From fb90f914d71c14b65a6366f9555c659463cc5023 Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Mon, 14 Apr 2025 17:01:13 -0400 Subject: [PATCH 1/3] Added KICS IaC Scanner to Readme and YAML --- README.md | 3 ++- templates/iac-kics-sast.yml | 47 +++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 templates/iac-kics-sast.yml diff --git a/README.md b/README.md index ca020ac..b1b8143 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,8 @@ keyword. ```yaml include: - - component: gitlab.com/components/sast/sast@ + - component: gitlab.com/components/sast/sast@ # To include SAST Scanning + - component: gitlab.com/components/sast/iac-kics-sast@ # To include IaC Scanning ``` where `` is the latest released tag or `main`. diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml new file mode 100644 index 0000000..d570851 --- /dev/null +++ b/templates/iac-kics-sast.yml 
@@ -0,0 +1,47 @@
+# Component created based on GitLab's IAC SAST Scanning template
+# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
+
+spec:
+ inputs:
+ stage:
+ default: test
+ excluded_paths:
+ default: "spec, test, tests, tmp"
+ excluded_analyzers:
+ default ""
+ image_prefix:
+ default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
+ image_suffix:
+ default: ""
+ search_max_depth:
+ default: 4
+ image_tag:
+ default: 5
+
+---
+iac-sast:
+ stage: $[[ inputs.stage ]]
+ artifacts:
+ access: 'developer'
+ reports:
+ sast: gl-sast-report.json
+ rules:
+ - when: never
+ # `rules` must be overridden explicitly by each child job
+ # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
+ variables:
+ SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
+ allow_failure: true
+ script:
+ - /analyzer run
+
+kics-iac-sast:
+ extends: iac-sast
+ image:
+ name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
+ rules:
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
+ when: never
+ - if: $[[ inputs.excluded_analyzers ]] =~ /kics/
+ when: never
+ - if: $CI_COMMIT_BRANCH
From f09ec4e3de85cfe1cd8a0eb6c1ea1b666bdcb10f Mon Sep 17 00:00:00 2001
From: Rob Jackson
Date: Wed, 14 May 2025 08:36:25 -0400
Subject: [PATCH 2/3] Apply 1 suggestion(s) to 1 file(s)
Co-authored-by: Julian Thome
---
 templates/iac-kics-sast.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml
index d570851..ab347cf 100644
--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@@ -8,7 +8,7 @@ spec:
 excluded_paths:
 default: "spec, test, tests, tmp"
 excluded_analyzers:
- default ""
+ default: ""
 image_prefix:
 default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
 image_suffix:
From 7626afb52028e74f561a52f2d2612890a02c2b5a Mon Sep 17 00:00:00 2001
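Review bot: The `excluded_paths` input declared under `spec.inputs` is never used — `iac-sast.variables` only exports `SEARCH_MAX_DEPTH` — so a consumer setting `excluded_paths` changes nothing in the scan; add `SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]` beside `SEARCH_MAX_DEPTH`. In `kics-iac-sast.rules`, `- if: $[[ inputs.excluded_analyzers ]] =~ /kics/` interpolates the raw input into the expression, so the default `""` renders as a bare `=~ /kics/` and a non-empty value appears as a bare word rather than a `$VARIABLE` or quoted string, which looks unlikely to pass pipeline validation; exporting it as `SAST_EXCLUDED_ANALYZERS: $[[ inputs.excluded_analyzers ]]` and testing `$SAST_EXCLUDED_ANALYZERS =~ /kics/` avoids that. The final `- if: $CI_COMMIT_BRANCH` runs the scanner only in branch pipelines, since that variable is unset in merge-request and tag pipelines, so projects using MR pipelines get no IaC scan at all — an additional rule on `$CI_PIPELINE_SOURCE == "merge_request_event"` would close that gap. The numeric defaults (`4`, `5`, and `6` after PATCH 3/3) are parsed as integers by YAML while inputs are string-typed unless declared otherwise; quoting them (`default: "4"`) keeps the values as strings.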
From: Rob Jackson
Date: Wed, 14 May 2025 08:45:50 -0400
Subject: [PATCH 3/3] image tag to 6 and replacing image prefix/suffix with simple image
---
 templates/iac-kics-sast.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml
index ab347cf..3835b33 100644
--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@@ -9,14 +9,12 @@ spec:
 default: "spec, test, tests, tmp"
 excluded_analyzers:
 default: ""
- image_prefix:
+ analyzer_image:
 default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
- image_suffix:
- default: ""
 search_max_depth:
 default: 4
 image_tag:
- default: 5
+ default: 6

 ---
 iac-sast:
@@ -38,7 +36,7 @@ iac-sast:
 kics-iac-sast:
 extends: iac-sast
 image:
- name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
+ name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]"
 rules:
 - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
 when: never
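Review bot: `analyzer_image` still carries only the registry prefix — this `name:` line appends `/kics:` and the tag to it — so the new name promises a full image reference that the value does not hold; `analyzer_registry` (or keeping `_prefix` in the name) would describe it, or let the input be the full reference and simplify the line to `name: "$[[ inputs.analyzer_image ]]:$[[ inputs.image_tag ]]"`. The first hunk drops `image_prefix` and `image_suffix` from `spec.inputs`, which is a breaking change for any consumer already passing them (GitLab rejects inputs that are not declared in the spec, as far as I know) and deserves a mention in the README or the commit message. With `image_tag` still a mutable major version (`6`), the image actually pulled may change between pipelines with no change on the consumer's side; where that matters, the input can carry a digest as well (e.g. `"6@sha256:<digest>"`, placeholder) so the analyzer is pinned while the input stays overridable.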