Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
c4cff21e
Commit
c4cff21e
authored
Sep 03, 2020
by
Fabien Catteau
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Drop DinD for SAST, DS
Drop Docker-in-Docker mode for SAST and Dependency Scanning.
parent
77fc4324
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
32 additions
and
131 deletions
+32
-131
changelogs/unreleased/220540-drop-ds-sast-dind.yml
changelogs/unreleased/220540-drop-ds-sast-dind.yml
+5
-0
ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
...b/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
+0
-10
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+0
-18
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
...b/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+10
-67
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+17
-36
No files found.
changelogs/unreleased/220540-drop-ds-sast-dind.yml
0 → 100644
View file @
c4cff21e
---
title
:
Drop Docker-in-Docker mode for SAST and Dependency Scanning
merge_request
:
41260
author
:
type
:
removed
ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
View file @
c4cff21e
...
...
@@ -33,16 +33,6 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
allow
(
License
).
to
receive
(
:current
).
and_return
(
license
)
end
context
'when DS_DISABLE_DIND=false'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DS_DISABLE_DIND'
,
value:
'false'
)
end
it
'includes orchestrator job'
do
expect
(
build_names
).
to
match_array
(
%w[dependency_scanning]
)
end
end
context
'when DEPENDENCY_SCANNING_DISABLED=1'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DEPENDENCY_SCANNING_DISABLED'
,
value:
'1'
)
...
...
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
View file @
c4cff21e
...
...
@@ -73,23 +73,5 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
end
end
end
context
'when project has Ultimate license'
do
let
(
:license
)
{
create
(
:license
,
plan:
License
::
ULTIMATE_PLAN
)
}
before
do
allow
(
License
).
to
receive
(
:current
).
and_return
(
license
)
end
context
'when SAST_DISABLE_DIND=false'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'SAST_DISABLE_DIND'
,
value:
'false'
)
end
it
'includes orchestrator job'
do
expect
(
build_names
).
to
match_array
(
%w[sast]
)
end
end
end
end
end
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
View file @
c4cff21e
...
...
@@ -12,81 +12,24 @@ variables:
DS_DEFAULT_ANALYZERS
:
"
bundler-audit,
retire.js,
gemnasium,
gemnasium-maven,
gemnasium-python"
DS_EXCLUDED_PATHS
:
"
spec,
test,
tests,
tmp"
DS_MAJOR_VERSION
:
2
DS_DISABLE_DIND
:
"
true"
dependency_scanning
:
stage
:
test
image
:
docker:stable
variables
:
DOCKER_DRIVER
:
overlay2
DOCKER_TLS_CERTDIR
:
"
"
allow_failure
:
true
services
:
-
docker:stable-dind
script
:
-
|
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
-
|
# this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
function propagate_env_vars() {
CURRENT_ENV=$(printenv)
for VAR_NAME; do
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
done
}
-
|
docker run \
$(propagate_env_vars \
DS_ANALYZER_IMAGES \
SECURE_ANALYZERS_PREFIX \
DS_ANALYZER_IMAGE_TAG \
DS_DEFAULT_ANALYZERS \
DS_EXCLUDED_PATHS \
DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
DS_PULL_ANALYZER_IMAGE_TIMEOUT \
DS_RUN_ANALYZER_TIMEOUT \
DS_PYTHON_VERSION \
DS_PIP_VERSION \
DS_PIP_DEPENDENCY_PATH \
DS_JAVA_VERSION \
GEMNASIUM_DB_LOCAL_PATH \
GEMNASIUM_DB_REMOTE_URL \
GEMNASIUM_DB_REF_NAME \
PIP_INDEX_URL \
PIP_EXTRA_INDEX_URL \
PIP_REQUIREMENTS_FILE \
MAVEN_CLI_OPTS \
GRADLE_CLI_OPTS \
SBT_CLI_OPTS \
BUNDLER_AUDIT_UPDATE_DISABLED \
BUNDLER_AUDIT_ADVISORY_DB_URL \
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
RETIREJS_JS_ADVISORY_DB \
RETIREJS_NODE_ADVISORY_DB \
DS_REMEDIATE \
) \
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
-
echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
-
exit
1
artifacts
:
reports
:
dependency_scanning
:
gl-dependency-scanning-report.json
dependencies
:
[]
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'true'
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
-
when
:
never
.ds-analyzer
:
extends
:
dependency_scanning
services
:
[]
allow_failure
:
true
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED
|| $DS_DISABLE_DIND == 'false'
-
if
:
$DEPENDENCY_SCANNING_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
...
...
@@ -100,7 +43,7 @@ gemnasium-dependency_scanning:
variables
:
DS_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED
|| $DS_DISABLE_DIND == 'false'
-
if
:
$DEPENDENCY_SCANNING_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...
...
@@ -123,7 +66,7 @@ gemnasium-maven-dependency_scanning:
variables
:
DS_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED
|| $DS_DISABLE_DIND == 'false'
-
if
:
$DEPENDENCY_SCANNING_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...
...
@@ -141,7 +84,7 @@ gemnasium-python-dependency_scanning:
variables
:
DS_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED
|| $DS_DISABLE_DIND == 'false'
-
if
:
$DEPENDENCY_SCANNING_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...
...
@@ -166,7 +109,7 @@ bundler-audit-dependency_scanning:
variables
:
DS_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED
|| $DS_DISABLE_DIND == 'false'
-
if
:
$DEPENDENCY_SCANNING_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...
...
@@ -181,7 +124,7 @@ retire-js-dependency_scanning:
variables
:
DS_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
rules
:
-
if
:
$DEPENDENCY_SCANNING_DISABLED
|| $DS_DISABLE_DIND == 'false'
-
if
:
$DEPENDENCY_SCANNING_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...
...
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
View file @
c4cff21e
...
...
@@ -12,45 +12,26 @@ variables:
SAST_DEFAULT_ANALYZERS
:
"
bandit,
brakeman,
gosec,
spotbugs,
flawfinder,
phpcs-security-audit,
security-code-scan,
nodejs-scan,
eslint,
sobelow,
pmd-apex,
kubesec"
SAST_EXCLUDED_PATHS
:
"
spec,
test,
tests,
tmp"
SAST_ANALYZER_IMAGE_TAG
:
2
SAST_DISABLE_DIND
:
"
true"
SCAN_KUBERNETES_MANIFESTS
:
"
false"
sast
:
stage
:
test
allow_failure
:
true
artifacts
:
reports
:
sast
:
gl-sast-report.json
rules
:
-
if
:
$SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
when
:
never
-
if
:
$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
image
:
docker:stable
-
when
:
never
variables
:
SEARCH_MAX_DEPTH
:
4
DOCKER_DRIVER
:
overlay2
DOCKER_TLS_CERTDIR
:
"
"
services
:
-
docker:stable-dind
script
:
-
|
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
-
|
docker run \
$(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -v -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | awk '{printf " -e %s", $0}') \
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
-
echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
-
exit
1
.sast-analyzer
:
extends
:
sast
services
:
[]
allow_failure
:
true
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH
script
:
...
...
@@ -63,7 +44,7 @@ bandit-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/
...
...
@@ -77,7 +58,7 @@ brakeman-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/
...
...
@@ -91,7 +72,7 @@ eslint-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/
...
...
@@ -109,7 +90,7 @@ flawfinder-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/
...
...
@@ -124,7 +105,7 @@ kubesec-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
...
...
@@ -137,7 +118,7 @@ gosec-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/
...
...
@@ -151,7 +132,7 @@ nodejs-scan-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
...
...
@@ -165,7 +146,7 @@ phpcs-security-audit-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
...
...
@@ -179,7 +160,7 @@ pmd-apex-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
...
...
@@ -193,7 +174,7 @@ security-code-scan-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
...
...
@@ -208,7 +189,7 @@ sobelow-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/
...
...
@@ -222,7 +203,7 @@ spotbugs-sast:
variables
:
SAST_ANALYZER_IMAGE
:
"
$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules
:
-
if
:
$SAST_DISABLED
|| $SAST_DISABLE_DIND == 'false'
-
if
:
$SAST_DISABLED
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment