Merge branch 'iac-kics-sast' into 'main'

Added KICS IaC Scanner See merge request components/sast!23
2025-07-03 16:58:28 +02:00 · 2025-05-20 22:10:24 -04:00
2 changed files with 18 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -1,11 +1,9 @@
 # SAST (Static Application Security Testing)

-This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). 
-
-More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
-
-More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). 
+Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/

+Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables

 ## Usage

@ -15,7 +13,7 @@ keyword.
 ```yaml
 include:
  - component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
-  - component: gitlab.com/components/sast/iac-sast@<VERSION> # To include IaC Scanning
+  - component: gitlab.com/components/sast/iac-kics-sast@<VERSION> # To include IaC Scanning
 ```

 where `<VERSION>` is the latest released tag or `main`.
@ -37,18 +35,18 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit

 ### Inputs

-| Input | Default value | Description | SAST | IaC |
-| ----- | ------------- | ----------- | ---- | --- | 
-| `stage` | `test`      | The stage where you want the job to be added | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `image_tag` | `4` | Tag of the Docker image to use | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes, no FIPS support for IaC |
-| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
-| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
-| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
-| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
+| Input | Default value | Description |
+| ----- | ------------- | ----------- |
+| `stage` | `test`      | The stage where you want the job to be added |
+| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
+| `image_tag` | `4` | Tag of the Docker image to use |
+| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer |
+| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
+| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
+| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  |
+| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ]
+| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) |

 ## Contribute

--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@ -33,6 +33,8 @@ kics-iac-sast:
      sast: gl-sast-report.json
  allow_failure: true
  rules:
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
+      when: never
    - if: $[[ inputs.excluded_analyzers ]] =~ /kics/
      when: never
    - if: $CI_COMMIT_BRANCH