Merge branch 'iac-kics-sast' into 'main'

Added KICS IaC Scanner See merge request components/sast!23
2025-06-30 07:28:29 +02:00 · 2025-05-28 22:44:48 +10:00 · 2025-05-28 22:44:48 +10:00 · 8c3e0d154d
commit 8c3e0d154d
parent 5758da0696 ab29b14503
2 changed files with 88 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -1,11 +1,17 @@
-# SAST (Static Application Security Testing)

-Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
+This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code scanning. 

-Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
-List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables
+[[_TOC_]]

-## Usage
+## Static Application Security Testing (SAST)
+
+### Documentation References
+
+Configuration for SAST can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). 
+
+More information about GitLab SAST is available within [GitLab documentation](https://docs.gitlab.com/ee/user/application_security/sast/), along with the [available variables](https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
+
+### Usage

 You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
 keyword.
@ -44,9 +50,40 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
 | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | 
 | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
 | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  |
-| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ]
+| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | 
 | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | 

+## Infrastructure as Code (IaC) Scanning
+
+### Documentation References
+
+Configuration for IaC scanning can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). 
+
+More information about GitLab Infrastructure as Code scanning is available within [GitLab documentation](https://docs.gitlab.com/user/application_security/iac_scanning/). 
+
+### Usage
+
+You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
+keyword.
+
+```yaml
+include:
+  - component: gitlab.com/components/sast/iac-sast@<VERSION>
+```
+
+where `<VERSION>` is the latest released tag or `main`.
+
+### Inputs
+
+| Input | Default value | Description |
+| ----- | ------------- | ----------- | 
+| `stage` | `test`      | The stage where you want the job to be added | 
+| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | 
+| `image_tag` | `6` | Tag of the Docker image to use | 
+| `image_suffix` | `""` | Suffix added to image. |
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
+| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
+
 ## Contribute

 Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components 
--- a/templates/iac-sast.yml
+++ b/templates/iac-sast.yml
@ -0,0 +1,38 @@
+# Component created based on GitLab's IAC SAST Scanning template
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
+
+spec:
+    inputs:
+        stage:
+            default: test
+        excluded_paths:
+            default: "spec, test, tests, tmp"
+        excluded_analyzers:
+            default: ""
+        image_prefix:
+            default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
+        image_suffix:
+            dafault: ""
+        search_max_depth:
+            default: 4
+        image_tag:
+            default: 6
+
+---
+kics-iac-sast:
+  stage: $[[ inputs.stage ]]
+  image:
+    name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
+  variables:
+    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
+  script:
+    - /analyzer run
+  artifacts:
+    access: 'developer'
+    reports:
+      sast: gl-sast-report.json
+  allow_failure: true
+  rules:
+    - if: $[[ inputs.excluded_analyzers ]] =~ /kics/
+      when: never
+    - if: $CI_COMMIT_BRANCH