Merge branch 'iac-kics-sast' into 'main'

Added KICS IaC Scanner See merge request components/sast!23
adding image suffix to keep inputs whole
2025-07-04 01:08:28 +02:00 · 2025-05-20 22:10:24 -04:00 · 2025-05-20 22:10:19 -04:00 · 2025-05-20 22:04:22 -04:00 · 2025-05-20 22:03:35 -04:00 · 2025-04-29 17:28:17 +10:00
2 changed files with 18 additions and 17 deletions
--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@ -9,34 +9,29 @@ spec:
            default: "spec, test, tests, tmp"
        excluded_analyzers:
            default: ""
-        analyzer_image:
+        image_prefix:
            default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
        image_suffix:
            dafault: ""
        search_max_depth:
            default: 4
        image_tag:
            default: 6
 ---
-iac-sast:
+kics-iac-sast:
  stage: $[[ inputs.stage ]]
  image:
    name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
  variables:
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
  script:
    - /analyzer run
  artifacts:
    access: 'developer'
    reports:
      sast: gl-sast-report.json
  rules:
    - when: never
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  variables:
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
  allow_failure: true
  script:
    - /analyzer run
 kics-iac-sast:
  extends: iac-sast
  image:
    name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]"
  rules:
    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
      when: never
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -5,7 +5,7 @@ spec:
    image_prefix:
      default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
    image_tag:
-      default: '5'
+      default: '6'
    image_suffix:
      default: ""
    excluded_analyzers:
@ -53,8 +53,14 @@ gitlab-advanced-sast:
  image:
    name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
  variables:
-    SAST_ANALYZER_IMAGE_TAG: 1
+    SAST_ANALYZER_IMAGE_TAG: 2
    SEARCH_MAX_DEPTH: 20
  cache:
    key: "scan-metrics-$CI_COMMIT_REF_SLUG"
    fallback_keys:
      - "scan-metrics-$CI_DEFAULT_BRANCH"
    paths:
      - "scan_metrics.csv"
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
      when: never
Author	SHA1	Message	Date
Rob Jackson	4b2733b8f2	Merge branch 'iac-kics-sast' into 'main' Added KICS IaC Scanner See merge request components/sast!23	2025-05-20 22:10:24 -04:00
Rob Jackson	40ec68512d	adding image suffix to keep inputs whole	2025-05-20 22:10:19 -04:00
Rob Jackson	cf87e0da38	Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Adam Cohen <acohen@gitlab.com>	2025-05-20 22:04:22 -04:00
Rob Jackson	2a492122e2	Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Adam Cohen <acohen@gitlab.com>	2025-05-20 22:03:35 -04:00
Hua Yan	5758da0696	Merge branch 'hyan/glas-multicore' into 'main' Support profiling via cache for GLAS multicore workload balancing See merge request components/sast!22	2025-04-29 17:28:17 +10:00
Thiago Figueiró	7f7984b96d	Merge branch 'hyan/sast-18.0' into 'main' Bump SAST analyser major version for 18.0 See merge request components/sast!24	2025-04-28 13:49:41 +10:00
hyan@gitlab.com	70e2583135	Bump analyser versions for 18.0	2025-04-28 13:30:50 +10:00
Hua Yan	8c5526b0f4	Set path as "scan_metrics.csv"	2025-04-23 13:01:09 +10:00
hyan@gitlab.com	4ea446f709	Improve cache	2025-04-08 10:57:15 +10:00
hyan@gitlab.com	c6ea9d4f34	Test GLAS multicore	2025-04-04 11:29:31 +11:00
hyan@gitlab.com	446d4146f5	Test GLAS multicore	2025-04-04 10:51:29 +11:00