From ef1a1d6cd5ece26b23a41cc79a50c786dd62d2cb Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Tue, 27 May 2025 22:55:51 -0400 Subject: [PATCH] component separation --- README.md | 74 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 55 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index f49a247..9743638 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,17 @@ -# SAST (Static Application Security Testing) -This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). +This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. + +[[_TOC_]] + +## Static Application Security Testing (SAST) + +### Documentation References + +Configuration for SAST can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). -More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). - - -## Usage +### Usage You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` keyword. 
@@ -15,7 +19,6 @@ keyword. ```yaml include: - component: gitlab.com/components/sast/sast@ # To include SAST Scanning - - component: gitlab.com/components/sast/iac-sast@ # To include IaC Scanning ``` where `` is the latest released tag or `main`. 
@@ -37,18 +40,51 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit ### Inputs -| Input | Default value | Description | SAST | IaC | -| ----- | ------------- | ----------- | ---- | --- | -| `stage` | `test` | The stage where you want the job to be added | :white_check_mark: Yes | :white_check_mark: Yes | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :white_check_mark: Yes | :white_check_mark: Yes | -| `image_tag` | `4` | Tag of the Docker image to use | :white_check_mark: Yes | :white_check_mark: Yes | -| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :white_check_mark: Yes | :white_check_mark: Yes, no FIPS support for IaC | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :white_check_mark: Yes | :x: No | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark: Yes | -| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :white_check_mark: Yes | :white_check_mark: Yes | -| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :white_check_mark: Yes | :x: No | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :white_check_mark: Yes | :x: No | -| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :white_check_mark: Yes | :x: No | +| Input | Default value | Description | +| ----- | ------------- | ----------- | +| `stage` | `test` | The stage where 
you want the job to be added | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | +| `image_tag` | `4` | Tag of the Docker image to use | +| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | +| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | + +## Infrastructure as Code (IaC) Scanning + +### Documentation References + +Configuration for IaC scanning can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). + +More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). + +### Usage + +You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` +keyword. + +```yaml +include: + - component: gitlab.com/components/sast/kics-iac-sast@ # To include IaC Scanning +``` + +where `` is the latest released tag or `main`. 
+ +### Inputs + +| Input | Default value | Description | +| ----- | ------------- | ----------- | +| `stage` | `test` | The stage where you want the job to be added | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | +| `image_tag` | `4` | Tag of the Docker image to use | +| `image_suffix` | `""` | Suffix added to image. | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | + + ## Contribute
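Review bot: in the first hunk (`@@ -1,13 +1,17 @@`) the spelling error "componnets" is carried from the removed line into the added one; since the line is being rewritten anyway, correct it to `This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code testing.` The split of the configuration sentence into a per-section "Documentation References" block is otherwise consistent with the new `## ... / ### ...` heading levels.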
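Review bot: the second hunk (`@@ -15,7 +19,6 @@`) removes the `gitlab.com/components/sast/iac-sast@` include, but the replacement added in the third hunk uses a different component name, `gitlab.com/components/sast/kics-iac-sast@`. If the component path was renamed, a one-line note in the IaC section that `iac-sast` is the previous name (and whether it still resolves) would keep existing pipelines from breaking silently on the next update. While the include example is being touched, consider wording the context line "where `` is the latest released tag or `main`" to recommend a released tag for normal use, since pinning to `main` makes the scan job's behaviour change without a corresponding change in the consuming repository.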
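Review bot: in the third hunk (`@@ -37,18 +40,51 @@`) the new IaC `### Inputs` table drops information that the removed combined table carried: the old `image_suffix` row stated "Yes, no FIPS support for IaC", while the new IaC row reads only "Suffix added to image." Restore the caveat, for example `Suffix added to image. FIPS-enabled images are not available for IaC scanning`, so readers do not set `-fips` expecting a hardened image. Two smaller points in the same hunk: the `search_max_depth` description was copied verbatim ("search for programming languages") into the IaC table, where it should describe the search for IaC files; and both new tables repeat the grammar slip "Define where all Docker image are pulled from", which should read `Define where all Docker images are pulled from`.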