vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 07:28:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Disable analyzer replaced by semgrep

Browse source
This commit is contained in:
Craig Smith 2024-05-07 13:33:41 +00:00 committed by Lucas Charles
parent 036c14b9ed
commit 4852fea0ce
2 changed files with 25 additions and 55 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.gitlab-ci.yml
View file

@ -3,12 +3,12 @@ include:
stages: [test, release] stages: [test, release]
ensure-brakeman-job-added: ensure-semgrep-job-added:
image: badouralix/curl-jq image: badouralix/curl-jq
script: script:
- | - |
route="$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs" route="$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs"
count=`curl --silent $route | jq 'map(select(.name | contains("brakeman-sast"))) | length'` count=`curl --silent $route | jq 'map(select(.name | contains("semgrep-sast"))) | length'`
if [ "$count" != "1" ]; then if [ "$count" != "1" ]; then
exit 1 exit 1
fi fi

76
templates/sast.yml
View file

@ -34,19 +34,7 @@ spec:
reports: reports:
sast: gl-sast-report.json sast: gl-sast-report.json
brakeman-sast: .deprecated-16.8:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /brakeman/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.rb'
- '**/Gemfile'
flawfinder-sast:
extends: .sast-analyzer extends: .sast-analyzer
script: script:
- echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0" - echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0"
@ -55,6 +43,13 @@ flawfinder-sast:
rules: rules:
- when: never - when: never
brakeman-sast:
extends: .deprecated-16.8
flawfinder-sast:
extends: .deprecated-16.8
kubesec-sast: kubesec-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
@ -64,52 +59,17 @@ kubesec-sast:
when: never when: never
- if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"' - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
.mobsf-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/mobsf:$[[ inputs.image_tag ]]"
mobsf-android-sast: mobsf-android-sast:
extends: .mobsf-sast extends: .deprecated-16.8
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never
- if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"'
exists:
- '**/*.apk'
- '**/AndroidManifest.xml'
mobsf-ios-sast: mobsf-ios-sast:
extends: .mobsf-sast extends: .deprecated-16.8
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never
- if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"'
exists:
- '**/*.ipa'
- '**/*.xcodeproj/*'
nodejs-scan-sast: nodejs-scan-sast:
extends: .sast-analyzer extends: .deprecated-16.8
image:
name: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/package.json'
phpcs-security-audit-sast: phpcs-security-audit-sast:
extends: .sast-analyzer extends: .deprecated-16.8
image:
name: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.php'
pmd-apex-sast: pmd-apex-sast:
extends: .sast-analyzer extends: .sast-analyzer
@ -148,12 +108,22 @@ semgrep-sast:
- '**/*.ts' - '**/*.ts'
- '**/*.tsx' - '**/*.tsx'
- '**/*.c' - '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.go' - '**/*.go'
- '**/*.java' - '**/*.java'
- '**/*.cs'
- '**/*.html' - '**/*.html'
- '**/*.cs'
- '**/*.scala' - '**/*.scala'
- '**/*.sc' - '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
sobelow-sast: sobelow-sast:
extends: .sast-analyzer extends: .sast-analyzer