Merge branch 'add-kubesc-to-sast-template' into 'master'

Update SAST template to support kubesec analyzer See merge request gitlab-org/gitlab!20129

Merge branch 'add-kubesc-to-sast-template' into 'master'
Update SAST template to support kubesec analyzer See merge request gitlab-org/gitlab!20129
600a1a63 · Douglas Barbosa Alexandre · 523e0b19 · 52b219e9 · 600a1a63 · 600a1a63
Commit 600a1a63 authored Nov 19, 2019 by Douglas Barbosa Alexandre
2 changed files
--- a/ee/changelogs/unreleased/add-kubesc-to-sast-template.yml
+++ b/ee/changelogs/unreleased/add-kubesc-to-sast-template.yml
+---
+title: Update SAST.gitlab-ci.yml - Add kubesec analyzer
+merge_request: 20129
+author:
+type: changed
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -6,9 +6,10 @@
 variables:
  SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
-  SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex"
+  SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
  SAST_ANALYZER_IMAGE_TAG: 2
  SAST_DISABLE_DIND: "false"
+  SCAN_KUBERNETES_MANIFESTS: "false"
 sast:
  stage: test
@@ -98,6 +99,16 @@ flawfinder-sast:
          $SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c)\b/
+kubesec-sast:
+  extends: .analyzer
+  image:
+    name: "$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
+  only:
+    variables:
+      - $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
+          $SCAN_KUBERNETES_MANIFESTS == 'true'
 gosec-sast:
  extends: .analyzer
  image: