vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 15:38:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove variable SAST_DISABLED

Browse source
This commit is contained in:
Fabio Pitino 2023-05-03 11:41:24 +01:00
parent c0cc714dce
commit e94915c35f
2 changed files with 10 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

21
README.md
View file

@ -17,6 +17,16 @@ include:
where `<VERSION>` is the latest released tag or `main`. where `<VERSION>` is the latest released tag or `main`.
If you want to leverage the `$SAST_DISABLED` variable to define or not the jobs conditionally use `include:rules`.
Otherwise all SAST jobs will always run when applicable:
```yaml
include:
- component: gitlab.com/gitlab-components/sast@main
rules:
- if: $SAST_DISABLED != "true"
```
### Inputs ### Inputs
| Input | Default value | Description | | Input | Default value | Description |
@ -34,16 +44,5 @@ where `<VERSION>` is the latest released tag or `main`.
| Variable | Default value | Description | | Variable | Default value | Description |
| -------- | ------------- | ----------- | | -------- | ------------- | ----------- |
| `SAST_DISABLED` | not set | Set to `true` to avoid running any SAST jobs |
### ToDos ### ToDos
- Move the use of `SAST_DISABLED` to the `include:`
```yaml
include:
- component: gitlab.com/gitlab-components/sast@main
inputs: { ... }
rules:
- if: $SAST_DISABLED != "true"
```

24
template.yml
View file

@ -37,8 +37,6 @@ brakeman-sast:
image: image:
name: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]" name: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]"
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[ inputs.excluded_analyzers ]" =~ /brakeman/' - if: '"$[ inputs.excluded_analyzers ]" =~ /brakeman/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
@ -51,8 +49,6 @@ flawfinder-sast:
image: image:
name: "$[[ inputs.image_prefix ]]/flawfinder:$[[ inputs.image_tag ]]" name: "$[[ inputs.image_prefix ]]/flawfinder:$[[ inputs.image_tag ]]"
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[ inputs.excluded_analyzes ]" =~ /flawfinder/' - if: '"$[ inputs.excluded_analyzes ]" =~ /flawfinder/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
@ -69,8 +65,6 @@ kubesec-sast:
image: image:
name: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]" name: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]"
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
when: never when: never
- if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"' - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
@ -83,8 +77,6 @@ kubesec-sast:
mobsf-android-sast: mobsf-android-sast:
extends: .mobsf-sast extends: .mobsf-sast
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
@ -96,8 +88,6 @@ mobsf-android-sast:
mobsf-ios-sast: mobsf-ios-sast:
extends: .mobsf-sast extends: .mobsf-sast
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
@ -111,8 +101,6 @@ nodejs-scan-sast:
image: image:
name: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]" name: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]"
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
@ -124,8 +112,6 @@ phpcs-security-audit-sast:
image: image:
name: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]" name: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]"
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
@ -137,8 +123,6 @@ pmd-apex-sast:
image: image:
name: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]" name: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]"
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
@ -150,8 +134,6 @@ security-code-scan-sast:
image: image:
name: "$[[ inputs.image_prefix ]]/security-code-scan:$[[ inputs.image_tag ]]" name: "$[[ inputs.image_prefix ]]/security-code-scan:$[[ inputs.image_tag ]]"
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /security-code-scan/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /security-code-scan/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
@ -166,8 +148,6 @@ semgrep-sast:
variables: variables:
SEARCH_MAX_DEPTH: 20 SEARCH_MAX_DEPTH: 20
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
@ -190,8 +170,6 @@ sobelow-sast:
image: image:
name: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]" name: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]"
rules: rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
@ -209,8 +187,6 @@ spotbugs-sast:
exists: exists:
- '**/AndroidManifest.xml' - '**/AndroidManifest.xml'
when: never when: never
- if: $SAST_DISABLED
when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
- '**/*.groovy' - '**/*.groovy'