Commit 347e530c authored by Sean McGivern

Merge branch '11137-propagate-all-env-vars-to-sast-containers' into 'master'

Make SAST compatible with private dependencies via ENV propagation

See merge request gitlab-org/gitlab!18193
parents 462f7942 42bb0907
---
title: Propagate custom environment variables to SAST analyzers
merge_request: 18193
author:
type: changed
...@@ -146,7 +146,15 @@ sast: ...@@ -146,7 +146,15 @@ sast:
CI_DEBUG_TRACE: "true" CI_DEBUG_TRACE: "true"
``` ```
### Using a variable to pass username and password to a private Maven repository ### Using environment variables to pass credentials for private repositories
Some analyzers require downloading the project's dependencies in order to
perform the analysis. In turn, such dependencies may live in private Git
repositories and thus require credentials like username and password to download them.
Depending on the analyzer, such credentials can be provided to
it via [custom environment variables](#custom-environment-variables).
#### Using a variable to pass username and password to a private Maven repository
If you have a private Apache Maven repository that requires login credentials, If you have a private Apache Maven repository that requires login credentials,
you can use the `MAVEN_CLI_OPTS` [environment variable](#available-variables) you can use the `MAVEN_CLI_OPTS` [environment variable](#available-variables)
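Review bot: the new intro sentence "such dependencies may live in private Git repositories" does not match the section it introduces, whose only worked case is a private Apache Maven repository (a package registry reached through `MAVEN_CLI_OPTS`, not a Git remote); suggest "may live in private package repositories (for example a private Maven repository)". Since the paragraph says "Depending on the analyzer", it should also point at the per-analyzer variables table so readers do not assume every analyzer honours a credential variable they set.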
...@@ -234,6 +242,19 @@ Some analyzers can be customized with environment variables. ...@@ -234,6 +242,19 @@ Some analyzers can be customized with environment variables.
| `SBT_PATH` | spotbugs | Path to the `sbt` executable. | | `SBT_PATH` | spotbugs | Path to the `sbt` executable. |
| `FAIL_NEVER` | spotbugs | Set to `1` to ignore compilation failure. | | `FAIL_NEVER` | spotbugs | Set to `1` to ignore compilation failure. |
#### Custom environment variables
> [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/18193) in GitLab Ultimate 12.5.
In addition to the aforementioned SAST configuration variables,
all [custom environment variables](../../../ci/variables/README.md#creating-a-custom-environment-variable) are propagated
to the underlying SAST analyzer images if
[the SAST vendored template](#configuration) is used.
CAUTION: **Caution:**
Variables having names starting with these prefixes will **not** be propagated to the SAST Docker container and/or
analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`, `PATH`, `SHLVL`, `HOSTNAME`.
## Reports JSON format ## Reports JSON format
CAUTION: **Caution:** CAUTION: **Caution:**
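Review bot: the "Custom environment variables" section should state that the propagation is unconditional: every custom CI/CD variable available to the job that does not match the exclusion list, masked secrets included, is passed to every analyzer image the job runs, so anyone using third-party or self-built analyzer images needs to know this before switching to the vendored template. The CAUTION correctly calls the entries prefixes, but readers will read `HOME`, `PWD`, `PATH` and `CI` as exact names; because the template matches on the leading characters, a variable such as `HOME_DIR`, `PATH_TO_CONFIG` or `CITY` silently fails to propagate, so add one such example and a sentence saying the match is on the start of the name. This list duplicates the regex in the template; note in both places that they must be kept in sync.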
......
...@@ -35,45 +35,12 @@ sast: ...@@ -35,45 +35,12 @@ sast:
export DOCKER_HOST='tcp://localhost:2375' export DOCKER_HOST='tcp://localhost:2375'
fi fi
fi fi
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage - |
function propagate_env_vars() { printenv | grep -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | cut -d'=' -f1 | \
CURRENT_ENV=$(printenv) (while IFS='\\n' read -r VAR; do unset -v "$VAR"; done; /bin/printenv > .env)
for VAR_NAME; do
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
done
}
- | - |
docker run \ docker run \
$(propagate_env_vars \ --env-file .env \
SAST_BANDIT_EXCLUDED_PATHS \
SAST_ANALYZER_IMAGES \
SAST_ANALYZER_IMAGE_PREFIX \
SAST_ANALYZER_IMAGE_TAG \
SAST_DEFAULT_ANALYZERS \
SAST_PULL_ANALYZER_IMAGES \
SAST_BRAKEMAN_LEVEL \
SAST_FLAWFINDER_LEVEL \
SAST_GITLEAKS_ENTROPY_LEVEL \
SAST_GOSEC_LEVEL \
SAST_EXCLUDED_PATHS \
SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
SAST_RUN_ANALYZER_TIMEOUT \
SAST_JAVA_VERSION \
ANT_HOME \
ANT_PATH \
GRADLE_PATH \
JAVA_OPTS \
JAVA_PATH \
JAVA_8_VERSION \
JAVA_11_VERSION \
MAVEN_CLI_OPTS \
MAVEN_PATH \
MAVEN_REPO_PATH \
SBT_PATH \
FAIL_NEVER \
) \
--volume "$PWD:/code" \ --volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \ --volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
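Review bot: the generated `.env` contains the value of every custom variable, secrets included, and is written to `$PWD`, which the very next command bind-mounts into the container as `/code`; the dump of all job secrets therefore lands inside the scanned source tree (overwriting any `.env` the project already has), is visible to every analyzer that walks `/code`, and stays in the runner workspace after the job. Write it with `mktemp` outside `$PWD` and remove it after `docker run`. In the filter line, `IFS='\\n'` is not a newline: inside single quotes (and in a YAML `|` block) it is the three characters `\`, `\` and `n`; with a single name `read -r VAR` assigns the whole line anyway, so it happens to be harmless, but it documents an intent it does not implement and should be dropped (or written `IFS=`). Two more points: the exclusion regex deserves the comment the old allowlist had, i.e. that `PATH`, `HOME` and friends are stripped so host values do not clobber the analyzer image's own ENV, and `--env-file` does not carry multi-line values, so a custom variable holding a PEM key will be split into invalid lines rather than propagated.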
......