diff --git a/templates/sast.yml b/templates/sast.yml index d937e76..01786b5 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -21,15 +21,29 @@ spec: type: boolean include_experimental: default: 'false' - enable_mr_pipelines: - default: false - type: boolean ff_glas_enable_php_support: default: true type: boolean + use_precompiled_artifacts: + description: Identifies whether pre-compiled artifacts will be provided or if compilation is required. + default: false + type: boolean + sast_dependencies: + description: The dependant jobs to wait for before running SAST jobs. + default: [] + type: array + runner_tags: + description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner + default: [] + type: array + sast_java_version: + description: The Java version used by the SAST analyzer + default: 21 + type: integer --- .sast-analyzer: stage: $[[ inputs.stage ]] + tags: $[[ inputs.runner_tags ]] allow_failure: true # these variables are used by the analyzer # TODO: propagate inputs when breaking down into separate components @@ -38,6 +52,9 @@ spec: SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" + COMPILE: $[[ inputs.use_precompiled_artifacts ]] + SAST_JAVA_VERSION: $[[ inputs.sast_java_version | expand_vars ]] + dependencies: $[[ inputs.sast_dependencies ]] script: - /analyzer run artifacts: @@ -125,10 +142,6 @@ spec: - '**/application*.yaml' - '**/bootstrap*.yaml' -.pmd-apex-exist-rules: - exists: - - '**/*.cls' - gitlab-advanced-sast: extends: .sast-analyzer image: 
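Review bot: Dropping `enable_mr_pipelines` from `spec:inputs` is a breaking change for any consumer that still passes it, because a component rejects inputs it does not declare, and nothing in the commit marks it as such or keeps a deprecated no-op declaration such as `enable_mr_pipelines: { default: true, type: boolean, description: Deprecated, MR pipelines are always enabled. }`. The new `sast_java_version` input is declared `type: integer` while its consumer applies `| expand_vars`; if the type check rejects a `$VARIABLE` value, the function can never see one, so either the type should be `string` or the function dropped (confirm the intent). The `sast_dependencies` description misspells "dependent" (`The dependent jobs to wait for before running SAST jobs.`), and the `runner_tags` description lacks its closing period unlike its siblings. The `.sast-analyzer` job touched by the `tags:` line continues past the end of this hunk.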
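Review bot: `COMPILE: $[[ inputs.use_precompiled_artifacts ]]` looks inverted relative to the input's own description: a caller who sets it to `true` because pre-compiled artifacts are provided ends up with `COMPILE: true`, and the default `false` turns compilation off for every analyzer that honours `COMPILE`. Either the mapping or the description is wrong; as far as I can tell input interpolation cannot negate a value, so the cleanest fix is an input that means what the variable means, e.g. `compile:` with `default: true` and `description: Set to false when pre-compiled artifacts are provided and the analyzer must not build the project.`, or keeping the name and rewriting the description to match the mapping. Separately, `dependencies: $[[ inputs.sast_dependencies ]]` with the default `[]` instructs every SAST job to download no artifacts from earlier stages, whereas an absent `dependencies` key downloads them all, so consumers that relied on build artifacts reaching the analyzer silently lose them; the `sast_dependencies` description should state this, or the empty default should preserve the previous behaviour. The `.sast-analyzer` job these variables belong to starts and ends outside this hunk.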
@@ -148,6 +161,9 @@ gitlab-advanced-sast: when: never - if: '"$[[ inputs.run_advanced_sast ]]" != "true"' when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ + exists: !reference [.gitlab-advanced-sast-exist-rules, exists] - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ exists: !reference [.gitlab-advanced-sast-exist-rules, exists] @@ -165,6 +181,7 @@ kubesec-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/' when: never + - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"' - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"' mobsf-android-sast: @@ -186,23 +203,9 @@ pmd-apex-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/' when: never - - # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* - # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 - # to cover both the *MR pipeline* and the *branch pipeline* workflows. - - # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. - - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && - $CI_PIPELINE_SOURCE == "merge_request_event"' - exists: !reference [.pmd-apex-exist-rules, exists] - - # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. - - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && - $CI_OPEN_MERGE_REQUESTS' - when: never - # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH - exists: !reference [.pmd-apex-exist-rules, exists] + exists: + - '**/*.cls' security-code-scan-sast: extends: .sast-analyzer 
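Review bot: The new `merge_request_event` rule is added alongside the existing `$CI_COMMIT_BRANCH` rule without the `$CI_OPEN_MERGE_REQUESTS` guard that the removed pmd-apex block used to carry, so in a project whose workflow creates both a branch pipeline and an MR pipeline for the same push, `gitlab-advanced-sast` now runs twice per commit unless the consumer's own `workflow:rules` already suppress the branch pipeline. The same gap applies to the `kubesec-sast`, `semgrep-sast` and `spotbugs-sast` hunks in this commit. Inserting `- if: $CI_OPEN_MERGE_REQUESTS` / `  when: never` between the MR rule and the branch rule in each of those jobs restores the previous single-run behaviour. The `rules:` list of this job begins before the hunk.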
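Review bot: After this hunk `pmd-apex-sast` has no `merge_request_event` rule at all, so in an MR pipeline it is never added, while every other analyzer in this commit gains exactly such a rule; it is unclear whether dropping MR support for this one analyzer is intended. If it is, a one-line comment above the remaining rule (`# pmd-apex runs in branch pipelines only`) would stop the next reader from treating it as an omission; if not, the job needs `- if: $CI_PIPELINE_SOURCE == "merge_request_event"` / `  exists:` / `    - '**/*.cls'` ahead of the `$CI_COMMIT_BRANCH` rule. The removed three-paragraph comment was the only documentation of the MR-versus-branch logic in the file, and nothing replaces it. The `pmd-apex-sast` job definition starts outside the hunk.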
@@ -246,7 +249,9 @@ semgrep-sast: "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.run_advanced_sast ]]" == "true"' when: never - # Default case - run for all supported files + - if: $CI_PIPELINE_SOURCE == "merge_request_event" + exists: !reference [.semgrep-exist-rules, exists] + # Default case - run for all supported files - if: $CI_COMMIT_BRANCH exists: !reference [.semgrep-exist-rules, exists] @@ -272,6 +277,7 @@ spotbugs-sast: exists: - '**/AndroidManifest.xml' when: never + - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_BRANCH exists: - '**/*.groovy'
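Review bot: The `# Default case - run for all supported files` comment now sits between two rules that both apply the `.semgrep-exist-rules` list, so it reads as if only the branch rule covered the supported files. Move the comment above the new `merge_request_event` rule so it introduces both, or reword it to `# Default case - run for all supported files in branch pipelines`. The `rules:` list of `semgrep-sast` begins before the hunk.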
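Review bot: The added `- if: $CI_PIPELINE_SOURCE == "merge_request_event"` for `spotbugs-sast` has no `exists:` condition, unlike the `$CI_COMMIT_BRANCH` rule directly below it, so in MR pipelines the job is added to every project regardless of whether any Groovy or other supported source exists, which is both a runner-time cost and a source of spurious failures. Because the branch rule's `exists:` list continues past the end of the hunk, the clean fix is a hidden `.spotbugs-exist-rules` job holding that list, mirroring the existing `.semgrep-exist-rules`, and then `exists: !reference [.spotbugs-exist-rules, exists]` on both the MR and branch rules. The `spotbugs-sast` rules list starts before the hunk and its `exists:` entries continue after it.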