vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-07-03 08:48:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: vor:cc19beb6b6accc70093cea35021aafbf21ed30cf
Branches Tags
vor:main
vor:add-clangsa
vor:remove-inputs-from-readme
vor:514659-enable-gitlab-advanced-sast-by-default
vor:advanced-sast
vor:3.0.0
vor:2.1.0
vor:2.0.2
vor:2.0.1
vor:2.0.0
vor:1.1.2
vor:1.1.1
vor:1.1.0
vor:1.0.1
vor:1.0
vor:0.1
..
compare: vor:312da6bf5a8cb5ed1f674fbb9480a7094e3bca25
Branches Tags
vor:add-clangsa
vor:main
vor:remove-inputs-from-readme
vor:514659-enable-gitlab-advanced-sast-by-default
vor:advanced-sast
vor:3.0.0
vor:2.1.0
vor:2.0.2
vor:2.0.1
vor:2.0.0
vor:1.1.2
vor:1.1.1
vor:1.1.0
vor:1.0.1
vor:1.0
vor:0.1

No commits in common. "cc19beb6b6accc70093cea35021aafbf21ed30cf" and "312da6bf5a8cb5ed1f674fbb9480a7094e3bca25" have entirely different histories.
cc19beb6b6 ... 312da6bf5a

1 changed files with 24 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

52
templates/sast.yml
View file

@ -21,29 +21,15 @@ spec:
type: boolean type: boolean
include_experimental: include_experimental:
default: 'false' default: 'false'
enable_mr_pipelines:
default: false
type: boolean
ff_glas_enable_php_support: ff_glas_enable_php_support:
default: true default: true
type: boolean type: boolean
use_precompiled_artifacts:
description: Identifies whether pre-compiled artifacts will be provided or if compilation is required.
default: false
type: boolean
sast_dependencies:
description: The dependant jobs to wait for before running SAST jobs.
default: []
type: array
runner_tags:
description: The tags to apply to SAST jobs so they can be picked up by an appropriate GitLab runner
default: []
type: array
sast_java_version:
description: The Java version used by the SAST analyzer
default: 21
type: integer
--- ---
.sast-analyzer: .sast-analyzer:
stage: $[[ inputs.stage ]] stage: $[[ inputs.stage ]]
tags: $[[ inputs.runner_tags ]]
allow_failure: true allow_failure: true
# these variables are used by the analyzer # these variables are used by the analyzer
# TODO: propagate inputs when breaking down into separate components # TODO: propagate inputs when breaking down into separate components
@ -52,9 +38,6 @@ spec:
SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
COMPILE: $[[ inputs.use_precompiled_artifacts ]]
SAST_JAVA_VERSION: $[[ inputs.sast_java_version | expand_vars ]]
dependencies: $[[ inputs.sast_dependencies ]]
script: script:
- /analyzer run - /analyzer run
artifacts: artifacts:
@ -142,6 +125,10 @@ spec:
- '**/application*.yaml' - '**/application*.yaml'
- '**/bootstrap*.yaml' - '**/bootstrap*.yaml'
.pmd-apex-exist-rules:
exists:
- '**/*.cls'
gitlab-advanced-sast: gitlab-advanced-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
@ -161,9 +148,6 @@ gitlab-advanced-sast:
when: never when: never
- if: '"$[[ inputs.run_advanced_sast ]]" != "true"' - if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
when: never when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/
exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ $GITLAB_FEATURES =~ /\bsast_advanced\b/
exists: !reference [.gitlab-advanced-sast-exist-rules, exists] exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
@ -181,7 +165,6 @@ kubesec-sast:
rules: rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
when: never when: never
- if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"'
- if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"' - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
mobsf-android-sast: mobsf-android-sast:
@ -203,9 +186,23 @@ pmd-apex-sast:
rules: rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
when: never when: never
# The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
# when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
# to cover both the *MR pipeline* and the *branch pipeline* workflows.
# 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event"'
exists: !reference [.pmd-apex-exist-rules, exists]
# 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_OPEN_MERGE_REQUESTS'
when: never
# 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists: !reference [.pmd-apex-exist-rules, exists]
- '**/*.cls'
security-code-scan-sast: security-code-scan-sast:
extends: .sast-analyzer extends: .sast-analyzer
@ -249,8 +246,6 @@ semgrep-sast:
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"' "$[[ inputs.run_advanced_sast ]]" == "true"'
when: never when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
exists: !reference [.semgrep-exist-rules, exists]
# Default case - run for all supported files # Default case - run for all supported files
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: !reference [.semgrep-exist-rules, exists] exists: !reference [.semgrep-exist-rules, exists]
@ -277,7 +272,6 @@ spotbugs-sast:
exists: exists:
- '**/AndroidManifest.xml' - '**/AndroidManifest.xml'
when: never when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists:
- '**/*.groovy' - '**/*.groovy'