From 642cd120cac451fee62d91110b975496553fb4ed Mon Sep 17 00:00:00 2001
From: Fabio Pitino
Date: Wed, 3 May 2023 11:21:38 +0100
Subject: [PATCH] Port more vars to inputs

---
 README.md    |  3 +++
 template.yml | 50 ++++++++++++++++++++++----------------------------
 2 files changed, 25 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md
index 353f59f..5e31d95 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,9 @@ where `` is the latest released tag or `main`.
 | ----- | ------------- | ----------- |
 | `stage` | `test` | The stage where you want the job to be added |
 | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
+| `image_tag` | `3` | Tag of the Docker image to use |
 | `image_suffix` | `""` | Used by `semgrep-sast` job only |
 | `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
+| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
 | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
diff --git a/template.yml b/template.yml
index 4ed97b2..3290d96 100644
--- a/template.yml
+++ b/template.yml
@@ -4,23 +4,28 @@ spec:
       default: test
     image_prefix:
       default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
+    image_tag:
+      default: 3
     image_suffix:
       default: ""
     excluded_analyzers:
       default: ""
+    excluded_paths:
+      default: "spec, test, tests, tmp"
+    search_max_depth:
+      default: 4
     run_kubesec_sast:
       default: 'false'
-
 ---
 .sast-analyzer:
   stage: $[[ inputs.stage ]]
   allow_failure: true
-  # `rules` must be overridden explicitly by each child job
-  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
+  # these variables are used by the analyzer
+  # TODO: propagate inputs when breaking down into separate components
+  # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
   variables:
-    SEARCH_MAX_DEPTH: 4
-    SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
-    SCAN_KUBERNETES_MANIFESTS: "false"
+    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
+    SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
   script:
     - /analyzer run
   artifacts:
@@ -32,8 +37,7 @@ brakeman-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/brakeman:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -49,8 +53,7 @@ flawfinder-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/flawfinder:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -70,8 +73,7 @@ kubesec-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/kubesec:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
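Review bot: The new `image_tag` and `search_max_depth` defaults are unquoted integers (`default: 3`, `default: 4`) while the neighbouring `run_kubesec_sast` default is the quoted string `'false'`; an image tag is an opaque identifier, and a later default such as `3.1` would load as a float, so `default: "3"` keeps the input a string and matches the README, which documents it as a tag. The `SCAN_KUBERNETES_MANIFESTS: "false"` default is removed from `.sast-analyzer` with no replacement in this hunk; if the kubesec analyzer or a rule outside the hunk still reads that variable, its default silently changes from `"false"` to unset, which is worth confirming before merge. The new TODO comment already admits that some jobs override `SEARCH_MAX_DEPTH` (semgrep-sast sets `20` in a later hunk), so the README row for `search_max_depth` should state that it does not apply to `semgrep-sast` until that is addressed. The `.sast-analyzer` definition continues past the end of the hunk.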
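Review bot: Dropping the job-level `SAST_ANALYZER_IMAGE_TAG` variable changes how the analyzer version can be pinned: as I read GitLab variable precedence, a project or pipeline variable of that name previously overrode the job value and so pinned the image, whereas `$[[ inputs.image_tag ]]` is resolved when the template is included and can only be changed through the input. The same applies to the flawfinder and kubesec hunks on this line and to the mobsf, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, semgrep, sobelow and spotbugs hunks. Because the default stays the mutable major tag `3`, the README row for `image_tag` should say something like `Replaces the SAST_ANALYZER_IMAGE_TAG variable; pin this input to an immutable tag for reproducible scans` so consumers learn about the break and the pinning option in one place. The brakeman-sast `rules` block continues past the end of the hunk.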
@@ -84,8 +86,7 @@ kubesec-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/mobsf:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/mobsf:$[[ inputs.image_tag ]]"
 
 mobsf-android-sast:
   extends: .mobsf-sast
@@ -118,8 +119,7 @@ nodejs-scan-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -134,8 +134,7 @@ phpcs-security-audit-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -150,8 +149,7 @@ pmd-apex-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -166,8 +164,7 @@ security-code-scan-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: '3'
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/security-code-scan:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -184,8 +181,7 @@ semgrep-sast:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
     SEARCH_MAX_DEPTH: 20
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/semgrep:$SAST_ANALYZER_IMAGE_TAG$[[ inputs.image_suffix ]]"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -211,8 +207,7 @@ sobelow-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/sobelow:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -227,8 +222,7 @@ spotbugs-sast:
   image:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 3
-    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
+    SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$[[ inputs.image_tag ]]"
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
       when: never