Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
a9e72d97
Commit
a9e72d97
authored
May 05, 2020
by
Lucas Charles
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Migrate SAST CI template to rules syntax
Relates to
https://gitlab.com/gitlab-org/gitlab/-/issues/36548
parent
ae05ca54
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
150 additions
and
101 deletions
+150
-101
changelogs/unreleased/e2300-sast-template.yml
changelogs/unreleased/e2300-sast-template.yml
+5
-0
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+24
-22
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+121
-79
No files found.
changelogs/unreleased/e2300-sast-template.yml
0 → 100644
View file @
a9e72d97
---
title
:
Migrate SAST CI template to rules syntax
merge_request
:
31127
author
:
type
:
changed
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
View file @
a9e72d97
...
...
@@ -8,7 +8,8 @@ describe 'SAST.gitlab-ci.yml' do
describe
'the created pipeline'
do
let
(
:user
)
{
create
(
:admin
)
}
let
(
:default_branch
)
{
'master'
}
let
(
:project
)
{
create
(
:project
,
:custom_repo
,
files:
{
'README.txt'
=>
''
})
}
let
(
:files
)
{
{
'README.txt'
=>
''
}
}
let
(
:project
)
{
create
(
:project
,
:custom_repo
,
files:
files
)
}
let
(
:service
)
{
Ci
::
CreatePipelineService
.
new
(
project
,
user
,
ref:
'master'
)
}
let
(
:pipeline
)
{
service
.
execute!
(
:push
)
}
let
(
:build_names
)
{
pipeline
.
builds
.
pluck
(
:name
)
}
...
...
@@ -48,33 +49,34 @@ describe 'SAST.gitlab-ci.yml' do
end
end
context
'when SAST_DISABLE_DIND=
1
'
do
context
'when SAST_DISABLE_DIND=
true
'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'SAST_DISABLE_DIND'
,
value:
'
1
'
)
create
(
:ci_variable
,
project:
project
,
key:
'SAST_DISABLE_DIND'
,
value:
'
true
'
)
end
describe
'language detection'
do
using
RSpec
::
Parameterized
::
TableSyntax
where
(
:case_name
,
:variables
,
:include_build_names
)
do
'No match'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
""
}
|
%w(secrets-sast)
'Apex'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"apex"
}
|
%w(pmd-apex-sast secrets-sast)
'C'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"c"
}
|
%w(flawfinder-sast secrets-sast)
'C++'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"c++"
}
|
%w(flawfinder-sast secrets-sast)
'C#'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"c#"
}
|
%w(security-code-scan-sast secrets-sast)
'Elixir'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"elixir"
}
|
%w(sobelow-sast secrets-sast)
'Golang'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"go"
}
|
%w(gosec-sast secrets-sast)
'Groovy'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"groovy"
}
|
%w(spotbugs-sast secrets-sast)
'Java'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"java"
}
|
%w(spotbugs-sast secrets-sast)
'Javascript'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"javascript"
}
|
%w(eslint-sast nodejs-scan-sast secrets-sast)
'Kubernetes Manifests'
|
{
"SCAN_KUBERNETES_MANIFESTS"
=>
"true"
}
|
%w(kubesec-sast secrets-sast)
'Multiple languages'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"java,javascript"
}
|
%w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
'PHP'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"php"
}
|
%w(phpcs-security-audit-sast secrets-sast)
'Python'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"python"
}
|
%w(bandit-sast secrets-sast)
'Ruby'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"ruby"
}
|
%w(brakeman-sast secrets-sast)
'Scala'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"scala"
}
|
%w(spotbugs-sast secrets-sast)
'Typescript'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"typescript"
}
|
%w(tslint-sast secrets-sast)
'Visual Basic'
|
{
"CI_PROJECT_REPOSITORY_LANGUAGES"
=>
"visual basic"
}
|
%w(security-code-scan-sast secrets-sast)
where
(
:case_name
,
:files
,
:variables
,
:include_build_names
)
do
'No match'
|
{
'README.md'
=>
''
}
|
{}
|
%w(secrets-sast)
'Apex'
|
{
'app.cls'
=>
''
}
|
{}
|
%w(pmd-apex-sast secrets-sast)
'C'
|
{
'app.c'
=>
''
}
|
{}
|
%w(flawfinder-sast secrets-sast)
'C++'
|
{
'app.cpp'
=>
''
}
|
{}
|
%w(flawfinder-sast secrets-sast)
'C#'
|
{
'app.csproj'
=>
''
}
|
{}
|
%w(security-code-scan-sast secrets-sast)
'Elixir'
|
{
'mix.ex'
=>
''
}
|
{}
|
%w(sobelow-sast secrets-sast)
'Golang'
|
{
'main.go'
=>
''
}
|
{}
|
%w(gosec-sast secrets-sast)
'Groovy'
|
{
'app.groovy'
=>
''
}
|
{}
|
%w(spotbugs-sast secrets-sast)
'Java'
|
{
'app.java'
=>
''
}
|
{}
|
%w(spotbugs-sast secrets-sast)
'Javascript'
|
{
'app.js'
=>
''
}
|
{}
|
%w(eslint-sast nodejs-scan-sast secrets-sast)
'HTML'
|
{
'index.html'
=>
''
}
|
{}
|
%w(eslint-sast secrets-sast)
'Kubernetes Manifests'
|
{
'Chart.yaml'
=>
''
}
|
{
'SCAN_KUBERNETES_MANIFESTS'
=>
'true'
}
|
%w(kubesec-sast secrets-sast)
'Multiple languages'
|
{
'app.java'
=>
''
,
'app.js'
=>
''
}
|
{}
|
%w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
'PHP'
|
{
'app.php'
=>
''
}
|
{}
|
%w(phpcs-security-audit-sast secrets-sast)
'Python'
|
{
'app.py'
=>
''
}
|
{}
|
%w(bandit-sast secrets-sast)
'Ruby'
|
{
'application.rb'
=>
''
}
|
{}
|
%w(brakeman-sast secrets-sast)
'Scala'
|
{
'app.scala'
=>
''
}
|
{}
|
%w(spotbugs-sast secrets-sast)
'Typescript'
|
{
'app.ts'
=>
''
}
|
{}
|
%w(tslint-sast secrets-sast)
'Visual Basic'
|
{
'app.vbproj'
=>
''
}
|
{}
|
%w(security-code-scan-sast secrets-sast)
end
with_them
do
...
...
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
View file @
a9e72d97
...
...
@@ -17,11 +17,10 @@ sast:
artifacts
:
reports
:
sast
:
gl-sast-report.json
only
:
refs
:
-
branches
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
when
:
never
-
if
:
$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
image
:
docker:stable
variables
:
SEARCH_MAX_DEPTH
:
4
...
...
@@ -42,18 +41,15 @@ sast:
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
except
:
variables
:
-
$SAST_DISABLED
-
$SAST_DISABLE_DIND == 'true'
.sast-analyzer
:
extends
:
sast
services
:
[]
except
:
variables
:
-
$SAST_DISABLED
-
$SAST_DISABLE_DIND == 'false'
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/
script
:
-
/analyzer run
...
...
@@ -61,49 +57,65 @@ bandit-sast:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/&&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/
exists
:
-
'
**/*.py'
brakeman-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/
exists
:
-
'
**/*.rb'
eslint-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/
exists
:
-
'
**/*.html'
-
'
**/*.js'
flawfinder-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/
exists
:
-
'
**/*.c'
-
'
**/*.cpp'
kubesec-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
$SCAN_KUBERNETES_MANIFESTS == 'true'
...
...
@@ -111,87 +123,117 @@ gosec-sast:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bgo\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/
exists
:
-
'
**/*.go'
nodejs-scan-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
exists
:
-
'
**/*.js'
phpcs-security-audit-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
exists
:
-
'
**/*.php'
pmd-apex-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
exists
:
-
'
**/*.cls'
secrets-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /secrets/
security-code-scan-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\#|visual basic\b)/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
exists
:
-
'
**/*.csproj'
-
'
**/*.vbproj'
sobelow-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/
exists
:
-
'
**/*.ex'
-
'
**/*.exs'
spotbugs-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(groovy|java|scala)\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/
exists
:
-
'
**/*.groovy'
-
'
**/*.java'
-
'
**/*.scala'
tslint-sast
:
extends
:
.sast-analyzer
image
:
name
:
"
$SAST_ANALYZER_IMAGE_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG"
only
:
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /tslint/ &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /tslint/
exists
:
-
'
**/*.ts'
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment