Update file sast.yml

2025-07-01 07:48:28 +02:00 · 2025-06-03 20:42:53 +00:00 · 2025-06-03 20:29:51 +00:00 · 2025-06-03 20:23:29 +00:00 · 2025-06-03 20:00:48 +00:00 · 2025-06-03 20:00:16 +00:00
1 changed files with 30 additions and 24 deletions
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -21,15 +21,29 @@ spec:
      type: boolean
    include_experimental:
      default: 'false'
    enable_mr_pipelines:
      default: false
      type: boolean
    ff_glas_enable_php_support:
      default: true
      type: boolean
    use_precompiled_artifacts:
      description: Identifies whether pre-compiled artifacts will be provided or if compilation is required.
      default: false
      type: boolean
    sast_dependencies:
      description: The dependant jobs to wait for before running SAST jobs.
      default: []
      type: array
    runner_tags:
      description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner
      default: []
      type: array
    sast_java_version:
      description: The Java version used by the SAST analyzer
      default: 21
      type: integer
 ---
 .sast-analyzer:
  stage: $[[ inputs.stage ]]
  tags: $[[ inputs.runner_tags ]]
  allow_failure: true
  # these variables are used by the analyzer
  # TODO: propagate inputs when breaking down into separate components
@ -38,6 +52,9 @@ spec:
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
    DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
    SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
    COMPILE: $[[ inputs.use_precompiled_artifacts ]]
    SAST_JAVA_VERSION: $[[ inputs.sast_java_version | expand_vars ]]
  dependencies: $[[ inputs.sast_dependencies ]]
  script:
    - /analyzer run
  artifacts:
@ -125,10 +142,6 @@ spec:
    - '**/application*.yaml'
    - '**/bootstrap*.yaml'
 .pmd-apex-exist-rules:
  exists:
    - '**/*.cls'
 gitlab-advanced-sast:
  extends: .sast-analyzer
  image:
@ -148,6 +161,9 @@ gitlab-advanced-sast:
      when: never
    - if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/
      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/
      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
@ -165,6 +181,7 @@ kubesec-sast:
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"'
    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
 mobsf-android-sast:
@ -186,23 +203,9 @@ pmd-apex-sast:
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
      when: never
    # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
    # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
    # to cover both the *MR pipeline* and the *branch pipeline* workflows.
    # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
          $CI_PIPELINE_SOURCE == "merge_request_event"'
      exists: !reference [.pmd-apex-exist-rules, exists]
   # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
    - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
          $CI_OPEN_MERGE_REQUESTS'
      when: never
    # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
    - if: $CI_COMMIT_BRANCH
-      exists: !reference [.pmd-apex-exist-rules, exists]
+      exists:
        - '**/*.cls'
 security-code-scan-sast:
  extends: .sast-analyzer
@ -246,7 +249,9 @@ semgrep-sast:
          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
          "$[[ inputs.run_advanced_sast ]]" == "true"'
      when: never
-    # Default case - run for all supported files
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      exists: !reference [.semgrep-exist-rules, exists]
      # Default case - run for all supported files
    - if: $CI_COMMIT_BRANCH
      exists: !reference [.semgrep-exist-rules, exists]
@ -272,6 +277,7 @@ spotbugs-sast:
      exists:
        - '**/AndroidManifest.xml'
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.groovy'
Author	SHA1	Message	Date
Melissa Beldman	cc19beb6b6	Update file sast.yml	2025-06-03 20:42:53 +00:00
Melissa Beldman	d5a228428c	Update file sast.yml	2025-06-03 20:29:51 +00:00
Melissa Beldman	0e94e97004	Update file sast.yml	2025-06-03 20:23:29 +00:00
Melissa Beldman	b9268c4f7c	Update file sast.yml	2025-06-03 20:00:48 +00:00
Melissa Beldman	0cee4e10b3	Update file sast.yml	2025-06-03 20:00:16 +00:00
Melissa Beldman	843eb13140	Update file sast.yml	2025-06-03 19:56:36 +00:00