Merge branch 'iac-kics-sast' into 'main'

Added KICS IaC Scanner

See merge request components/sast!23

README.md

@@ -1,13 +1,17 @@
-# SAST (Static Application Security Testing)
 
-This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). 
+This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. 
+
+[[_TOC_]]
+
+## Static Application Security Testing (SAST)
+
+### Documentation References
+
+Configuration for SAST can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). 
 
 More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
 
-More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). 
-
-
-## Usage
+### Usage
 
 You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
 keyword.
@@ -15,7 +19,6 @@ keyword.
 ```yaml
 include:
   - component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
-  - component: gitlab.com/components/sast/iac-sast@<VERSION> # To include IaC Scanning
 ```
 
 where `<VERSION>` is the latest released tag or `main`.
@@ -37,18 +40,51 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
 
 ### Inputs
 
-| Input | Default value | Description | SAST | IaC |
-| ----- | ------------- | ----------- | ---- | --- | 
-| `stage` | `test`      | The stage where you want the job to be added | :white_check_mark:  Yes | :white_check_mark: Yes |
-| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :white_check_mark: Yes | :white_check_mark: Yes |
-| `image_tag` | `4` | Tag of the Docker image to use | :white_check_mark: Yes | :white_check_mark: Yes |
-| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :white_check_mark: Yes | :white_check_mark: Yes, no FIPS support for IaC |
-| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :white_check_mark: Yes | :x:  No |
-| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark:  Yes | :white_check_mark: Yes |
-| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :white_check_mark:  Yes | :white_check_mark:  Yes |
-| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  | :white_check_mark:  Yes | :x:  No |
-| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :white_check_mark: Yes | :x:  No |
-| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :white_check_mark:  Yes | :x:  No |
+| Input | Default value | Description |
+| ----- | ------------- | ----------- | 
+| `stage` | `test`      | The stage where you want the job to be added | 
+| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | 
+| `image_tag` | `4` | Tag of the Docker image to use | 
+| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer |
+| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | 
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | 
+| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
+| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  |
+| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | 
+| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | 
+
+## Infrastructure as Code (IaC) Scanning
+
+### Documentation References
+
+Configuration for IaC scanning can be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). 
+
+More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). 
+
+### Usage
+
+You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
+keyword.
+
+```yaml
+include:
+  - component: gitlab.com/components/sast/kics-iac-sast@<VERSION> # To include IaC Scanning
+```
+
+where `<VERSION>` is the latest released tag or `main`.
+
+### Inputs
+
+| Input | Default value | Description |
+| ----- | ------------- | ----------- | 
+| `stage` | `test`      | The stage where you want the job to be added | 
+| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | 
+| `image_tag` | `4` | Tag of the Docker image to use | 
+| `image_suffix` | `""` | Suffix added to image. |
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
+| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
+
+
 
 ## Contribute
 

templates/sast.yml

@@ -5,7 +5,7 @@ spec:
     image_prefix:
       default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
     image_tag:
-      default: '5'
+      default: '6'
     image_suffix:
       default: ""
     excluded_analyzers:
@@ -53,8 +53,14 @@ gitlab-advanced-sast:
   image:
     name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 1
+    SAST_ANALYZER_IMAGE_TAG: 2
     SEARCH_MAX_DEPTH: 20
+  cache:
+    key: "scan-metrics-$CI_COMMIT_REF_SLUG"
+    fallback_keys:
+      - "scan-metrics-$CI_DEFAULT_BRANCH"
+    paths:
+      - "scan_metrics.csv"
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
       when: never