'
|
|
exists:
|
|
- '**/*.ipa'
|
|
- '**/*.xcodeproj/*'
|
|
|
|
nodejs-scan-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- '**/package.json'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- '**/package.json'
|
|
|
|
phpcs-security-audit-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- '**/*.php'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- '**/*.php'
|
|
|
|
pmd-apex-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- '**/*.cls'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- '**/*.cls'
|
|
|
|
security-code-scan-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- '**/*.csproj'
|
|
- '**/*.vbproj'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- '**/*.csproj'
|
|
- '**/*.vbproj'
|
|
|
|
semgrep-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SEARCH_MAX_DEPTH: 20
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- '**/*.py'
|
|
- '**/*.js'
|
|
- '**/*.jsx'
|
|
- '**/*.ts'
|
|
- '**/*.tsx'
|
|
- '**/*.c'
|
|
- '**/*.go'
|
|
- '**/*.java'
|
|
- '**/*.html'
|
|
- '**/*.cs'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- '**/*.py'
|
|
- '**/*.js'
|
|
- '**/*.jsx'
|
|
- '**/*.ts'
|
|
- '**/*.tsx'
|
|
- '**/*.c'
|
|
- '**/*.go'
|
|
- '**/*.java'
|
|
- '**/*.html'
|
|
- '**/*.cs'
|
|
|
|
sobelow-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- 'mix.exs'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- 'mix.exs'
|
|
|
|
spotbugs-sast:
|
|
extends: .sast-analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE"
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_TAG: 3
|
|
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
|
|
rules:
|
|
- if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
|
|
when: never
|
|
- if: $SAST_EXPERIMENTAL_FEATURES == 'true'
|
|
exists:
|
|
- '**/AndroidManifest.xml'
|
|
when: never
|
|
- if: $SAST_DISABLED
|
|
when: never
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" # Add the job to merge request pipelines if there's an open merge request.
|
|
exists:
|
|
- '**/*.groovy'
|
|
- '**/*.scala'
|
|
- '**/*.kt'
|
|
- if: $CI_OPEN_MERGE_REQUESTS # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH # If there's no open merge request, add it to a *branch* pipeline instead.
|
|
exists:
|
|
- '**/*.groovy'
|
|
- '**/*.scala'
|
|
- '**/*.kt'
|