diff --git a/templates/sast.yml b/templates/sast.yml index 01786b5..d937e76 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -21,29 +21,15 @@ spec: type: boolean include_experimental: default: 'false' + enable_mr_pipelines: + default: false + type: boolean ff_glas_enable_php_support: default: true type: boolean - use_precompiled_artifacts: - description: Identifies whether pre-compiled artifacts will be provided or if compilation is required. - default: false - type: boolean - sast_dependencies: - description: The dependant jobs to wait for before running SAST jobs. - default: [] - type: array - runner_tags: - description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner - default: [] - type: array - sast_java_version: - description: The Java version used by the SAST analyzer - default: 21 - type: integer --- .sast-analyzer: stage: $[[ inputs.stage ]] - tags: $[[ inputs.runner_tags ]] allow_failure: true # these variables are used by the analyzer # TODO: propagate inputs when breaking down into separate components @@ -52,9 +38,6 @@ spec: SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" - COMPILE: $[[ inputs.use_precompiled_artifacts ]] - SAST_JAVA_VERSION: $[[ inputs.sast_java_version | expand_vars ]] - dependencies: $[[ inputs.sast_dependencies ]] script: - /analyzer run artifacts: @@ -142,6 +125,10 @@ spec: - '**/application*.yaml' - '**/bootstrap*.yaml' +.pmd-apex-exist-rules: + exists: + - '**/*.cls' + gitlab-advanced-sast: extends: .sast-analyzer image: 
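Review bot: The new `enable_mr_pipelines` input in the `spec` hunk has no `description:`, while every input the same hunk removes (`use_precompiled_artifacts`, `sast_dependencies`, `runner_tags`, `sast_java_version`) documented its purpose; since this flag decides where the analyzers run, its meaning should be stated on the input itself, e.g. `description: When true, SAST jobs run in merge request pipelines and are skipped in branch pipelines for branches that have an open merge request.` That wording is taken from the rule comments this diff adds to pmd-apex-sast, so it stays consistent with the behaviour actually implemented. The adjacent `include_experimental` input keeps its quoted `'false'` default whereas the new flag uses a real boolean with `type: boolean`; it is untouched here, but the inconsistency is worth noting so the two flags do not diverge further.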
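Review bot: Dropping `dependencies: $[[ inputs.sast_dependencies ]]` from `.sast-analyzer` in the second hunk changes default artifact handling rather than just removing a knob: the removed input defaulted to `[]`, which stopped analyzer jobs from downloading any artifacts, whereas a job with no `dependencies:` key downloads artifacts from all jobs in earlier stages. Every analyzer job would then pull the pipeline's build artifacts into its workspace, adding runtime and scan surface that the previous default excluded. If that is not the intent, keep an explicit `dependencies: []` on `.sast-analyzer`. The `.sast-analyzer` job is opened in the first hunk and continues past this one, so other keys may be affected outside the visible lines.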
@@ -161,9 +148,6 @@ gitlab-advanced-sast: when: never - if: '"$[[ inputs.run_advanced_sast ]]" != "true"' when: never - - if: $CI_PIPELINE_SOURCE == "merge_request_event" && - $GITLAB_FEATURES =~ /\bsast_advanced\b/ - exists: !reference [.gitlab-advanced-sast-exist-rules, exists] - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ exists: !reference [.gitlab-advanced-sast-exist-rules, exists] @@ -181,7 +165,6 @@ kubesec-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/' when: never - - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"' - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"' mobsf-android-sast: @@ -203,9 +186,23 @@ pmd-apex-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/' when: never + + # The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline* + # when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3 + # to cover both the *MR pipeline* and the *branch pipeline* workflows. + + # 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_PIPELINE_SOURCE == "merge_request_event"' + exists: !reference [.pmd-apex-exist-rules, exists] + + # 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request. + - if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" && + $CI_OPEN_MERGE_REQUESTS' + when: never + # 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch). - if: $CI_COMMIT_BRANCH - exists: - - '**/*.cls' + exists: !reference [.pmd-apex-exist-rules, exists] security-code-scan-sast: extends: .sast-analyzer 
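Review bot: Rule 2 of the new pmd-apex-sast block suppresses the branch-pipeline job whenever `$CI_OPEN_MERGE_REQUESTS` is set, but nothing in the hunk checks that the project actually creates merge-request pipelines; a project that sets `enable_mr_pipelines: true` without a `workflow:` rule for `merge_request_event` would get no pmd-apex scan at all while an MR is open, which is a silent loss of coverage rather than a failed job. That precondition belongs in the header comment, e.g. `# Requires the project's workflow rules to create merge request pipelines; otherwise rule 2 skips the branch pipeline and nothing scans the branch while an MR is open.` The same header has a typo, `in a an *MR pipeline*` should read `in an *MR pipeline*`. Only pmd-apex-sast receives this gating, while the `merge_request_event` rules for gitlab-advanced-sast and kubesec-sast in the two preceding hunks (and for semgrep-sast and spotbugs-sast later in the diff) are simply deleted; if that is a staged rollout, a sentence saying so in the header would stop readers from assuming `enable_mr_pipelines` covers every analyzer.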
@@ -249,9 +246,7 @@ semgrep-sast: "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.run_advanced_sast ]]" == "true"' when: never - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - exists: !reference [.semgrep-exist-rules, exists] - # Default case - run for all supported files + # Default case - run for all supported files - if: $CI_COMMIT_BRANCH exists: !reference [.semgrep-exist-rules, exists] @@ -277,7 +272,6 @@ spotbugs-sast: exists: - '**/AndroidManifest.xml' when: never - - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_BRANCH exists: - '**/*.groovy'