Migrate to new components directory structure

2025-06-30 07:28:29 +02:00 · 2023-11-07 12:32:34 +00:00 · 2023-11-07 12:32:34 +00:00 · c122fdb255
commit c122fdb255
parent 9476570e75
3 changed files with 3 additions and 3 deletions
--- a/templates/all-jobs.yml
+++ b/templates/all-jobs.yml
@ -0,0 +1,194 @@
+spec:
+  inputs:
+    stage:
+      default: test
+    image_prefix:
+      default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
+    image_tag:
+      default: '4'
+    image_suffix:
+      default: ""
+    excluded_analyzers:
+      default: ""
+    excluded_paths:
+      default: "spec, test, tests, tmp"
+    search_max_depth:
+      default: '4'
+    run_kubesec_sast:
+      default: 'false'
+    include_experimental:
+      default: 'false'
+---
+.sast-analyzer:
+  stage: $[[ inputs.stage ]]
+  allow_failure: true
+  # these variables are used by the analyzer
+  # TODO: propagate inputs when breaking down into separate components
+  # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
+  variables:
+    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
+    SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
+  script:
+    - /analyzer run
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+
+brakeman-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /brakeman/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/*.rb'
+        - '**/Gemfile'
+
+flawfinder-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/flawfinder:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /flawfinder/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/*.c'
+        - '**/*.cc'
+        - '**/*.cpp'
+        - '**/*.c++'
+        - '**/*.cp'
+        - '**/*.cxx'
+
+kubesec-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
+      when: never
+    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
+
+.mobsf-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/mobsf:$[[ inputs.image_tag ]]"
+
+mobsf-android-sast:
+  extends: .mobsf-sast
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
+      when: never
+    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"'
+      exists:
+        - '**/*.apk'
+        - '**/AndroidManifest.xml'
+
+mobsf-ios-sast:
+  extends: .mobsf-sast
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
+      when: never
+    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"'
+      exists:
+        - '**/*.ipa'
+        - '**/*.xcodeproj/*'
+
+nodejs-scan-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/package.json'
+
+phpcs-security-audit-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/*.php'
+
+pmd-apex-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/*.cls'
+
+security-code-scan-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/security-code-scan:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /security-code-scan/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/*.csproj'
+        - '**/*.vbproj'
+
+semgrep-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
+  variables:
+    SEARCH_MAX_DEPTH: 20
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/*.py'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.ts'
+        - '**/*.tsx'
+        - '**/*.c'
+        - '**/*.go'
+        - '**/*.java'
+        - '**/*.cs'
+        - '**/*.html'
+        - '**/*.scala'
+        - '**/*.sc'
+
+sobelow-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/mix.exs'
+
+spotbugs-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/spotbugs:$[[ inputs.image_tag ]]"
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
+      when: never
+    - if: '"$[[ inputs.include_experimental ]]" == "true"'
+      exists:
+        - '**/AndroidManifest.xml'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - '**/*.groovy'
+        - '**/*.scala'
+        - '**/*.kt'