diff --git a/README.md b/README.md index ed7a4de..c797054 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,11 @@ +# SAST (Static Application Security Testing) -This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code scanning. +Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/ -[[_TOC_]] +Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). +List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables -## Static Application Security Testing (SAST) - -### Documentation References - -Configuration for SAST can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). - -More information about GitLab SAST is available within [GitLab documentation](https://docs.gitlab.com/ee/user/application_security/sast/), along with the [available variables](https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). - -### Usage +## Usage You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` keyword. 
@@ -41,49 +35,19 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit ### Inputs | Input | Default value | Description | -| ----- | ------------- | ----------- | -| `stage` | `test` | The stage where you want the job to be added | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | -| `image_tag` | `4` | Tag of the Docker image to use | +| ----- | ------------- | ----------- | +| `stage` | `test` | The stage where you want the job to be added | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | +| `image_tag` | `4` | Tag of the Docker image to use | | `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | | `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | | `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for 
GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) | -## Infrastructure as Code (IaC) Scanning - -### Documentation References - -Configuration for IaC scanning can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). - -More information about GitLab Infrastructure as Code scanning is available within [GitLab documentation](https://docs.gitlab.com/user/application_security/iac_scanning/). - -### Usage - -You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` -keyword. - -```yaml -include: - - component: gitlab.com/components/sast/iac-sast@ -``` - -where `` is the latest released tag or `main`. - -### Inputs - -| Input | Default value | Description | -| ----- | ------------- | ----------- | -| `stage` | `test` | The stage where you want the job to be added | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | -| `image_tag` | `6` | Tag of the Docker image to use | -| `image_suffix` | `""` | Suffix added to image. | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | -| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | - ## Contribute Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components diff --git a/templates/iac-sast.yml b/templates/iac-sast.yml deleted file mode 100644 index d657763..0000000 --- a/templates/iac-sast.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -# Component created based on GitLab's IAC SAST Scanning template -# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/ - -spec: - inputs: - stage: - default: test - excluded_paths: - default: "spec, test, tests, tmp" - excluded_analyzers: - default: "" - image_prefix: - default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" - image_suffix: - dafault: "" - search_max_depth: - default: 4 - image_tag: - default: 6 - ---- -kics-iac-sast: - stage: $[[ inputs.stage ]] - image: - name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" - variables: - SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] - script: - - /analyzer run - artifacts: - access: 'developer' - reports: - sast: gl-sast-report.json - allow_failure: true - rules: - - if: $[[ inputs.excluded_analyzers ]] =~ /kics/ - when: never - - if: $CI_COMMIT_BRANCH
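Review bot: In the README hunk `@@ -1,17 +1,11 @@`, the rewritten introduction drops the sentence saying that configuration can also be done via Inputs (https://docs.gitlab.com/ci/inputs/) even though the `### Inputs` table later in the file still documents them; keep that sentence. The same hunk also replaces markdown links with bare URLs (`Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/`), which is a style regression against the link form the rest of the README uses; dropping `[[_TOC_]]` is fine once only one section remains, but the commit message should state that this reverts the combined SAST/IaC README.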
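Review bot: In the Inputs-table hunk `@@ -41,49 +35,19 @@`, the `-`/`+` pairs for the `stage`, `image_prefix`, `image_tag`, `excluded_analyzers` and `excluded_paths` rows are identical in content, so they are whitespace-only changes that pad the diff; drop them or move them to a separate formatting commit. The one substantive addition is the `include_experimental` row (default `"false"`); the template that would declare that input (`templates/sast.yml`) is not part of this diff, so confirm the spec has a matching `include_experimental` input with the same default, otherwise the README documents an input the component will reject.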
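Review bot: Removing the `## Infrastructure as Code (IaC) Scanning` section and deleting `templates/iac-sast.yml` is a breaking change for every pipeline that currently includes `gitlab.com/components/sast/iac-sast@<tag>`: the include stops resolving on the next tag. Document the removal (and the replacement users should migrate to, if one exists) in the README or a changelog, and release it under a new major tag rather than a patch release.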
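Review bot: In the deleted `templates/iac-sast.yml` hunk, `image_suffix` is declared with `dafault: ""` instead of `default: ""`, an invalid spec key that would make the component unusable as shipped; if the deletion is motivated by the component failing to load, the one-character fix is the smaller change. The deleted `kics-iac-sast` job also gated on an `excluded_analyzers` input (`- if: $[[ inputs.excluded_analyzers ]] =~ /kics/`) that the README's IaC inputs table never listed. If the removal is intentional none of this needs fixing, but the commit message should say why the component is being dropped.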