diff --git a/templates/sast.yml b/templates/sast.yml index 64e7743..ff0a562 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -24,6 +24,9 @@ spec: ff_glas_enable_php_support: default: true type: boolean + enable_mr_pipelines: + default: true + type: boolean --- .sast-analyzer: stage: $[[ inputs.stage ]] @@ -141,10 +144,26 @@ gitlab-advanced-sast: when: never - if: '"$[[ inputs.run_advanced_sast ]]" != "true"' when: never + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event" && + $GITLAB_FEATURES =~ /\bsast_advanced\b/' + exists: !reference [.gitlab-advanced-sast-exist-rules, exists] + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' + when: never + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ exists: !reference [.gitlab-advanced-sast-exist-rules, exists] + brakeman-sast: extends: .deprecated-16.8 @@ -158,7 +177,23 @@ kubesec-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/' when: never - - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"' + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event" && + "$[[ inputs.run_kubesec_sast ]]" == "true"' + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' + when: never + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). + - if: '$CI_COMMIT_BRANCH && + "$[[ inputs.run_kubesec_sast ]]" == "true"' + mobsf-android-sast: extends: .deprecated-16.8 @@ -172,6 +207,10 @@ nodejs-scan-sast: phpcs-security-audit-sast: extends: .deprecated-16.8 +.pmd-apex-exist-rules: + exists: + - '**/*.cls' + pmd-apex-sast: extends: .sast-analyzer image: @@ -179,9 +218,23 @@ pmd-apex-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/' when: never + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event"' + exists: !reference [.pmd-apex-exist-rules, exists] + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' + when: never + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH - exists: - - '**/*.cls' + exists: !reference [.pmd-apex-exist-rules, exists] + security-code-scan-sast: extends: .sast-analyzer @@ -201,6 +254,49 @@ semgrep-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' when: never + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. + # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event" && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" == "true" && + "$[[ inputs.ff_glas_enable_php_support ]]" == "true"' + variables: + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php" + exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists] + # When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event" && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" == "true" && + "$[[ inputs.ff_glas_enable_php_support ]]" != "true"' #TODO: Shouldnt this be disabled? + variables: + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" + exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists] + # Fallback when advanced SAST covers everything + - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" == "true"' + when: never + # Default case - run for all supported files + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event"' + exists: !reference [.semgrep-exist-rules, exists] + + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' + when: never + + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast - if: '$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ && @@ -229,6 +325,10 @@ semgrep-sast: - if: $CI_COMMIT_BRANCH exists: !reference [.semgrep-exist-rules, exists] +.sobelow-exist-rules: + exists: + - '**/mix.exs' + sobelow-sast: extends: .sast-analyzer image: @@ -236,9 +336,27 @@ sobelow-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/' when: never + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event"' + exists: !reference [.sobelow-exist-rules, exists] + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' + when: never + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH - exists: - - '**/mix.exs' + exists: !reference [.sobelow-exist-rules, exists] + + +.spotbugs-exist-rules: + exists: + - '**/*.groovy' spotbugs-sast: extends: .sast-analyzer @@ -250,7 +368,20 @@ spotbugs-sast: - if: '"$[[ inputs.include_experimental ]]" == "true"' exists: - '**/AndroidManifest.xml' + when: never # TODO: Should this be never? + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event"' + exists: !reference [.spotbugs-exist-rules, exists] + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' when: never + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH - exists: - - '**/*.groovy' + exists: !reference [.spotbugs-exist-rules, exists]