Merge branch 'mweston4-main-patch-1618' into 'main'

Allow Use of Pre-Compilation with SpotBugs Analyzer See merge request components/sast!28
2025-06-30 07:28:29 +02:00 · 2025-06-03 20:42:56 +00:00 · 2025-06-03 20:42:56 +00:00 · 9ac9ee74a0
commit 9ac9ee74a0
parent 3f2b327a85 cc19beb6b6
1 changed files with 28 additions and 1 deletions
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -24,9 +24,26 @@ spec:
    ff_glas_enable_php_support:
      default: true
      type: boolean
+    use_precompiled_artifacts:
+      description: Identifies whether pre-compiled artifacts will be provided or if compilation is required.
+      default: false
+      type: boolean
+    sast_dependencies:
+      description: The dependant jobs to wait for before running SAST jobs.
+      default: []
+      type: array
+    runner_tags:
+      description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner
+      default: []
+      type: array
+    sast_java_version:
+      description: The Java version used by the SAST analyzer
+      default: 21
+      type: integer
 ---
 .sast-analyzer:
  stage: $[[ inputs.stage ]]
+  tags: $[[ inputs.runner_tags ]]
  allow_failure: true
  # these variables are used by the analyzer
  # TODO: propagate inputs when breaking down into separate components
@ -35,6 +52,9 @@ spec:
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
    DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
    SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
+    COMPILE: $[[ inputs.use_precompiled_artifacts ]]
+    SAST_JAVA_VERSION: $[[ inputs.sast_java_version | expand_vars ]]
+  dependencies: $[[ inputs.sast_dependencies ]]
  script:
    - /analyzer run
  artifacts:
@ -141,6 +161,9 @@ gitlab-advanced-sast:
      when: never
    - if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/
+      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/
      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
@ -158,6 +181,7 @@ kubesec-sast:
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
      when: never
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"'
    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'

 mobsf-android-sast:
@ -225,6 +249,8 @@ semgrep-sast:
          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
          "$[[ inputs.run_advanced_sast ]]" == "true"'
      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      exists: !reference [.semgrep-exist-rules, exists]
      # Default case - run for all supported files
    - if: $CI_COMMIT_BRANCH
      exists: !reference [.semgrep-exist-rules, exists]
@ -251,6 +277,7 @@ spotbugs-sast:
      exists:
        - '**/AndroidManifest.xml'
      when: never
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.groovy'