Commit e0e03b98 authored by Dmitriy Zaporozhets

Merge branch '4845-update-sast-doc-and-example' into 'master'

Resolve "Update SAST doc and example"

Closes #4845

See merge request gitlab-org/gitlab-ee!4426
parents 3b0277fb 19c1eaa2
...@@ -8,21 +8,62 @@ This example shows how to run ...@@ -8,21 +8,62 @@ This example shows how to run
[Static Application Security Testing (SAST)](https://en.wikipedia.org/wiki/Static_program_analysis) [Static Application Security Testing (SAST)](https://en.wikipedia.org/wiki/Static_program_analysis)
on your project's source code by using GitLab CI/CD. on your project's source code by using GitLab CI/CD.
All you need is a GitLab Runner with the Docker executor (the shared Runners on First, you need GitLab Runner with [docker-in-docker executor](https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-docker-in-docker-executor).
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`, You can then add a new job to `.gitlab-ci.yml`,
called `sast`: called `sast`:
```yaml ```yaml
sast: sast:
image: registry.gitlab.com/gitlab-org/gl-sast:latest image: docker:latest
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:dind
script: script:
- /app/bin/run . - setup_docker
- sast
artifacts: artifacts:
paths: [gl-sast-report.json] paths: [gl-sast-report.json]
.auto_devops: &auto_devops |
# Auto DevOps variables and functions
function setup_docker() {
if ! docker info &>/dev/null; then
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
}
function sast() {
case "$CI_SERVER_VERSION" in
*-ee)
# Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable"
SAST_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
docker run --volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
;;
*)
echo "GitLab EE is required"
;;
esac
}
before_script:
- *auto_devop
``` ```
Behind the scenes, the [gl-sast Docker image](https://gitlab.com/gitlab-org/gl-sast) Please check the [Auto-DevOps template](https://gitlab.com/gitlab-org/gitlab-ci-yml/blob/master/Auto-DevOps.gitlab-ci.yml) for full reference.
is used to detect the language/framework and in turn runs the matching scan tool.
Behind the scenes, the [GitLab SAST Docker image](https://gitlab.com/gitlab-org/security-products/sast)
is used to detect the languages/frameworks and in turn runs the matching scan tools.
Some security scanners require to send a list of project dependencies to GitLab central servers to check for vulnerabilities. To learn more about this or to disable it please
check [GitLab SAST documentation](https://gitlab.com/gitlab-org/security-products/sast#remote-checks).
The above example will create a `sast` job in your CI pipeline and will allow The above example will create a `sast` job in your CI pipeline and will allow
you to download and analyze the report artifact in JSON format. you to download and analyze the report artifact in JSON format.
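Review bot: the `before_script` alias `*auto_devop` does not match the anchor `&auto_devops` declared on `.auto_devops`, so this `.gitlab-ci.yml` fails to parse with an unknown alias and the `sast` job never reaches `setup_docker` or `sast`; change the line to `- *auto_devops`. Two things are also worth documenting next to the example rather than leaving implicit in the script: `sast()` mounts `/var/run/docker.sock` into the scanner container, which hands that container control of the runner's Docker daemon, so the job trusts the `security-products/sast` image at the level of the Docker host; and the `*)` branch only echoes "GitLab EE is required" and returns success, so on a non-EE server the job passes without producing `gl-sast-report.json`, which `artifacts: paths` then cannot collect. Minor: `[ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]` relies on the obsolescent `-a` test operator; `[ -z "$DOCKER_HOST" ] && [ -n "$KUBERNETES_PORT" ]` is the portable form.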
...@@ -44,13 +85,6 @@ so, the CI job must be named `sast` and the artifact path must be ...@@ -44,13 +85,6 @@ so, the CI job must be named `sast` and the artifact path must be
## Supported languages and frameworks ## Supported languages and frameworks
The following languages and frameworks are supported. See [the full list of supported languages and frameworks](../../user/project/merge_requests/sast.md#supported-languages-and-frameworks).
| Language / framework | Scan tool |
| -------------------- | --------- |
| JavaScript | [Retire.js](https://retirejs.github.io/retire.js)
| Python | [bandit](https://github.com/openstack/bandit) |
| Ruby | [bundler-audit](https://github.com/rubysec/bundler-audit) |
| Ruby on Rails | [brakeman](https://brakemanscanner.org) |
[ee]: https://about.gitlab.com/products/ [ee]: https://about.gitlab.com/products/
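Review bot: with the table removed, the first sentence "The following languages and frameworks are supported." introduces nothing and reads as dangling; collapse it into the link sentence, e.g. "See [the full list of supported languages and frameworks](../../user/project/merge_requests/sast.md#supported-languages-and-frameworks) in the SAST documentation." The relative link also depends on the `## Supported languages and frameworks` heading that this merge request adds to `user/project/merge_requests/sast.md`, so the anchor must stay in sync if that heading is ever renamed.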
...@@ -207,7 +207,7 @@ target branches are also ...@@ -207,7 +207,7 @@ target branches are also
> Introduced in [GitLab Ultimate][ee] 10.3. > Introduced in [GitLab Ultimate][ee] 10.3.
Static Application Security Testing (SAST) uses the Static Application Security Testing (SAST) uses the
[gl-sast Docker image](https://gitlab.com/gitlab-org/gl-sast) to run static [SAST Docker image](https://gitlab.com/gitlab-org/security-products/sast) to run static
analysis on the current code and checks for potential security issues. Once the analysis on the current code and checks for potential security issues. Once the
report is created, it's uploaded as an artifact which you can later download and report is created, it's uploaded as an artifact which you can later download and
check out. check out.
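Review bot: this paragraph still describes the job as running "static analysis on the current code", but the example hunk above documents that the new `security-products/sast` image also sends a list of project dependencies to GitLab servers for some scanners; since this page only swaps the image link, consider pointing readers here to the same remote-checks section so they learn about the outbound call, and how to disable it, without having to read the examples page.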
...@@ -23,6 +23,19 @@ request widget area: ...@@ -23,6 +23,19 @@ request widget area:
- Your code has a potentially dangerous attribute in a class, or unsafe code - Your code has a potentially dangerous attribute in a class, or unsafe code
that can lead to unintended code execution. that can lead to unintended code execution.
## Supported languages and frameworks
The following languages and frameworks are supported:
| Language (package managers) / framework | Scan tool |
| ---------------------- | --------- |
| JavaScript ([npm](https://www.npmjs.com/), [yarn](https://yarnpkg.com/en/)) | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium), [Retire.js](https://retirejs.github.io/retire.js)
| Python ([pip](https://pip.pypa.io/en/stable/)) | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium), [bandit](https://github.com/openstack/bandit) |
| Ruby ([gem](https://rubygems.org/)) | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium), [bundler-audit](https://github.com/rubysec/bundler-audit) |
| Ruby on Rails | [brakeman](https://brakemanscanner.org) |
| Java ([Maven](http://maven.apache.org/)) | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
| PHP ([Composer](https://getcomposer.org/)) | [gemnasium](https://gitlab.com/gitlab-org/security-products/gemnasium) |
## How it works ## How it works
In order for the report to show in the merge request, you need to specify a In order for the report to show in the merge request, you need to specify a
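Review bot: the JavaScript row of the new table is missing its closing `|`, unlike the other rows; add it for consistency (the separator row's column widths also do not match the header, which renders fine but is untidy). Because the examples page in this same merge request states that some scanners send the project's dependency list to GitLab servers, this table is the natural place to mark which rows involve that remote check, so readers can tell at a glance which tools make an outbound call and where to disable it.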