Merge branch 'iac-kics-sast' into 'main'

Added KICS IaC Scanner to Readme and YAML

See merge request components/sast!23

README.md

@@ -12,7 +12,8 @@ keyword.
 
 ```yaml
 include:
-  - component: gitlab.com/components/sast/sast@<VERSION>
+  - component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
+  - component: gitlab.com/components/sast/iac-kics-sast@<VERSION> # To include IaC Scanning
 ```
 
 where `<VERSION>` is the latest released tag or `main`.

templates/iac-kics-sast.yml

@@ -0,0 +1,45 @@
+# Component created based on GitLab's IAC SAST Scanning template
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
+
+spec:
+    inputs:
+        stage:
+            default: test
+        excluded_paths:
+            default: "spec, test, tests, tmp"
+        excluded_analyzers:
+            default: ""
+        analyzer_image:
+            default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
+        search_max_depth:
+            default: 4
+        image_tag:
+            default: 6
+
+---
+iac-sast:
+  stage: $[[ inputs.stage ]]
+  artifacts:
+    access: 'developer'
+    reports:
+      sast: gl-sast-report.json
+  rules:
+    - when: never
+  # `rules` must be overridden explicitly by each child job
+  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
+  variables:
+    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
+  allow_failure: true
+  script:
+    - /analyzer run
+
+kics-iac-sast:
+  extends: iac-sast
+  image:
+    name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]"
+  rules:
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
+      when: never
+    - if: $[[ inputs.excluded_analyzers ]] =~ /kics/
+      when: never
+    - if: $CI_COMMIT_BRANCH