vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 15:38:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'iac-kics-sast' into 'main'

Browse source 
Added KICS IaC Scanner

See merge request components/sast!23
This commit is contained in:
Rob Jackson 2025-05-28 08:31:20 -04:00
commit 80aeead68f
2 changed files with 88 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

49
README.md
View file

@ -1,11 +1,17 @@
# SAST (Static Application Security Testing)
Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/ This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code scanning.
Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). [[_TOC_]]
List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables
## Usage ## Static Application Security Testing (SAST)
### Documentation References
Configuration for SAST can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/).
More information about GitLab SAST is available within [GitLab documentation](https://docs.gitlab.com/ee/user/application_security/sast/), along with the [available variables](https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
### Usage
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword. keyword.
@ -44,9 +50,40 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] | `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) |
## Infrastructure as Code (IaC) Scanning
### Documentation References
Configuration for IaC scanning can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/).
More information about GitLab Infrastructure as Code scanning is available within [GitLab documentation](https://docs.gitlab.com/user/application_security/iac_scanning/).
### Usage
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword.
```yaml
include:
- component: gitlab.com/components/sast/iac-sast@<VERSION>
```
where `<VERSION>` is the latest released tag or `main`.
### Inputs
| Input | Default value | Description |
| ----- | ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_tag` | `6` | Tag of the Docker image to use |
| `image_suffix` | `""` | Suffix added to image. |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
## Contribute ## Contribute
Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components

38
templates/iac-sast.yml Normal file
View file

@ -0,0 +1,38 @@
# Component created based on GitLab's IAC SAST Scanning template
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
spec:
inputs:
stage:
default: test
excluded_paths:
default: "spec, test, tests, tmp"
excluded_analyzers:
default: ""
image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_suffix:
dafault: ""
search_max_depth:
default: 4
image_tag:
default: 6
---
kics-iac-sast:
stage: $[[ inputs.stage ]]
image:
name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
variables:
SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
script:
- /analyzer run
artifacts:
access: 'developer'
reports:
sast: gl-sast-report.json
allow_failure: true
rules:
- if: $[[ inputs.excluded_analyzers ]] =~ /kics/
when: never
- if: $CI_COMMIT_BRANCH