From 164e1f07ad2cc64f82363a150d5d4f96d298cce0 Mon Sep 17 00:00:00 2001
From: Hua Yan
Date: Tue, 3 Jun 2025 10:46:50 +1000
Subject: [PATCH 1/2] Try fix

---
 templates/iac-sast-fix.yml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 templates/iac-sast-fix.yml

diff --git a/templates/iac-sast-fix.yml b/templates/iac-sast-fix.yml
new file mode 100644
index 0000000..81ff32c
--- /dev/null
+++ b/templates/iac-sast-fix.yml
@@ -0,0 +1,38 @@
+# Component created based on GitLab's IAC SAST Scanning template
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
+
+spec:
+ inputs:
+ stage:
+ default: test
+ excluded_paths:
+ default: "spec, test, tests, tmp"
+ excluded_analyzers:
+ default: ""
+ image_prefix:
+ default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
+ image_suffix:
+ default: ""
+ search_max_depth:
+ default: 4
+ image_tag:
+ default: 6
+
+---
+kics-iac-sast:
+ stage: $[[ inputs.stage ]]
+ image:
+ name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
+ variables:
+ SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
+ script:
+ - /analyzer run
+ artifacts:
+ access: 'developer'
+ reports:
+ sast: gl-sast-report.json
+ allow_failure: true
+ rules:
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/'
+ when: never
+ - if: $CI_COMMIT_BRANCH
From 8ce5c87369619aa2d8548234fae1fb71118384dc Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com"
Date: Tue, 3 Jun 2025 10:54:02 +1000
Subject: [PATCH 2/2] Fix

---
 templates/iac-sast-fix.yml | 38 --------------------------------------
 templates/iac-sast.yml | 2 +-
 2 files changed, 1 insertion(+), 39 deletions(-)
 delete mode 100644 templates/iac-sast-fix.yml

diff --git a/templates/iac-sast-fix.yml b/templates/iac-sast-fix.yml
deleted file mode 100644
index 81ff32c..0000000
--- a/templates/iac-sast-fix.yml
+++ /dev/null
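Review bot: The `excluded_paths` input declared under `spec.inputs` is never referenced by the `kics-iac-sast` job below it — the job's `variables` stanza sets only `SEARCH_MAX_DEPTH` — so a consumer overriding it gets no effect; presumably it was meant to feed the analyzer's `SAST_EXCLUDED_PATHS` variable as the upstream GitLab template does, e.g. `SAST_EXCLUDED_PATHS: "$[[ inputs.excluded_paths ]]"` under `variables`. The second patch deletes this file but lands the identical blob (index `81ff32c`) as `templates/iac-sast.yml`, so the same gap applies there. The image reference `kics:$[[ inputs.image_tag ]]` with default `6` is a floating major tag, so a header comment noting that consumers wanting a reproducible scanner should pass a full tag or digest via `image_tag`/`image_suffix` would help. `allow_failure: true` means a scanner failure never blocks the pipeline; stating that in the header comment makes it a documented choice rather than a surprise.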
@@ -1,38 +0,0 @@
-# Component created based on GitLab's IAC SAST Scanning template
-# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
-
-spec:
- inputs:
- stage:
- default: test
- excluded_paths:
- default: "spec, test, tests, tmp"
- excluded_analyzers:
- default: ""
- image_prefix:
- default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
- image_suffix:
- default: ""
- search_max_depth:
- default: 4
- image_tag:
- default: 6
-
----
-kics-iac-sast:
- stage: $[[ inputs.stage ]]
- image:
- name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
- variables:
- SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
- script:
- - /analyzer run
- artifacts:
- access: 'developer'
- reports:
- sast: gl-sast-report.json
- allow_failure: true
- rules:
- - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/'
- when: never
- - if: $CI_COMMIT_BRANCH
diff --git a/templates/iac-sast.yml b/templates/iac-sast.yml
index 3da0295..81ff32c 100644
--- a/templates/iac-sast.yml
+++ b/templates/iac-sast.yml
@@ -33,6 +33,6 @@ kics-iac-sast:
 sast: gl-sast-report.json
 allow_failure: true
 rules:
- - if: $[[ inputs.excluded_analyzers ]] =~ /kics/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/'
 when: never
 - if: $CI_COMMIT_BRANCH
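Review bot: The quoted form on the added line works only because `$[[ ]]` interpolation is plain text substitution, which is not obvious to a later reader; a comment above the rule such as `# Quoted so an empty excluded_analyzers renders as "" =~ /kics/ instead of the invalid bare =~ /kics/` would record why the previous form failed. Two consequences are worth documenting alongside it: an input value containing a double quote breaks the expression at include time, and `/kics/` is an unanchored substring match, so any analyzer name containing `kics` disables the job. The `kics-iac-sast` job definition and its `artifacts` stanza begin outside the hunk.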