vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 15:38:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Port more vars to inputs

Browse source
This commit is contained in:
Fabio Pitino 2023-05-03 11:21:38 +01:00
parent a2e96cb379
commit 642cd120ca
2 changed files with 25 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -23,6 +23,9 @@ where `<VERSION>` is the latest released tag or `main`.
| ----- | ------------- | ----------- | | ----- | ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added | | `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_tag` | `3` | Tag of the Docker image to use |
| `image_suffix` | `""` | Used by `semgrep-sast` job only | | `image_suffix` | `""` | Used by `semgrep-sast` job only |
| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | | `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |

50
template.yml
View file

@ -4,23 +4,28 @@ spec:
default: test default: test
image_prefix: image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_tag:
default: 3
image_suffix: image_suffix:
default: "" default: ""
excluded_analyzers: excluded_analyzers:
default: "" default: ""
excluded_paths:
default: "spec, test, tests, tmp"
search_max_depth:
default: 4
run_kubesec_sast: run_kubesec_sast:
default: 'false' default: 'false'
--- ---
.sast-analyzer: .sast-analyzer:
stage: $[[ inputs.stage ]] stage: $[[ inputs.stage ]]
allow_failure: true allow_failure: true
# `rules` must be overridden explicitly by each child job # these variables are used by the analyzer
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444 # TODO: propagate inputs when breaking down into separate components
# E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
variables: variables:
SEARCH_MAX_DEPTH: 4 SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
SCAN_KUBERNETES_MANIFESTS: "false"
script: script:
- /analyzer run - /analyzer run
artifacts: artifacts:
@ -32,8 +37,7 @@ brakeman-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/brakeman:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -49,8 +53,7 @@ flawfinder-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/flawfinder:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -70,8 +73,7 @@ kubesec-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/kubesec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -84,8 +86,7 @@ kubesec-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/mobsf:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/mobsf:$SAST_ANALYZER_IMAGE_TAG"
mobsf-android-sast: mobsf-android-sast:
extends: .mobsf-sast extends: .mobsf-sast
@ -118,8 +119,7 @@ nodejs-scan-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -134,8 +134,7 @@ phpcs-security-audit-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -150,8 +149,7 @@ pmd-apex-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -166,8 +164,7 @@ security-code-scan-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: '3' SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/security-code-scan:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -184,8 +181,7 @@ semgrep-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SEARCH_MAX_DEPTH: 20 SEARCH_MAX_DEPTH: 20
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/semgrep:$SAST_ANALYZER_IMAGE_TAG$[[ inputs.image_suffix ]]"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -211,8 +207,7 @@ sobelow-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/sobelow:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -227,8 +222,7 @@ spotbugs-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$[[ inputs.image_tag ]]"
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
when: never when: never