Skip to content

G
gitlab-ce
Commit fe7aee82 authored by Rémy Coutable's avatar Rémy Coutable
Browse files
Options

Merge branch 'clean-up-secure-jobs' into 'master' 

Clean-up secure jobs config

See merge request gitlab-org/gitlab!72337
parents 959804e8 48698a62
Hide whitespace changes
Inline Side-by-side
Showing with 1 addition and 14 deletions
.gitlab/ci/reports.gitlab-ci.yml
View file @ fe7aee82
......@@ -32,11 +32,9 @@ code_quality:
brakeman-sast:
rules: !reference [".reports:rules:brakeman-sast", rules]
allow_failure: true
semgrep-sast:
rules: !reference [".reports:rules:semgrep-sast", rules]
allow_failure: true
gosec-sast:
variables:
......@@ -53,7 +51,6 @@ gosec-sast:
paths:
- vendor/go
rules: !reference [".reports:rules:gosec-sast", rules]
allow_failure: true
.secret-analyzer:
extends: .default-retry
......@@ -65,7 +62,6 @@ gosec-sast:
secret_detection:
rules: !reference [".reports:rules:secret_detection", rules]
allow_failure: true
.ds-analyzer:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
......@@ -75,6 +71,7 @@ secret_detection:
needs: []
variables:
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific
DS_EXCLUDED_ANALYZERS: "gemnasium-maven"
artifacts:
paths:
- gl-dependency-scanning-report.json # GitLab-specific
......@@ -84,25 +81,16 @@ gemnasium-dependency_scanning:
before_script:
# git-lfs is needed for auto-remediation
- apk add git-lfs
after_script:
# Post-processing
- apk add jq
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
allow_failure: true
bundler-audit-dependency_scanning:
rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
allow_failure: true
retire-js-dependency_scanning:
rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
allow_failure: true
gemnasium-python-dependency_scanning:
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
allow_failure: true
# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
......@@ -150,4 +138,3 @@ license_scanning:
artifacts:
expire_in: 1 week # GitLab-specific
rules: !reference [".reports:rules:license_scanning", rules]
allow_failure: true
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7