diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f9c85ae..f71afe0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -13,7 +13,7 @@ ensure-semgrep-job-added: exit 1 fi rules: - - if: $CI_COMMIT_BRANCH && $CI_SERVER_HOST =~ /gitlab.com/ + - if: $CI_COMMIT_BRANCH # Ensure that a project description exists, because it will be important to display # the resource in the catalog. @@ -29,8 +29,6 @@ check-description: else echo "Description set" fi - rules: - - if: $CI_SERVER_HOST =~ /gitlab.com/ # Ensure that a `README.md` exists in the root directory as it represents the # documentation for the whole components repository. diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 0fb88d0..0000000 --- a/LICENSE +++ /dev/null @@ -1,21 +0,0 @@ -MIT License - -Copyright (c) 2023 GitLab Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/README.md b/README.md index ed7a4de..876cefb 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,11 @@ +# SAST (Static Application Security Testing) -This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code scanning. +Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/ -[[_TOC_]] +Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). +List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables -## Static Application Security Testing (SAST) - -### Documentation References - -Configuration for SAST can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). - -More information about GitLab SAST is available within [GitLab documentation](https://docs.gitlab.com/ee/user/application_security/sast/), along with the [available variables](https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). - -### Usage +## Usage You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` keyword. @@ -41,48 +35,16 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit ### Inputs | Input | Default value | Description | -| ----- | ------------- | ----------- | -| `stage` | `test` | The stage where you want the job to be added | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | -| `image_tag` | `4` | Tag of the Docker image to use | +| ----- | ------------- | ----------- | +| `stage` | `test` | The stage where you want the job to be added | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | +| `image_tag` | `4` | Tag of the Docker image to use | | `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | -| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | -| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | -| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) | - -## Infrastructure as Code (IaC) Scanning - -### Documentation References - -Configuration for IaC scanning can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). - -More information about GitLab Infrastructure as Code scanning is available within [GitLab documentation](https://docs.gitlab.com/user/application_security/iac_scanning/). - -### Usage - -You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` -keyword. - -```yaml -include: - - component: gitlab.com/components/sast/iac-sast@ -``` - -where `` is the latest released tag or `main`. - -### Inputs - -| Input | Default value | Description | -| ----- | ------------- | ----------- | -| `stage` | `test` | The stage where you want the job to be added | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | -| `image_tag` | `6` | Tag of the Docker image to use | -| `image_suffix` | `""` | Suffix added to image. | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | +| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | ## Contribute diff --git a/templates/iac-sast.yml b/templates/iac-sast.yml deleted file mode 100644 index 81ff32c..0000000 --- a/templates/iac-sast.yml +++ /dev/null @@ -1,38 +0,0 @@ -# Component created based on GitLab's IAC SAST Scanning template -# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/ - -spec: - inputs: - stage: - default: test - excluded_paths: - default: "spec, test, tests, tmp" - excluded_analyzers: - default: "" - image_prefix: - default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" - image_suffix: - default: "" - search_max_depth: - default: 4 - image_tag: - default: 6 - ---- -kics-iac-sast: - stage: $[[ inputs.stage ]] - image: - name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" - variables: - SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] - script: - - /analyzer run - artifacts: - access: 'developer' - reports: - sast: gl-sast-report.json - allow_failure: true - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/' - when: never - - if: $CI_COMMIT_BRANCH diff --git a/templates/sast.yml b/templates/sast.yml index 64e7743..ac78956 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -5,7 +5,7 @@ spec: image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_tag: - default: '6' + default: '4' image_suffix: default: "" excluded_analyzers: @@ -16,14 +16,8 @@ spec: default: '4' run_kubesec_sast: default: 'false' - run_advanced_sast: - default: false - type: boolean include_experimental: default: 'false' - ff_glas_enable_php_support: - default: true - type: boolean --- .sast-analyzer: stage: $[[ inputs.stage ]] @@ -33,12 +27,10 @@ spec: # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead. variables: SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] - DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] - SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" + SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] script: - /analyzer run artifacts: - access: 'developer' reports: sast: gl-sast-report.json @@ -51,99 +43,6 @@ spec: rules: - when: never -.gitlab-advanced-sast-exist-rules: - exists: - - '**/*.py' - - '**/*.go' - - '**/*.java' - - '**/*.jsp' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.cjs' - - '**/*.mjs' - - '**/*.cs' - - '**/*.rb' - - '**/*.php' - -.semgrep-with-advanced-sast-exist-rules: - exists: - - '**/*.c' - - '**/*.cc' - - '**/*.cpp' - - '**/*.c++' - - '**/*.cp' - - '**/*.cxx' - - '**/*.h' - - '**/*.hpp' - - '**/*.scala' - - '**/*.sc' - - '**/*.php' - - '**/*.swift' - - '**/*.m' - - '**/*.kt' - - '**/*.properties' - - '**/application*.yml' - - '**/bootstrap*.yml' - - '**/application*.yaml' - - '**/bootstrap*.yaml' - -.semgrep-exist-rules: - exists: - - '**/*.py' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.c' - - '**/*.cc' - - '**/*.cpp' - - '**/*.c++' - - '**/*.cp' - - '**/*.cxx' - - '**/*.h' - - '**/*.hpp' - - '**/*.go' - - '**/*.java' - - '**/*.cs' - - '**/*.scala' - - '**/*.sc' - - '**/*.php' - - '**/*.swift' - - '**/*.m' - - '**/*.rb' - - '**/*.kt' - - '**/*.cjs' - - '**/*.mjs' - - '**/*.properties' - - '**/application*.yml' - - '**/bootstrap*.yml' - - '**/application*.yaml' - - '**/bootstrap*.yaml' - -gitlab-advanced-sast: - extends: .sast-analyzer - image: - name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" - variables: - FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]" - SAST_ANALYZER_IMAGE_TAG: 2 - SEARCH_MAX_DEPTH: 20 - cache: - key: "scan-metrics-$CI_COMMIT_REF_SLUG" - fallback_keys: - - "scan-metrics-$CI_DEFAULT_BRANCH" - paths: - - "scan_metrics.csv" - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' - when: never - - if: '"$[[ inputs.run_advanced_sast ]]" != "true"' - when: never - - if: $CI_COMMIT_BRANCH && - $GITLAB_FEATURES =~ /\bsast_advanced\b/ - exists: !reference [.gitlab-advanced-sast-exist-rules, exists] brakeman-sast: extends: .deprecated-16.8 @@ -201,33 +100,30 @@ semgrep-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' when: never - # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast - - if: '$CI_COMMIT_BRANCH && - $GITLAB_FEATURES =~ /\bsast_advanced\b/ && - "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && - "$[[ inputs.run_advanced_sast ]]" == "true" && - "$[[ inputs.ff_glas_enable_php_support ]]" == "true"' - variables: - SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php" - exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists] - # When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast - - if: '$CI_COMMIT_BRANCH && - $GITLAB_FEATURES =~ /\bsast_advanced\b/ && - "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && - "$[[ inputs.run_advanced_sast ]]" == "true" && - "$[[ inputs.ff_glas_enable_php_support ]]" != "true"' - variables: - SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" - exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists] - # Fallback when advanced SAST covers everything - - if: '$CI_COMMIT_BRANCH && - $GITLAB_FEATURES =~ /\bsast_advanced\b/ && - "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && - "$[[ inputs.run_advanced_sast ]]" == "true"' - when: never - # Default case - run for all supported files - if: $CI_COMMIT_BRANCH - exists: !reference [.semgrep-exist-rules, exists] + exists: + - '**/*.py' + - '**/*.js' + - '**/*.jsx' + - '**/*.ts' + - '**/*.tsx' + - '**/*.c' + - '**/*.cc' + - '**/*.cpp' + - '**/*.c++' + - '**/*.cp' + - '**/*.cxx' + - '**/*.go' + - '**/*.java' + - '**/*.html' + - '**/*.cs' + - '**/*.scala' + - '**/*.sc' + - '**/*.php' + - '**/*.swift' + - '**/*.m' + - '**/*.rb' + - '**/*.kt' sobelow-sast: extends: .sast-analyzer @@ -254,3 +150,5 @@ spotbugs-sast: - if: $CI_COMMIT_BRANCH exists: - '**/*.groovy' + - '**/*.scala' + - '**/*.kt'