diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml index 3835b33..ff6e530 100644 --- a/templates/iac-kics-sast.yml +++ b/templates/iac-kics-sast.yml @@ -9,34 +9,29 @@ spec: default: "spec, test, tests, tmp" excluded_analyzers: default: "" - analyzer_image: + image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" + image_suffix: + dafault: "" search_max_depth: default: 4 image_tag: default: 6 --- -iac-sast: +kics-iac-sast: stage: $[[ inputs.stage ]] + image: + name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" + variables: + SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] + script: + - /analyzer run artifacts: access: 'developer' reports: sast: gl-sast-report.json - rules: - - when: never - # `rules` must be overridden explicitly by each child job - # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444 - variables: - SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] allow_failure: true - script: - - /analyzer run - -kics-iac-sast: - extends: iac-sast - image: - name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]" rules: - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' when: never diff --git a/templates/sast.yml b/templates/sast.yml index 6dad115..ccb3eec 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -5,7 +5,7 @@ spec: image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_tag: - default: '5' + default: '6' image_suffix: default: "" excluded_analyzers: @@ -53,8 +53,14 @@ gitlab-advanced-sast: image: name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" variables: - SAST_ANALYZER_IMAGE_TAG: 1 + SAST_ANALYZER_IMAGE_TAG: 2 SEARCH_MAX_DEPTH: 20 + cache: + key: "scan-metrics-$CI_COMMIT_REF_SLUG" + fallback_keys: + - "scan-metrics-$CI_DEFAULT_BRANCH" + paths: + - "scan_metrics.csv" rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' when: never