From fb90f914d71c14b65a6366f9555c659463cc5023 Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Mon, 14 Apr 2025 17:01:13 -0400 Subject: [PATCH 01/14] Added KICS IaC Scanner to Readme and YAML --- README.md | 3 ++- templates/iac-kics-sast.yml | 47 +++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 templates/iac-kics-sast.yml diff --git a/README.md b/README.md index ca020ac..b1b8143 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,8 @@ keyword. ```yaml include: - - component: gitlab.com/components/sast/sast@ + - component: gitlab.com/components/sast/sast@ # To include SAST Scanning + - component: gitlab.com/components/sast/iac-kics-sast@ # To include IaC Scanning ``` where `` is the latest released tag or `main`. diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml new file mode 100644 index 0000000..d570851 --- /dev/null +++ b/templates/iac-kics-sast.yml 
@@ -0,0 +1,47 @@ +# Component created based on GitLab's IAC SAST Scanning template +# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/ + +spec: + inputs: + stage: + default: test + excluded_paths: + default: "spec, test, tests, tmp" + excluded_analyzers: + default "" + image_prefix: + default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" + image_suffix: + default: "" + search_max_depth: + default: 4 + image_tag: + default: 5 + +--- +iac-sast: + stage: $[[ inputs.stage ]] + artifacts: + access: 'developer' + reports: + sast: gl-sast-report.json + rules: + - when: never + # `rules` must be overridden explicitly by each child job + # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444 + variables: + SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] + allow_failure: true + script: + - /analyzer run + +kics-iac-sast: + extends: iac-sast + image: + name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" + rules: + - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' + when: never + - if: $[[ inputs.excluded_analyzers ]] =~ /kics/ + when: never + - if: $CI_COMMIT_BRANCH From f09ec4e3de85cfe1cd8a0eb6c1ea1b666bdcb10f Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Wed, 14 May 2025 08:36:25 -0400 Subject: [PATCH 02/14] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Julian Thome --- templates/iac-kics-sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml index d570851..ab347cf 100644 --- a/templates/iac-kics-sast.yml +++ b/templates/iac-kics-sast.yml @@ -8,7 +8,7 @@ spec: excluded_paths: default: "spec, test, tests, tmp" excluded_analyzers: - default "" + default: "" image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_suffix: From 7626afb52028e74f561a52f2d2612890a02c2b5a Mon Sep 17 00:00:00 2001 
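Review bot: The `excluded_paths` input declared in `spec.inputs` is never consumed by either job in this new file — `variables:` only sets `SEARCH_MAX_DEPTH`, so setting `excluded_paths` (or relying on its `"spec, test, tests, tmp"` default) has no effect on what kics scans. Wiring it through the variable the analyzers read, `SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]` next to `SEARCH_MAX_DEPTH`, would make the input do what the README table describes. The same omission survives the single-job rewrite in patch 05 and the rename in patch 07, so fixing it once here covers them. A smaller point: `- if: $[[ inputs.excluded_analyzers ]] =~ /kics/` interpolates the raw input into the rule, and with the empty default the expression becomes ` =~ /kics/`; assigning the input to a variable and comparing that, as the neighbouring rule does with `$SAST_DISABLED`, avoids depending on how the rules parser treats a missing left operand.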
From: Rob Jackson Date: Wed, 14 May 2025 08:45:50 -0400 Subject: [PATCH 03/14] image tag to 6 and replacing image prefix/suffix with simple image --- templates/iac-kics-sast.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml index ab347cf..3835b33 100644 --- a/templates/iac-kics-sast.yml +++ b/templates/iac-kics-sast.yml @@ -9,14 +9,12 @@ spec: default: "spec, test, tests, tmp" excluded_analyzers: default: "" - image_prefix: + analyzer_image: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" - image_suffix: - default: "" search_max_depth: default: 4 image_tag: - default: 5 + default: 6 --- iac-sast: @@ -38,7 +36,7 @@ iac-sast: kics-iac-sast: extends: iac-sast image: - name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" + name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]" rules: - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' when: never From 2a492122e246b890b4ec07988800a55acffc4055 Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Tue, 20 May 2025 22:03:35 -0400 Subject: [PATCH 04/14] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Adam Cohen --- templates/iac-kics-sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml index 3835b33..a07a2a8 100644 --- a/templates/iac-kics-sast.yml +++ b/templates/iac-kics-sast.yml @@ -9,7 +9,7 @@ spec: default: "spec, test, tests, tmp" excluded_analyzers: default: "" - analyzer_image: + image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" search_max_depth: default: 4 From cf87e0da3836769907be5418e450652f382849a7 Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Tue, 20 May 2025 22:04:22 -0400 Subject: [PATCH 05/14] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Adam Cohen --- templates/iac-kics-sast.yml | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) 
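Review bot: Renaming the spec key back to `image_prefix` in this hunk leaves the job's `image: name:` still interpolating `$[[ inputs.analyzer_image ]]` (introduced by the previous commit on this line and only rewritten in the next), so at this commit the template references an input the spec no longer declares. Keeping a spec key and its single use in the same commit keeps every revision of the template loadable, which matters for bisecting a component that other projects include by tag. The earlier commit here also dropped the `image_suffix` input while the README still documents it; patch 06 re-adds it, so the two could be squashed.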
diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml index a07a2a8..45302c6 100644 --- a/templates/iac-kics-sast.yml +++ b/templates/iac-kics-sast.yml @@ -17,26 +17,19 @@ spec: default: 6 --- -iac-sast: +kics-iac-sast: stage: $[[ inputs.stage ]] + image: + name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" + variables: + SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] + script: + - /analyzer run artifacts: access: 'developer' reports: sast: gl-sast-report.json - rules: - - when: never - # `rules` must be overridden explicitly by each child job - # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444 - variables: - SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] allow_failure: true - script: - - /analyzer run - -kics-iac-sast: - extends: iac-sast - image: - name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]" rules: - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' when: never From 40ec68512df97291991e97e5dcf304accb78387f Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Tue, 20 May 2025 22:10:19 -0400 Subject: [PATCH 06/14] adding image suffix to keep inputs whole --- templates/iac-kics-sast.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml index 45302c6..ff6e530 100644 --- a/templates/iac-kics-sast.yml +++ b/templates/iac-kics-sast.yml @@ -11,6 +11,8 @@ spec: default: "" image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" + image_suffix: + dafault: "" search_max_depth: default: 4 image_tag: From f1b9a6d963f970d5332ce745805d24229dee66af Mon Sep 17 00:00:00 2001 
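Review bot: `dafault: ""` under the re-added `image_suffix` input is a typo for `default`, and nothing later in the series corrects it — patch 07 renames the file and carries it into `templates/iac-sast.yml`. GitLab validates the keys of a `spec.inputs` entry, so the include most likely fails on the unknown key; if it were accepted, `image_suffix` would have no default and become a required input, even though the job's `image: name:` (restored in the preceding commit on this line) interpolates it. The fix is the one-token change `default: ""`. That preceding commit's `image: name:` also already interpolated `$[[ inputs.image_suffix ]]` before this commit declared the input, so the two belong in one commit.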
From: Rob Jackson Date: Mon, 26 May 2025 12:05:24 -0400 Subject: [PATCH 07/14] renamed iac-sast file, removed disabled flag. Added more description in readme and adjusted table for SAST and IaC --- README.md | 34 ++++++++++--------- templates/{iac-kics-sast.yml => iac-sast.yml} | 2 -- 2 files changed, 18 insertions(+), 18 deletions(-) rename templates/{iac-kics-sast.yml => iac-sast.yml} (93%) diff --git a/README.md b/README.md index b1b8143..994a4ef 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,11 @@ # SAST (Static Application Security Testing) -Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/ +This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). + +More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). + +More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). -Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). -List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables ## Usage @@ -13,7 +15,7 @@ keyword. ```yaml include: - component: gitlab.com/components/sast/sast@ # To include SAST Scanning - - component: gitlab.com/components/sast/iac-kics-sast@ # To include IaC Scanning + - component: gitlab.com/components/sast/iac-sast@ # To include IaC Scanning ``` where `` is the latest released tag or `main`. 
@@ -35,18 +37,18 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit ### Inputs -| Input | Default value | Description | -| ----- | ------------- | ----------- | -| `stage` | `test` | The stage where you want the job to be added | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | -| `image_tag` | `4` | Tag of the Docker image to use | -| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | -| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | -| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] -| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | +| Input | Default value | Description | SAST | IaC | +| ----- | ------------- | ----------- | ---- | --- | +| `stage` | `test` | The stage where you want the job to be added | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `image_tag` | `4` | Tag of the Docker image to use | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `image_suffix` | 
`""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes, no FIPS support for IaC | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | +| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | ## Contribute diff --git a/templates/iac-kics-sast.yml b/templates/iac-sast.yml similarity index 93% rename from templates/iac-kics-sast.yml rename to templates/iac-sast.yml index ff6e530..d657763 100644 --- a/templates/iac-kics-sast.yml +++ b/templates/iac-sast.yml 
@@ -33,8 +33,6 @@ kics-iac-sast: sast: gl-sast-report.json allow_failure: true rules: - - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' - when: never - if: $[[ inputs.excluded_analyzers ]] =~ /kics/ when: never - if: $CI_COMMIT_BRANCH From fc17b60e0ec5023a7a6e062fc422e2ee729bd5fa Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Mon, 26 May 2025 12:50:52 -0400 Subject: [PATCH 08/14] fixing checkboxes in table --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 994a4ef..34dd66a 100644 --- a/README.md +++ b/README.md 
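Review bot: Removing the `$SAST_DISABLED == 'true' || $SAST_DISABLED == '1'` rule means `SAST_DISABLED` no longer stops `kics-iac-sast`, yet the README edited in this same commit still says the configuration "assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml`" and presents IaC alongside SAST, so users who set that kill switch will get an IaC scan they expected to be off. Either keep the rule or add a sentence to the IaC section stating that `SAST_DISABLED` does not affect this component. The remaining `- if: $[[ inputs.excluded_analyzers ]] =~ /kics/` rule also conflicts with the README table in this commit, which marks `excluded_analyzers` as not applicable to IaC while the spec still declares it and the job still honours it; drop one or align the other. The `kics-iac-sast` job begins before this hunk.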
@@ -39,16 +39,16 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | Input | Default value | Description | SAST | IaC | | ----- | ------------- | ----------- | ---- | --- | -| `stage` | `test` | The stage where you want the job to be added | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | -| `image_tag` | `4` | Tag of the Docker image to use | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | -| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes, no FIPS support for IaC | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | -| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes | -| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | -| `include_experimental` | `"false"` | Set 
it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No | +| `stage` | `test` | The stage where you want the job to be added | :heavy_check_mark: Yes | :heavy_check_mark: Yes | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :heavy_check_mark: Yes | :heavy_check_mark: Yes | +| `image_tag` | `4` | Tag of the Docker image to use | :heavy_check_mark: Yes | :heavy_check_mark: Yes | +| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :heavy_check_mark: Yes | :heavy_check_mark: Yes, no FIPS support for IaC | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :heavy_check_mark: Yes | :white_check_mark: No | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :heavy_check_mark: Yes | :heavy_check_mark: Yes | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :heavy_check_mark: Yes | :heavy_check_mark: Yes | +| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :heavy_check_mark: Yes | :white_check_mark: No | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :heavy_check_mark: Yes | :white_check_mark: No | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :heavy_check_mark: Yes | :white_check_mark: No | ## Contribute 
From 77c1b8212839a67b14a20530f6946bdc642b8eea Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Mon, 26 May 2025 12:53:30 -0400 Subject: [PATCH 09/14] another table format --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 34dd66a..3a1feb7 100644 --- a/README.md +++ b/README.md 
@@ -39,16 +39,16 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | Input | Default value | Description | SAST | IaC | | ----- | ------------- | ----------- | ---- | --- | -| `stage` | `test` | The stage where you want the job to be added | :heavy_check_mark: Yes | :heavy_check_mark: Yes | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :heavy_check_mark: Yes | :heavy_check_mark: Yes | -| `image_tag` | `4` | Tag of the Docker image to use | :heavy_check_mark: Yes | :heavy_check_mark: Yes | -| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :heavy_check_mark: Yes | :heavy_check_mark: Yes, no FIPS support for IaC | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :heavy_check_mark: Yes | :white_check_mark: No | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :heavy_check_mark: Yes | :heavy_check_mark: Yes | -| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :heavy_check_mark: Yes | :heavy_check_mark: Yes | -| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :heavy_check_mark: Yes | :white_check_mark: No | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :heavy_check_mark: Yes | :white_check_mark: No | -| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :heavy_check_mark: Yes | :white_check_mark: No | +| `stage` | `test` | The stage where you want the job to be added | 
:white_check_mark: Yes | :white_check_mark: Yes | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :white_check_mark: Yes | :white_check_mark: Yes | +| `image_tag` | `4` | Tag of the Docker image to use | :white_check_mark: Yes | :white_check_mark: Yes | +| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :white_check_mark: Yes | :white_check_mark: Yes, no FIPS support for IaC | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :white_check_mark: Yes | :x: No | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark:Yes | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :white_check_mark: Yes | :white_check_mark: Yes | +| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :white_check_mark: Yes | :x: No | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :white_check_mark: Yes | :x: No | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :white_check_mark: Yes | :x: No | ## Contribute From 81caeb7959d0ff238df68ea3f4c36cbab8b44f1f Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Mon, 26 May 2025 12:54:10 -0400 Subject: [PATCH 10/14] fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3a1feb7..f49a247 100644 --- a/README.md +++ b/README.md 
@@ -44,7 +44,7 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | `image_tag` | `4` | Tag of the Docker image to use | :white_check_mark: Yes | :white_check_mark: Yes | | `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :white_check_mark: Yes | :white_check_mark: Yes, no FIPS support for IaC | | `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :white_check_mark: Yes | :x: No | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark:Yes | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark: Yes | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :white_check_mark: Yes | :white_check_mark: Yes | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :white_check_mark: Yes | :x: No | | `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :white_check_mark: Yes | :x: No | From ef1a1d6cd5ece26b23a41cc79a50c786dd62d2cb Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Tue, 27 May 2025 22:55:51 -0400 Subject: [PATCH 11/14] component separation --- README.md | 74 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 55 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index f49a247..9743638 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,17 @@ -# SAST (Static Application Security Testing) -This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). +This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. + +[[_TOC_]] + +## Static Application Security Testing (SAST) + +### Documentation References + +Configuration for SAST can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). -More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). - - -## Usage +### Usage You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` keyword. @@ -15,7 +19,6 @@ keyword. ```yaml include: - component: gitlab.com/components/sast/sast@ # To include SAST Scanning - - component: gitlab.com/components/sast/iac-sast@ # To include IaC Scanning ``` where `` is the latest released tag or `main`. 
@@ -37,18 +40,51 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit ### Inputs -| Input | Default value | Description | SAST | IaC | -| ----- | ------------- | ----------- | ---- | --- | -| `stage` | `test` | The stage where you want the job to be added | :white_check_mark: Yes | :white_check_mark: Yes | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :white_check_mark: Yes | :white_check_mark: Yes | -| `image_tag` | `4` | Tag of the Docker image to use | :white_check_mark: Yes | :white_check_mark: Yes | -| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :white_check_mark: Yes | :white_check_mark: Yes, no FIPS support for IaC | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :white_check_mark: Yes | :x: No | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark: Yes | -| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :white_check_mark: Yes | :white_check_mark: Yes | -| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :white_check_mark: Yes | :x: No | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :white_check_mark: Yes | :x: No | -| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :white_check_mark: Yes | :x: No | +| Input | Default value | Description | +| ----- | ------------- | ----------- | +| `stage` | `test` | The stage where 
you want the job to be added | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | +| `image_tag` | `4` | Tag of the Docker image to use | +| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | +| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | + +## Infrastructure as Code (IaC) Scanning + +### Documentation References + +Configuration for IaC scanning can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). + +More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). + +### Usage + +You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` +keyword. + +```yaml +include: + - component: gitlab.com/components/sast/kics-iac-sast@ # To include IaC Scanning +``` + +where `` is the latest released tag or `main`. 
+ +### Inputs + +| Input | Default value | Description | +| ----- | ------------- | ----------- | +| `stage` | `test` | The stage where you want the job to be added | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | +| `image_tag` | `4` | Tag of the Docker image to use | +| `image_suffix` | `""` | Suffix added to image. | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | + + ## Contribute From 5ee8b4583a8db1ecefe34f4d966fe740c916bd6b Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Wed, 28 May 2025 07:59:28 -0400 Subject: [PATCH 12/14] incorporating suggestions for markdown links and nomenclature. --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9743638..701de67 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. +This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code scanning. [[_TOC_]] 
@@ -7,9 +7,9 @@ This project provides componnets for the use of Static Application Security Test ### Documentation References -Configuration for SAST can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). +Configuration for SAST can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). -More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). +More information about GitLab SAST is available within [GitLab documentation](https://docs.gitlab.com/ee/user/application_security/sast/), along with the [available variables](https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). ### Usage From 04681f8725a31abd256d9a9e063f877568f0fe08 Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Wed, 28 May 2025 08:02:21 -0400 Subject: [PATCH 13/14] additional markdown and cleanup --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 701de67..337eb89 100644 --- a/README.md +++ b/README.md 
@@ -57,9 +57,9 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit ### Documentation References -Configuration for IaC scanning can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). +Configuration for IaC scanning can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). -More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). +More information about GitLab Infrastructure as Code scanning is available within [GitLab documentation](https://docs.gitlab.com/user/application_security/iac_scanning/). ### Usage @@ -68,7 +68,7 @@ keyword. ```yaml include: - - component: gitlab.com/components/sast/kics-iac-sast@ # To include IaC Scanning + - component: gitlab.com/components/sast/iac-sast@ # To include IaC Scanning ``` where `` is the latest released tag or `main`. @@ -79,7 +79,7 @@ where `` is the latest released tag or `main`. | ----- | ------------- | ----------- | | `stage` | `test` | The stage where you want the job to be added | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | -| `image_tag` | `4` | Tag of the Docker image to use | +| `image_tag` | `6` | Tag of the Docker image to use | | `image_suffix` | `""` | Suffix added to image. | | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | From 32b811c5ad1e898df31aa949a8fc3994ded5b5ec Mon Sep 17 00:00:00 2001 
From: Rob Jackson Date: Wed, 28 May 2025 08:31:14 -0400 Subject: [PATCH 14/14] cleanup --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 337eb89..c6a0302 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ keyword. ```yaml include: - - component: gitlab.com/components/sast/sast@ # To include SAST Scanning + - component: gitlab.com/components/sast/sast@ ``` where `` is the latest released tag or `main`. @@ -68,7 +68,7 @@ keyword. ```yaml include: - - component: gitlab.com/components/sast/iac-sast@ # To include IaC Scanning + - component: gitlab.com/components/sast/iac-sast@ ``` where `` is the latest released tag or `main`. @@ -84,8 +84,6 @@ where `` is the latest released tag or `main`. | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | - - ## Contribute Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components