Commit e12b9fc1 authored by Lucas Charles

Drop deprecated Secure ANALYZER_IMAGE_PREFIX vars

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/213816
parent ad24d47e
---
title: Drop deprecated **_ANALYZER_IMAGE_PREFIX
merge_request: 34325
author:
type: removed
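Review bot: The changelog `title` uses `**_ANALYZER_IMAGE_PREFIX` as a wildcard, which will not match a search for either variable name and may be read as Markdown emphasis markers. Naming `DS_ANALYZER_IMAGE_PREFIX` and `SAST_ANALYZER_IMAGE_PREFIX` explicitly would make the removal easier to find.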
...@@ -151,7 +151,6 @@ The following variables allow configuration of global dependency scanning settin ...@@ -151,7 +151,6 @@ The following variables allow configuration of global dependency scanning settin
| Environment variable | Description | | Environment variable | Description |
| --------------------------------------- |------------ | | --------------------------------------- |------------ |
| `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). | | `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the official default images (proxy). Read more about [customizing analyzers](analyzers.md). |
| `DS_ANALYZER_IMAGE_PREFIX` | **DEPRECATED:** Use `SECURE_ANALYZERS_PREFIX` instead. |
| `DS_DEFAULT_ANALYZERS` | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). | | `DS_DEFAULT_ANALYZERS` | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
| `DS_DISABLE_DIND` | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. | | `DS_DISABLE_DIND` | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. |
| `ADDITIONAL_CA_CERT_BUNDLE` | Bundle of CA certs to trust. | | `ADDITIONAL_CA_CERT_BUNDLE` | Bundle of CA certs to trust. |
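Review bot: Removing the `DS_ANALYZER_IMAGE_PREFIX` row leaves no trace of the old name in this table, so a user searching the docs for a variable they still set will find nothing. Consider a short removal note pointing to `SECURE_ANALYZERS_PREFIX`, here or in the changelog entry.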
...@@ -428,14 +427,14 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -428,14 +427,14 @@ For details on saving and transporting Docker images as a file, see Docker's doc
### Set Dependency Scanning CI job variables to use local Dependency Scanning analyzers ### Set Dependency Scanning CI job variables to use local Dependency Scanning analyzers
Add the following configuration to your `.gitlab-ci.yml` file. You must replace Add the following configuration to your `.gitlab-ci.yml` file. You must replace
`DS_ANALYZER_IMAGE_PREFIX` to refer to your local Docker container registry: `SECURE_ANALYZERS_PREFIX` to refer to your local Docker container registry:
```yaml ```yaml
include: include:
- template: Dependency-Scanning.gitlab-ci.yml - template: Dependency-Scanning.gitlab-ci.yml
variables: variables:
DS_ANALYZER_IMAGE_PREFIX: "docker-registry.example.com/analyzers" SECURE_ANALYZERS_PREFIX: "docker-registry.example.com/analyzers"
GEMNASIUM_DB_REMOTE_URL: "gitlab.example.com/gemnasium-db.git" GEMNASIUM_DB_REMOTE_URL: "gitlab.example.com/gemnasium-db.git"
GIT_SSL_NO_VERIFY: "true" GIT_SSL_NO_VERIFY: "true"
``` ```
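Review bot: The sentence above the example reads "You must replace `SECURE_ANALYZERS_PREFIX` to refer to your local Docker container registry", but it is the variable's value that gets replaced, not the variable; suggest "replace the value of `SECURE_ANALYZERS_PREFIX`". Separately, the example keeps `GIT_SSL_NO_VERIFY: "true"`, while the variables table in this file lists `ADDITIONAL_CA_CERT_BUNDLE` for trusting a CA; a follow-up could point offline users at that instead of turning certificate verification off.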
......
...@@ -278,7 +278,6 @@ The following are Docker image-related variables. ...@@ -278,7 +278,6 @@ The following are Docker image-related variables.
| Environment variable | Description | | Environment variable | Description |
|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md). | | `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md). |
| `SAST_ANALYZER_IMAGE_PREFIX` | **DEPRECATED**: Use `SECURE_ANALYZERS_PREFIX` instead. |
| `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md). | | `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md). |
| `SAST_DEFAULT_ANALYZERS` | Override the names of default images. Read more about [customizing analyzers](analyzers.md). | | `SAST_DEFAULT_ANALYZERS` | Override the names of default images. Read more about [customizing analyzers](analyzers.md). |
| `SAST_DISABLE_DIND` | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. | | `SAST_DISABLE_DIND` | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. |
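Review bot: The `SAST_ANALYZER_IMAGE_TAG` row that stays in this table is still marked **DEPRECATED** but, unlike the removed prefix row, names no replacement. Since the table is being touched for deprecation cleanup, consider stating what to use instead or when the variable will be removed.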
...@@ -509,7 +508,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc ...@@ -509,7 +508,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc
### Set SAST CI job variables to use local SAST analyzers ### Set SAST CI job variables to use local SAST analyzers
Add the following configuration to your `.gitlab-ci.yml` file. You must replace Add the following configuration to your `.gitlab-ci.yml` file. You must replace
`SAST_ANALYZER_IMAGE_PREFIX` to refer to your local Docker container registry: `SECURE_ANALYZERS_PREFIX` to refer to your local Docker container registry:
```yaml ```yaml
include: include:
......
...@@ -9,9 +9,6 @@ variables: ...@@ -9,9 +9,6 @@ variables:
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# Deprecated, use SECURE_ANALYZERS_PREFIX instead
DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python" DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
DS_EXCLUDED_PATHS: "spec, test, tests, tmp" DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
DS_MAJOR_VERSION: 2 DS_MAJOR_VERSION: 2
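Review bot: With the `DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"` default gone from `variables:`, a project that still sets only `DS_ANALYZER_IMAGE_PREFIX` in its own `.gitlab-ci.yml` will have that override ignored without any error, and its jobs will resolve images from the default `registry.gitlab.com/gitlab-org/security-products/analyzers` prefix. For offline or mirrored-registry setups that changes where images are pulled from, so it is worth stating explicitly in the changelog entry or release notes.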
...@@ -45,7 +42,7 @@ dependency_scanning: ...@@ -45,7 +42,7 @@ dependency_scanning:
docker run \ docker run \
$(propagate_env_vars \ $(propagate_env_vars \
DS_ANALYZER_IMAGES \ DS_ANALYZER_IMAGES \
DS_ANALYZER_IMAGE_PREFIX \ SECURE_ANALYZERS_PREFIX \
DS_ANALYZER_IMAGE_TAG \ DS_ANALYZER_IMAGE_TAG \
DS_DEFAULT_ANALYZERS \ DS_DEFAULT_ANALYZERS \
DS_EXCLUDED_PATHS \ DS_EXCLUDED_PATHS \
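Review bot: Nothing in this hunk shows that the image started by `docker run` reads `SECURE_ANALYZERS_PREFIX`, which now takes the place of `DS_ANALYZER_IMAGE_PREFIX` in the `propagate_env_vars` list. If the Docker-in-Docker orchestrator still looks up the old name, a custom prefix would stop taking effect in that mode; please confirm or link the corresponding orchestrator change.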
...@@ -98,7 +95,7 @@ dependency_scanning: ...@@ -98,7 +95,7 @@ dependency_scanning:
gemnasium-dependency_scanning: gemnasium-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium:$DS_MAJOR_VERSION" name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never when: never
...@@ -117,7 +114,7 @@ gemnasium-dependency_scanning: ...@@ -117,7 +114,7 @@ gemnasium-dependency_scanning:
gemnasium-maven-dependency_scanning: gemnasium-maven-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION" name: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never when: never
...@@ -133,7 +130,7 @@ gemnasium-maven-dependency_scanning: ...@@ -133,7 +130,7 @@ gemnasium-maven-dependency_scanning:
gemnasium-python-dependency_scanning: gemnasium-python-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/gemnasium-python:$DS_MAJOR_VERSION" name: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never when: never
...@@ -156,7 +153,7 @@ gemnasium-python-dependency_scanning: ...@@ -156,7 +153,7 @@ gemnasium-python-dependency_scanning:
bundler-audit-dependency_scanning: bundler-audit-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/bundler-audit:$DS_MAJOR_VERSION" name: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never when: never
...@@ -169,7 +166,7 @@ bundler-audit-dependency_scanning: ...@@ -169,7 +166,7 @@ bundler-audit-dependency_scanning:
retire-js-dependency_scanning: retire-js-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
image: image:
name: "$DS_ANALYZER_IMAGE_PREFIX/retire.js:$DS_MAJOR_VERSION" name: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false'
when: never when: never
......
...@@ -9,9 +9,6 @@ variables: ...@@ -9,9 +9,6 @@ variables:
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# Deprecated, use SECURE_ANALYZERS_PREFIX instead
SAST_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec" SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SAST_ANALYZER_IMAGE_TAG: 2 SAST_ANALYZER_IMAGE_TAG: 2
...@@ -63,7 +60,7 @@ sast: ...@@ -63,7 +60,7 @@ sast:
bandit-sast: bandit-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -76,7 +73,7 @@ bandit-sast: ...@@ -76,7 +73,7 @@ bandit-sast:
brakeman-sast: brakeman-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -88,7 +85,7 @@ brakeman-sast: ...@@ -88,7 +85,7 @@ brakeman-sast:
eslint-sast: eslint-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -102,7 +99,7 @@ eslint-sast: ...@@ -102,7 +99,7 @@ eslint-sast:
flawfinder-sast: flawfinder-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -116,7 +113,7 @@ flawfinder-sast: ...@@ -116,7 +113,7 @@ flawfinder-sast:
kubesec-sast: kubesec-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -128,7 +125,7 @@ kubesec-sast: ...@@ -128,7 +125,7 @@ kubesec-sast:
gosec-sast: gosec-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -141,7 +138,7 @@ gosec-sast: ...@@ -141,7 +138,7 @@ gosec-sast:
nodejs-scan-sast: nodejs-scan-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -154,7 +151,7 @@ nodejs-scan-sast: ...@@ -154,7 +151,7 @@ nodejs-scan-sast:
phpcs-security-audit-sast: phpcs-security-audit-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -167,7 +164,7 @@ phpcs-security-audit-sast: ...@@ -167,7 +164,7 @@ phpcs-security-audit-sast:
pmd-apex-sast: pmd-apex-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -180,7 +177,7 @@ pmd-apex-sast: ...@@ -180,7 +177,7 @@ pmd-apex-sast:
secrets-sast: secrets-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -191,7 +188,7 @@ secrets-sast: ...@@ -191,7 +188,7 @@ secrets-sast:
security-code-scan-sast: security-code-scan-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -205,7 +202,7 @@ security-code-scan-sast: ...@@ -205,7 +202,7 @@ security-code-scan-sast:
sobelow-sast: sobelow-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -218,7 +215,7 @@ sobelow-sast: ...@@ -218,7 +215,7 @@ sobelow-sast:
spotbugs-sast: spotbugs-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
...@@ -233,7 +230,7 @@ spotbugs-sast: ...@@ -233,7 +230,7 @@ spotbugs-sast:
tslint-sast: tslint-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG" name: "$SECURE_ANALYZERS_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never when: never
......