193 lines
4.9 KiB
YAML
193 lines
4.9 KiB
YAML
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
|
|
#
|
|
# Configure the scanning tool through the environment variables.
|
|
# List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings
|
|
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
|
|
|
|
.sast:
|
|
stage: test
|
|
allow_failure: true
|
|
artifacts:
|
|
reports:
|
|
sast: gl-sast-report.json
|
|
only:
|
|
refs:
|
|
- branches
|
|
variables:
|
|
- $GITLAB_FEATURES =~ /\bsast\b/
|
|
|
|
variables:
|
|
SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
|
|
SAST_DISABLE_DIND: "false"
|
|
|
|
sast:
|
|
extends: .sast
|
|
image: docker:stable
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_TLS_CERTDIR: ""
|
|
services:
|
|
- docker:stable-dind
|
|
script:
|
|
- export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
|
|
- |
|
|
if ! docker info &>/dev/null; then
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
fi
|
|
fi
|
|
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
|
|
function propagate_env_vars() {
|
|
CURRENT_ENV=$(printenv)
|
|
|
|
for VAR_NAME; do
|
|
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
|
|
done
|
|
}
|
|
- |
|
|
docker run \
|
|
$(propagate_env_vars \
|
|
SAST_BANDIT_EXCLUDED_PATHS \
|
|
SAST_ANALYZER_IMAGES \
|
|
SAST_ANALYZER_IMAGE_PREFIX \
|
|
SAST_ANALYZER_IMAGE_TAG \
|
|
SAST_DEFAULT_ANALYZERS \
|
|
SAST_PULL_ANALYZER_IMAGES \
|
|
SAST_BRAKEMAN_LEVEL \
|
|
SAST_FLAWFINDER_LEVEL \
|
|
SAST_GITLEAKS_ENTROPY_LEVEL \
|
|
SAST_GOSEC_LEVEL \
|
|
SAST_EXCLUDED_PATHS \
|
|
SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
|
|
SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
|
|
SAST_RUN_ANALYZER_TIMEOUT \
|
|
SAST_JAVA_VERSION \
|
|
ANT_HOME \
|
|
ANT_PATH \
|
|
GRADLE_PATH \
|
|
JAVA_OPTS \
|
|
JAVA_PATH \
|
|
JAVA_8_VERSION \
|
|
JAVA_11_VERSION \
|
|
MAVEN_CLI_OPTS \
|
|
MAVEN_PATH \
|
|
MAVEN_REPO_PATH \
|
|
SBT_PATH \
|
|
FAIL_NEVER \
|
|
) \
|
|
--volume "$PWD:/code" \
|
|
--volume /var/run/docker.sock:/var/run/docker.sock \
|
|
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
|
|
except:
|
|
variables:
|
|
- $SAST_DISABLED
|
|
- $SAST_DISABLE_DIND == 'true'
|
|
|
|
.analyzer:
|
|
extends: .sast
|
|
except:
|
|
variables:
|
|
- $SAST_DISABLE_DIND == 'false'
|
|
script:
|
|
- /analyzer run
|
|
|
|
bandit-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/'
|
|
|
|
brakeman-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/'
|
|
|
|
eslint-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/'
|
|
|
|
flawfinder-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c\b)/'
|
|
|
|
gosec-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /go/'
|
|
|
|
nodejs-scan-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/'
|
|
|
|
phpcs-security-audit-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /php/'
|
|
|
|
pmd-apex-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /apex/'
|
|
|
|
secrets-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets"
|
|
|
|
security-code-scan-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /c\#/ || $CI_PROJECT_REPOSITORY_LANGUAGES =~ /visual basic/'
|
|
|
|
sobelow-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /elixir/'
|
|
|
|
spotbugs-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /java\b/'
|
|
|
|
tslint-sast:
|
|
extends: .analyzer
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint"
|
|
only:
|
|
variables:
|
|
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /typescript/'
|