Clean-up secure jobs config

48698a62 · Philippe Lafoucrière · 1e6a860a · 48698a62
Commit 48698a62 authored Oct 13, 2021 by Philippe Lafoucrière
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 14 deletions

.gitlab/ci/reports.gitlab-ci.yml .gitlab/ci/reports.gitlab-ci.yml +1 -14

No files found.
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -32,11 +32,9 @@ code_quality:

 brakeman-sast:
  rules: !reference [".reports:rules:brakeman-sast", rules]
-  allow_failure: true

 semgrep-sast:
  rules: !reference [".reports:rules:semgrep-sast", rules]
-  allow_failure: true

 gosec-sast:
  variables:
@@ -53,7 +51,6 @@ gosec-sast:
    paths:
      - vendor/go
  rules: !reference [".reports:rules:gosec-sast", rules]
-  allow_failure: true

 .secret-analyzer:
  extends: .default-retry
@@ -65,7 +62,6 @@ gosec-sast:

 secret_detection:
  rules: !reference [".reports:rules:secret_detection", rules]
-  allow_failure: true

 .ds-analyzer:
  # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
@@ -75,6 +71,7 @@ secret_detection:
  needs: []
  variables:
    DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp"  # GitLab-specific
+    DS_EXCLUDED_ANALYZERS: "gemnasium-maven"
  artifacts:
    paths:
      - gl-dependency-scanning-report.json  # GitLab-specific
@@ -84,25 +81,16 @@ gemnasium-dependency_scanning:
  before_script:
    # git-lfs is needed for auto-remediation
    - apk add git-lfs
-  after_script:
-    # Post-processing
-    - apk add jq
-    # Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
-    - jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
  rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
-  allow_failure: true

 bundler-audit-dependency_scanning:
  rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
-  allow_failure: true

 retire-js-dependency_scanning:
  rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
-  allow_failure: true

 gemnasium-python-dependency_scanning:
  rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
-  allow_failure: true

 # Analyze dependencies for malicious behavior
 # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
@@ -150,4 +138,3 @@ license_scanning:
  artifacts:
    expire_in: 1 week  # GitLab-specific
  rules: !reference [".reports:rules:license_scanning", rules]
-  allow_failure: true