Merge branch 'iac-kics-sast' into 'main'

Added KICS IaC Scanner See merge request components/sast!23
renamed iac-sast file, removed disabled flag. Added more description in readme and adjusted table for SAST and IaC
2025-06-30 07:28:29 +02:00 · 2025-05-26 12:05:29 -04:00 · 2025-05-26 12:05:24 -04:00 · 2025-04-29 17:28:17 +10:00 · 2025-04-28 13:49:41 +10:00 · 2025-04-28 13:30:50 +10:00
3 changed files with 26 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -1,9 +1,11 @@
 # SAST (Static Application Security Testing)

-Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
+This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). 
+
+More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
+
+More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). 

-Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
-List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables

 ## Usage

@ -13,7 +15,7 @@ keyword.
 ```yaml
 include:
  - component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
-  - component: gitlab.com/components/sast/iac-kics-sast@<VERSION> # To include IaC Scanning
+  - component: gitlab.com/components/sast/iac-sast@<VERSION> # To include IaC Scanning
 ```

 where `<VERSION>` is the latest released tag or `main`.
@ -35,18 +37,18 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit

 ### Inputs

-| Input | Default value | Description |
-| ----- | ------------- | ----------- |
-| `stage` | `test`      | The stage where you want the job to be added |
-| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
-| `image_tag` | `4` | Tag of the Docker image to use |
-| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer |
-| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
-| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
-| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
-| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  |
-| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ]
-| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) |
+| Input | Default value | Description | SAST | IaC |
+| ----- | ------------- | ----------- | ---- | --- | 
+| `stage` | `test`      | The stage where you want the job to be added | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| `image_tag` | `4` | Tag of the Docker image to use | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes, no FIPS support for IaC |
+| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
+| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
+| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
+| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |

 ## Contribute

--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@ -33,8 +33,6 @@ kics-iac-sast:
      sast: gl-sast-report.json
  allow_failure: true
  rules:
-    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
-      when: never
    - if: $[[ inputs.excluded_analyzers ]] =~ /kics/
      when: never
    - if: $CI_COMMIT_BRANCH
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -5,7 +5,7 @@ spec:
    image_prefix:
      default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
    image_tag:
-      default: '5'
+      default: '6'
    image_suffix:
      default: ""
    excluded_analyzers:
@ -53,8 +53,14 @@ gitlab-advanced-sast:
  image:
    name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
  variables:
-    SAST_ANALYZER_IMAGE_TAG: 1
+    SAST_ANALYZER_IMAGE_TAG: 2
    SEARCH_MAX_DEPTH: 20
+  cache:
+    key: "scan-metrics-$CI_COMMIT_REF_SLUG"
+    fallback_keys:
+      - "scan-metrics-$CI_DEFAULT_BRANCH"
+    paths:
+      - "scan_metrics.csv"
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
      when: never
Author	SHA1	Message	Date
Rob Jackson	35ed5fdf3f	Merge branch 'iac-kics-sast' into 'main' Added KICS IaC Scanner See merge request components/sast!23	2025-05-26 12:05:29 -04:00
Rob Jackson	f1b9a6d963	renamed iac-sast file, removed disabled flag. Added more description in readme and adjusted table for SAST and IaC	2025-05-26 12:05:24 -04:00
Hua Yan	5758da0696	Merge branch 'hyan/glas-multicore' into 'main' Support profiling via cache for GLAS multicore workload balancing See merge request components/sast!22	2025-04-29 17:28:17 +10:00
Thiago Figueiró	7f7984b96d	Merge branch 'hyan/sast-18.0' into 'main' Bump SAST analyser major version for 18.0 See merge request components/sast!24	2025-04-28 13:49:41 +10:00
hyan@gitlab.com	70e2583135	Bump analyser versions for 18.0	2025-04-28 13:30:50 +10:00
Hua Yan	8c5526b0f4	Set path as "scan_metrics.csv"	2025-04-23 13:01:09 +10:00
hyan@gitlab.com	4ea446f709	Improve cache	2025-04-08 10:57:15 +10:00
hyan@gitlab.com	c6ea9d4f34	Test GLAS multicore	2025-04-04 11:29:31 +11:00
hyan@gitlab.com	446d4146f5	Test GLAS multicore	2025-04-04 10:51:29 +11:00