diff --git a/README.md b/README.md index ca020ac..994a4ef 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,11 @@ # SAST (Static Application Security Testing) -Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/ +This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). + +More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). + +More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). -Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). -List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables ## Usage @@ -12,7 +14,8 @@ keyword. ```yaml include: - - component: gitlab.com/components/sast/sast@ + - component: gitlab.com/components/sast/sast@ # To include SAST Scanning + - component: gitlab.com/components/sast/iac-sast@ # To include IaC Scanning ``` where `` is the latest released tag or `main`. @@ -34,18 +37,18 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit ### Inputs -| Input | Default value | Description | -| ----- | ------------- | ----------- | -| `stage` | `test` | The stage where you want the job to be added | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | -| `image_tag` | `4` | Tag of the Docker image to use | -| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | -| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | -| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] -| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | +| Input | Default value | Description | SAST | IaC | +| ----- | ------------- | ----------- | ---- | --- | +| `stage` | `test` | The stage where you want the job to be added | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `image_tag` | `4` | Tag of the Docker image to use | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes, no FIPS support for IaC | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | ## Contribute diff --git a/templates/iac-sast.yml b/templates/iac-sast.yml new file mode 100644 index 0000000..d657763 --- /dev/null +++ b/templates/iac-sast.yml @@ -0,0 +1,38 @@ +# Component created based on GitLab's IAC SAST Scanning template +# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/ + +spec: + inputs: + stage: + default: test + excluded_paths: + default: "spec, test, tests, tmp" + excluded_analyzers: + default: "" + image_prefix: + default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" + image_suffix: + dafault: "" + search_max_depth: + default: 4 + image_tag: + default: 6 + +--- +kics-iac-sast: + stage: $[[ inputs.stage ]] + image: + name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" + variables: + SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] + script: + - /analyzer run + artifacts: + access: 'developer' + reports: + sast: gl-sast-report.json + allow_failure: true + rules: + - if: $[[ inputs.excluded_analyzers ]] =~ /kics/ + when: never + - if: $CI_COMMIT_BRANCH