diff --git a/README.md b/README.md
index 3bfb335..8b2ff68 100644
--- a/README.md
+++ b/README.md
@@ -24,3 +24,4 @@ where `` is the latest released tag or `main`.
| `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_suffix` | `""` | Used by `semgrep-sast` job only |
+| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
diff --git a/template.yml b/template.yml
index 8d22202..ab80d48 100644
--- a/template.yml
+++ b/template.yml
@@ -6,6 +6,8 @@ spec:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_suffix:
default: ""
+ excluded_analyzers:
+ default: ""
---
.sast-analyzer:
@@ -15,7 +17,6 @@ spec:
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
variables:
SEARCH_MAX_DEPTH: 4
- SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SCAN_KUBERNETES_MANIFESTS: "false"
script:
@@ -34,7 +35,7 @@ brakeman-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
+ - if: '"$[ inputs.excluded_analyzers ]" =~ /brakeman/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
@@ -51,7 +52,7 @@ flawfinder-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
+ - if: '"$[ inputs.excluded_analyzes ]" =~ /flawfinder/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
@@ -72,7 +73,7 @@ kubesec-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
when: never
- if: $CI_COMMIT_BRANCH &&
$SCAN_KUBERNETES_MANIFESTS == 'true'
@@ -90,7 +91,7 @@ mobsf-android-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
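Review bot: The new `excluded_analyzers` input in the `spec:` hunk has no `description:`, so anyone including the template only learns its meaning from the README row; add `description: "Comma-separated list of SAST analyzers whose jobs must not run (matched by substring, so mobsf disables both mobsf jobs)"` next to `default: ""`. The value is interpolated verbatim into a quoted `rules:if` expression in the job hunks, so a stray `"` in it breaks the expression at pipeline-creation time; if the GitLab release in use supports `regex:` on string inputs, a constraint such as `regex: ^[a-z0-9,-]*$` would reject that early. The enclosing `spec:` block starts before this hunk.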
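Review bot: Dropping `SAST_EXCLUDED_ANALYZERS: ""` from the shared `variables:` of `.sast-analyzer` silently retires that variable: the per-job rules rewritten elsewhere in this commit now test only the input, so a project or group CI/CD variable `SAST_EXCLUDED_ANALYZERS` that used to disable an analyzer no longer does, with no warning. If that is intended, say so in the README and leave a comment where the line was, e.g. `# SAST_EXCLUDED_ANALYZERS is no longer read; use the excluded_analyzers input instead`; if not, keep a `- if: $SAST_EXCLUDED_ANALYZERS =~ /<analyzer>/` rule alongside the input-based one in each job. The `.sast-analyzer` definition begins before this hunk and continues after it.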
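Review bot: The added rule in `brakeman-sast` uses single brackets, `$[ inputs.excluded_analyzers ]`, which is not the `$[[ ... ]]` input-interpolation form the kubesec and later hunks use; the text stays literal, `"$[ inputs.excluded_analyzers ]" =~ /brakeman/` is always false, and brakeman can never be excluded. Change the line to `- if: '"$[[ inputs.excluded_analyzers ]]" =~ /brakeman/'`. The `brakeman-sast` job starts before this hunk and its `exists:` list continues after it.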
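Review bot: The added rule in `flawfinder-sast` misspells the input as `inputs.excluded_analyzes` and also uses single brackets instead of `$[[ ... ]]`, so no interpolation happens, the literal string is compared against /flawfinder/, and the exclusion silently never applies; with the correct brackets the typo would presumably be rejected at pipeline creation instead, since the spec declares only `excluded_analyzers`. Change the line to `- if: '"$[[ inputs.excluded_analyzers ]]" =~ /flawfinder/'`. The `flawfinder-sast` job starts before this hunk and continues after it.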
@@ -103,7 +104,7 @@ mobsf-ios-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
@@ -121,7 +122,7 @@ nodejs-scan-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
@@ -137,7 +138,7 @@ phpcs-security-audit-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
@@ -153,7 +154,7 @@ pmd-apex-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
@@ -169,7 +170,7 @@ security-code-scan-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /security-code-scan/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
@@ -187,7 +188,7 @@ semgrep-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
@@ -214,7 +215,7 @@ sobelow-sast:
rules:
- if: $SAST_DISABLED
when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
@@ -228,7 +229,7 @@ spotbugs-sast:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules:
- - if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
when: never
- if: $SAST_EXPERIMENTAL_FEATURES == 'true'
exists: