Skip to content

G
gitlab-ce
Commit a9e72d97 authored by Lucas Charles's avatar Lucas Charles
Browse files
Options

Migrate SAST CI template to rules syntax 

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/36548
parent ae05ca54
Hide whitespace changes
Inline Side-by-side
Showing with 150 additions and 101 deletions
changelogs/unreleased/e2300-sast-template.yml 0 → 100644
View file @ a9e72d97
---
title: Migrate SAST CI template to rules syntax
merge_request: 31127
author:
type: changed
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
View file @ a9e72d97
......@@ -8,7 +8,8 @@ describe 'SAST.gitlab-ci.yml' do
describe 'the created pipeline' do
let(:user) { create(:admin) }
let(:default_branch) { 'master' }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
let(:files) { { 'README.txt' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) }
......@@ -48,33 +49,34 @@ describe 'SAST.gitlab-ci.yml' do
end
end
context 'when SAST_DISABLE_DIND=1' do
context 'when SAST_DISABLE_DIND=true' do
before do
create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: '1')
create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'true')
end
describe 'language detection' do
using RSpec::Parameterized::TableSyntax
where(:case_name, :variables, :include_build_names) do
'No match' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "" } | %w(secrets-sast)
'Apex' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "apex" } | %w(pmd-apex-sast secrets-sast)
'C' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c" } | %w(flawfinder-sast secrets-sast)
'C++' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c++" } | %w(flawfinder-sast secrets-sast)
'C#' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c#" } | %w(security-code-scan-sast secrets-sast)
'Elixir' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "elixir" } | %w(sobelow-sast secrets-sast)
'Golang' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "go" } | %w(gosec-sast secrets-sast)
'Groovy' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "groovy" } | %w(spotbugs-sast secrets-sast)
'Java' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java" } | %w(spotbugs-sast secrets-sast)
'Javascript' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "javascript" } | %w(eslint-sast nodejs-scan-sast secrets-sast)
'Kubernetes Manifests' | { "SCAN_KUBERNETES_MANIFESTS" => "true" } | %w(kubesec-sast secrets-sast)
'Multiple languages' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java,javascript" } | %w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
'PHP' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "php" } | %w(phpcs-security-audit-sast secrets-sast)
'Python' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "python" } | %w(bandit-sast secrets-sast)
'Ruby' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "ruby" } | %w(brakeman-sast secrets-sast)
'Scala' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "scala" } | %w(spotbugs-sast secrets-sast)
'Typescript' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "typescript" } | %w(tslint-sast secrets-sast)
'Visual Basic' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "visual basic" } | %w(security-code-scan-sast secrets-sast)
where(:case_name, :files, :variables, :include_build_names) do
'No match' | { 'README.md' => '' } | {} | %w(secrets-sast)
'Apex' | { 'app.cls' => '' } | {} | %w(pmd-apex-sast secrets-sast)
'C' | { 'app.c' => '' } | {} | %w(flawfinder-sast secrets-sast)
'C++' | { 'app.cpp' => '' } | {} | %w(flawfinder-sast secrets-sast)
'C#' | { 'app.csproj' => '' } | {} | %w(security-code-scan-sast secrets-sast)
'Elixir' | { 'mix.ex' => '' } | {} | %w(sobelow-sast secrets-sast)
'Golang' | { 'main.go' => '' } | {} | %w(gosec-sast secrets-sast)
'Groovy' | { 'app.groovy' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast nodejs-scan-sast secrets-sast)
'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast secrets-sast)
'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast secrets-sast)
'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast secrets-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast secrets-sast)
'Ruby' | { 'application.rb' => '' } | {} | %w(brakeman-sast secrets-sast)
'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(tslint-sast secrets-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast secrets-sast)
end
with_them do
......
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
View file @ a9e72d97
......@@ -17,11 +17,10 @@ sast:
artifacts:
reports:
sast: gl-sast-report.json
only:
refs:
- branches
variables:
- $GITLAB_FEATURES =~ /\bsast\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
when: never
- if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
image: docker:stable
variables:
SEARCH_MAX_DEPTH: 4
......@@ -42,18 +41,15 @@ sast:
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
except:
variables:
- $SAST_DISABLED
- $SAST_DISABLE_DIND == 'true'
.sast-analyzer:
extends: sast
services: []
except:
variables:
- $SAST_DISABLED
- $SAST_DISABLE_DIND == 'false'
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/
script:
- /analyzer run
......@@ -61,49 +57,65 @@ bandit-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/&&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/
exists:
- '**/*.py'
brakeman-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/
exists:
- '**/*.rb'
eslint-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/
exists:
- '**/*.html'
- '**/*.js'
flawfinder-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/
exists:
- '**/*.c'
- '**/*.cpp'
kubesec-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
$SCAN_KUBERNETES_MANIFESTS == 'true'
......@@ -111,87 +123,117 @@ gosec-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bgo\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/
exists:
- '**/*.go'
nodejs-scan-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
exists:
- '**/*.js'
phpcs-security-audit-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
exists:
- '**/*.php'
pmd-apex-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
exists:
- '**/*.cls'
secrets-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /secrets/
security-code-scan-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\#|visual basic\b)/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
exists:
- '**/*.csproj'
- '**/*.vbproj'
sobelow-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/
exists:
- '**/*.ex'
- '**/*.exs'
spotbugs-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(groovy|java|scala)\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/
exists:
- '**/*.groovy'
- '**/*.java'
- '**/*.scala'
tslint-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG"
only:
variables:
- $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /tslint/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /tslint/
exists:
- '**/*.ts'
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7