Replace image prefix var with input

This commit is contained in:
Fabio Pitino 2023-05-03 10:30:14 +01:00
parent 53275bb053
commit f01197b9d2
2 changed files with 33 additions and 16 deletions


@ -4,3 +4,22 @@ Read more about this feature here: https://docs.gitlab.com/ee/user/application_s
Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables
## Usage
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword.
```yaml
include:
- component: gitlab.com/gitlab-components/sastg@<VERSION>
```
where `<VERSION>` is the latest released tag or `main`.
### Inputs
| Input | Default value | Description |
| ----- | ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |


@ -2,14 +2,12 @@ spec:
inputs: inputs:
stage: stage:
default: test default: test
image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
--- ---
variables: variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
SAST_IMAGE_SUFFIX: "" SAST_IMAGE_SUFFIX: ""
SAST_EXCLUDED_ANALYZERS: "" SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SCAN_KUBERNETES_MANIFESTS: "false" SCAN_KUBERNETES_MANIFESTS: "false"
@ -33,7 +31,7 @@ brakeman-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/brakeman:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -50,7 +48,7 @@ flawfinder-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -71,7 +69,7 @@ kubesec-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/kubesec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -86,7 +84,7 @@ kubesec-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/mobsf:$SAST_ANALYZER_IMAGE_TAG"
mobsf-android-sast: mobsf-android-sast:
extends: .mobsf-sast extends: .mobsf-sast
@ -120,7 +118,7 @@ nodejs-scan-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -136,7 +134,7 @@ phpcs-security-audit-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -152,7 +150,7 @@ pmd-apex-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -168,7 +166,7 @@ security-code-scan-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: '3' SAST_ANALYZER_IMAGE_TAG: '3'
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -186,7 +184,7 @@ semgrep-sast:
variables: variables:
SEARCH_MAX_DEPTH: 20 SEARCH_MAX_DEPTH: 20
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -213,7 +211,7 @@ sobelow-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/sobelow:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
@ -229,7 +227,7 @@ spotbugs-sast:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/ - if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
when: never when: never
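Review bot: Removing the `SECURE_ANALYZERS_PREFIX` global variable in the first hunk (the `spec`/`variables` hunk) means a project- or group-level CI/CD variable of that name, which the deleted comment presented as the shared knob for redirecting all Security templates to another registry, is no longer read by any job here; every analyzer now resolves its image from `$[[ inputs.image_prefix ]]`, which defaults to `$CI_TEMPLATE_REGISTRY_HOST/security-products`. For a consumer who had pointed that variable at an offline or vetted internal mirror and includes this component without also passing `image_prefix`, the pull source changes silently rather than failing loudly, which is the worse outcome from a supply-chain standpoint. If the input is meant to be the primary knob, the two mechanisms can coexist by keeping the variable as the single indirection, `SECURE_ANALYZERS_PREFIX: "$[[ inputs.image_prefix ]]"` under `variables:`, and leaving the job lines as `SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"`, since project- and group-level CI/CD variables override a YAML-level `variables:` default. Otherwise the removal should at least be flagged as a breaking change next to the `image_prefix` row in the README input table, with a comment in the template such as `# SECURE_ANALYZERS_PREFIX is intentionally not honoured; set inputs.image_prefix instead`.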