diff --git a/README.md b/README.md
index 394818e..ef3937b 100644
--- a/README.md
+++ b/README.md
@@ -3,4 +3,23 @@
 Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
 Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
-List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables
\ No newline at end of file
+List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables
+
+## Usage
+
+You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
+keyword.
+
+```yaml
+include:
+ - component: gitlab.com/gitlab-components/sastg@
+```
+
+where `` is the latest released tag or `main`.
+
+### Inputs
+
+| Input | Default value | Description |
+| ----- | ------------- | ----------- |
+| `stage` | `test` | The stage where you want the job to be added |
+| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
diff --git a/template.yml b/template.yml
index 1ee450f..2d53b85 100644
--- a/template.yml
+++ b/template.yml
@@ -2,14 +2,12 @@ spec:
 inputs:
 stage:
 default: test
+ image_prefix:
+ default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
 ---
 variables:
- # Setting this variable will affect all Security templates
- # (SAST, Dependency Scanning, ...)
- SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
 SAST_IMAGE_SUFFIX: ""
- SAST_EXCLUDED_ANALYZERS: ""
 SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
 SCAN_KUBERNETES_MANIFESTS: "false"
@@ -33,7 +31,7 @@ brakeman-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/brakeman:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_DISABLED
 when: never
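Review bot: In the first template.yml hunk, dropping `SECURE_ANALYZERS_PREFIX` from the top-level `variables:` block means a project- or group-level `SECURE_ANALYZERS_PREFIX` CI/CD variable — the knob the removed comment describes as affecting all Security templates, and the usual way to point scanners at an internal registry mirror — is no longer honoured by this component, because each job now reads `$[[ inputs.image_prefix ]]` directly. As I read the variable-precedence rules, project and group variables override a template's global `variables:`, so keeping a bridging entry `SECURE_ANALYZERS_PREFIX: "$[[ inputs.image_prefix ]]"` and leaving the jobs on `$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG` would honour both the new input and the existing override. If retiring that override is intentional, the README's `image_prefix` row should say so, and the new input should carry a `description:` stating that it selects the registry every scanner image is pulled from. The `variables:` block continues past the end of this hunk.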
@@ -50,7 +48,7 @@ flawfinder-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_DISABLED
 when: never
@@ -71,7 +69,7 @@ kubesec-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/kubesec:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_DISABLED
 when: never
@@ -86,7 +84,7 @@ kubesec-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/mobsf:$SAST_ANALYZER_IMAGE_TAG"
 mobsf-android-sast:
 extends: .mobsf-sast
@@ -120,7 +118,7 @@ nodejs-scan-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_DISABLED
 when: never
@@ -136,7 +134,7 @@ phpcs-security-audit-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_DISABLED
 when: never
@@ -152,7 +150,7 @@ pmd-apex-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_DISABLED
 when: never
@@ -168,7 +166,7 @@ security-code-scan-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: '3'
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_DISABLED
 when: never
@@ -186,7 +184,7 @@ semgrep-sast:
 variables:
 SEARCH_MAX_DEPTH: 20
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
 rules:
 - if: $SAST_DISABLED
 when: never
@@ -213,7 +211,7 @@ sobelow-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/sobelow:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_DISABLED
 when: never
@@ -229,7 +227,7 @@ spotbugs-sast:
 name: "$SAST_ANALYZER_IMAGE"
 variables:
 SAST_ANALYZER_IMAGE_TAG: 3
- SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
+ SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
 rules:
 - if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
 when: never
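Review bot: The rule `- if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/` at the end of the spotbugs-sast hunk still consumes `SAST_EXCLUDED_ANALYZERS`, yet the same commit removes its `""` default from the top-level `variables:` block, so the variable is now undefined unless a project sets it. My understanding is that a regex match against an undefined variable evaluates to false in `rules:if`, so spotbugs would still run, but that relies on parser behaviour rather than a declared value, and the exclusion knob is no longer discoverable in the template. Restoring `SAST_EXCLUDED_ANALYZERS: ""` under `variables:` (or at least recording the removal in the README's inputs table) keeps the rule's input explicit. The spotbugs-sast rules continue past the end of this hunk.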