Commit 89e8e0cd authored by Robert Speicher's avatar Robert Speicher

Merge branch 'rf-sast-remove-dind' into 'master'

SAST that doesn't rely on Docker-in-Docker

See merge request gitlab-org/gitlab!16487
parents 48b4c61d d7943465
---
title: SAST template that doesn't rely on Docker-in-Docker
merge_request: 16487
author:
type: other
...@@ -4,13 +4,28 @@ ...@@ -4,13 +4,28 @@
# List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings # List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
sast: .sast:
stage: test stage: test
allow_failure: true
artifacts:
reports:
sast: gl-sast-report.json
only:
refs:
- branches
variables:
- $GITLAB_FEATURES =~ /\bsast\b/
variables:
SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_DISABLE_DIND: "false"
sast:
extends: .sast
image: docker:stable image: docker:stable
variables: variables:
DOCKER_DRIVER: overlay2 DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: "" DOCKER_TLS_CERTDIR: ""
allow_failure: true
services: services:
- docker:stable-dind - docker:stable-dind
script: script:
...@@ -63,15 +78,116 @@ sast: ...@@ -63,15 +78,116 @@ sast:
--volume "$PWD:/code" \ --volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \ --volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
artifacts:
reports:
sast: gl-sast-report.json
dependencies: []
only:
refs:
- branches
variables:
- $GITLAB_FEATURES =~ /\bsast\b/
except: except:
variables: variables:
- $SAST_DISABLED - $SAST_DISABLED
- $SAST_DISABLE_DIND == 'true'
.analyzer:
extends: .sast
except:
variables:
- $SAST_DISABLE_DIND == 'false'
script:
- /analyzer run
bandit-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/'
brakeman-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/'
eslint-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/'
flawfinder-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c\b)/'
gosec-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /go/'
nodejs-scan-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/'
phpcs-security-audit-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /php/'
pmd-apex-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /apex/'
secrets-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets"
security-code-scan-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /c\#/ || $CI_PROJECT_REPOSITORY_LANGUAGES =~ /visual basic/'
sobelow-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /elixir/'
spotbugs-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /java\b/'
tslint-sast:
extends: .analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint"
only:
variables:
- '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /typescript/'
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment