mirror of
https://gitlab.com/components/sast.git
synced 2025-06-30 07:28:29 +02:00
component separation
This commit is contained in:
Rob Jackson
parent
81caeb7959
commit
ef1a1d6cd5
1 changed files with 55 additions and 19 deletions
74
README.md
74
README.md
|
|
@ -1,13 +1,17 @@
|
||||||
# SAST (Static Application Security Testing)
|
|
||||||
|
|
||||||
This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/).
|
This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing.
|
||||||
|
|
||||||
|
[[_TOC_]]
|
||||||
|
|
||||||
|
## Static Application Security Testing (SAST)
|
||||||
|
|
||||||
|
### Documentation References
|
||||||
|
|
||||||
|
Configuration for SAST can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/).
|
||||||
|
|
||||||
More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
|
More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
|
||||||
|
|
||||||
More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/).
|
### Usage
|
||||||
|
|
||||||
|
|
||||||
## Usage
|
|
||||||
|
|
||||||
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
|
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
|
||||||
keyword.
|
keyword.
|
||||||
|
|
@ -15,7 +19,6 @@ keyword.
|
||||||
```yaml
|
```yaml
|
||||||
include:
|
include:
|
||||||
- component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
|
- component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
|
||||||
- component: gitlab.com/components/sast/iac-sast@<VERSION> # To include IaC Scanning
|
|
||||||
```
|
```
|
||||||
|
|
||||||
where `<VERSION>` is the latest released tag or `main`.
|
where `<VERSION>` is the latest released tag or `main`.
|
||||||
|
|
@ -37,18 +40,51 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
|
||||||
|
|
||||||
### Inputs
|
### Inputs
|
||||||
|
|
||||||
| Input | Default value | Description | SAST | IaC |
|
| Input | Default value | Description |
|
||||||
| ----- | ------------- | ----------- | ---- | --- |
|
| ----- | ------------- | ----------- |
|
||||||
| `stage` | `test` | The stage where you want the job to be added | :white_check_mark: Yes | :white_check_mark: Yes |
|
| `stage` | `test` | The stage where you want the job to be added |
|
||||||
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :white_check_mark: Yes | :white_check_mark: Yes |
|
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
|
||||||
| `image_tag` | `4` | Tag of the Docker image to use | :white_check_mark: Yes | :white_check_mark: Yes |
|
| `image_tag` | `4` | Tag of the Docker image to use |
|
||||||
| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :white_check_mark: Yes | :white_check_mark: Yes, no FIPS support for IaC |
|
| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer |
|
||||||
| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :white_check_mark: Yes | :x: No |
|
| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
|
||||||
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark: Yes |
|
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
|
||||||
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :white_check_mark: Yes | :white_check_mark: Yes |
|
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
|
||||||
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :white_check_mark: Yes | :x: No |
|
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
|
||||||
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :white_check_mark: Yes | :x: No |
|
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
|
||||||
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :white_check_mark: Yes | :x: No |
|
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) |
|
||||||
|
|
||||||
|
## Infrastructure as Code (IaC) Scanning
|
||||||
|
|
||||||
|
### Documentation References
|
||||||
|
|
||||||
|
Configuration for IaC scanning can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/).
|
||||||
|
|
||||||
|
More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/).
|
||||||
|
|
||||||
|
### Usage
|
||||||
|
|
||||||
|
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
|
||||||
|
keyword.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
include:
|
||||||
|
- component: gitlab.com/components/sast/kics-iac-sast@<VERSION> # To include IaC Scanning
|
||||||
|
```
|
||||||
|
|
||||||
|
where `<VERSION>` is the latest released tag or `main`.
|
||||||
|
|
||||||
|
### Inputs
|
||||||
|
|
||||||
|
| Input | Default value | Description |
|
||||||
|
| ----- | ------------- | ----------- |
|
||||||
|
| `stage` | `test` | The stage where you want the job to be added |
|
||||||
|
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
|
||||||
|
| `image_tag` | `4` | Tag of the Docker image to use |
|
||||||
|
| `image_suffix` | `""` | Suffix added to image. |
|
||||||
|
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
|
||||||
|
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Contribute
|
## Contribute
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue