From c06a78445cb21ecd046aa4bf14024d21818f05fc Mon Sep 17 00:00:00 2001 From: Melissa Beldman Date: Tue, 3 Jun 2025 16:25:47 +0000 Subject: [PATCH] Update file sast.yml --- templates/sast.yml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index 64e7743..850aeb0 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -21,6 +21,9 @@ spec: type: boolean include_experimental: default: 'false' + enable_mr_pipelines: + default: false + type: boolean ff_glas_enable_php_support: default: true type: boolean @@ -122,6 +125,10 @@ spec: - '**/application*.yaml' - '**/bootstrap*.yaml' +.pmd-apex-exist-rules: + exists: + - '**/*.cls' + gitlab-advanced-sast: extends: .sast-analyzer image: @@ -179,9 +186,23 @@ pmd-apex-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/' when: never + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. + - if: '$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event"' + exists: !reference [.pmd-apex-exist-rules, exists] + + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' + when: never + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH - exists: - - '**/*.cls' + exists: !reference [.pmd-apex-exist-rules, exists] security-code-scan-sast: extends: .sast-analyzer
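Review bot: The new `enable_mr_pipelines` input in the `spec:inputs` hunk has no `description:`, so consumers of this component see a bare boolean and must read the `pmd-apex-sast` rules to learn that it moves the scan from branch pipelines to merge request pipelines when an open MR exists. A one-line `description: 'Run the analyzer in merge request pipelines instead of branch pipelines when an open MR exists'` under `enable_mr_pipelines:` would document the switch where it is declared. Note also that the neighbouring `include_experimental` input defaults to the quoted string `'false'` while this one defaults to the bare boolean `false`; the consuming rules compare `"$[[ inputs.enable_mr_pipelines ]]" == "true"` as a string, so either form should work, but matching the sibling's style keeps the spec consistent.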
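Review bot: Rule 1's `if:` in the `pmd-apex-sast` hunk is missing the opening double quote before `$[[ inputs.enable_mr_pipelines ]]`, whereas rule 2 has it; after input interpolation rule 1 reads `false" == "true" && $CI_PIPELINE_SOURCE == "merge_request_event"`, which is most likely rejected as an invalid `rules:if` expression for every project that includes this template, independent of the input's value, and if it somehow parses the MR-pipeline path will never match and the Apex scan is skipped on merge requests. The line should be `- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&`. Because this rule decides whether the SAST job gates merge requests at all, it deserves a rendered-config check (e.g. the CI lint or pipeline editor) with the input set to both `true` and `false` before merge. The first comment line also has a typo: `in a an *MR pipeline*` should read `in an *MR pipeline*`.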