vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 15:38:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Replace excluded analyzers var with input

Browse source
This commit is contained in:
Fabio Pitino 2023-05-03 10:42:29 +01:00
parent 38164ad9f1
commit 8956444fcb
2 changed files with 15 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -24,3 +24,4 @@ where `<VERSION>` is the latest released tag or `main`.
| `stage` | `test` | The stage where you want the job to be added | | `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_suffix` | `""` | Used by `semgrep-sast` job only | | `image_suffix` | `""` | Used by `semgrep-sast` job only |
| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |

27
template.yml
View file

@ -6,6 +6,8 @@ spec:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_suffix: image_suffix:
default: "" default: ""
excluded_analyzers:
default: ""
--- ---
.sast-analyzer: .sast-analyzer:
@ -15,7 +17,6 @@ spec:
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444 # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
variables: variables:
SEARCH_MAX_DEPTH: 4 SEARCH_MAX_DEPTH: 4
SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SCAN_KUBERNETES_MANIFESTS: "false" SCAN_KUBERNETES_MANIFESTS: "false"
script: script:
@ -34,7 +35,7 @@ brakeman-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/ - if: '"$[ inputs.excluded_analyzers ]" =~ /brakeman/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
@ -51,7 +52,7 @@ flawfinder-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/ - if: '"$[ inputs.excluded_analyzes ]" =~ /flawfinder/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
@ -72,7 +73,7 @@ kubesec-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SCAN_KUBERNETES_MANIFESTS == 'true' $SCAN_KUBERNETES_MANIFESTS == 'true'
@ -90,7 +91,7 @@ mobsf-android-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true' $SAST_EXPERIMENTAL_FEATURES == 'true'
@ -103,7 +104,7 @@ mobsf-ios-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true' $SAST_EXPERIMENTAL_FEATURES == 'true'
@ -121,7 +122,7 @@ nodejs-scan-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
@ -137,7 +138,7 @@ phpcs-security-audit-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
@ -153,7 +154,7 @@ pmd-apex-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
@ -169,7 +170,7 @@ security-code-scan-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /security-code-scan/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
@ -187,7 +188,7 @@ semgrep-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
@ -214,7 +215,7 @@ sobelow-sast:
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
@ -228,7 +229,7 @@ spotbugs-sast:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
when: never when: never
- if: $SAST_EXPERIMENTAL_FEATURES == 'true' - if: $SAST_EXPERIMENTAL_FEATURES == 'true'
exists: exists: