spec: inputs: stage: default: test image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_suffix: default: "" --- .sast-analyzer: stage: $[[ inputs.stage ]] allow_failure: true # `rules` must be overridden explicitly by each child job # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444 variables: SEARCH_MAX_DEPTH: 4 SAST_EXCLUDED_ANALYZERS: "" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SCAN_KUBERNETES_MANIFESTS: "false" script: - /analyzer run artifacts: reports: sast: gl-sast-report.json brakeman-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/brakeman:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/ when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.rb' - '**/Gemfile' flawfinder-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/flawfinder:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/ when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.c' - '**/*.cc' - '**/*.cpp' - '**/*.c++' - '**/*.cp' - '**/*.cxx' kubesec-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/kubesec:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/ when: never - if: $CI_COMMIT_BRANCH && $SCAN_KUBERNETES_MANIFESTS == 'true' .mobsf-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/mobsf:$SAST_ANALYZER_IMAGE_TAG" mobsf-android-sast: extends: .mobsf-sast rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/ when: never - if: $CI_COMMIT_BRANCH && $SAST_EXPERIMENTAL_FEATURES == 'true' exists: - '**/*.apk' - '**/AndroidManifest.xml' mobsf-ios-sast: extends: .mobsf-sast rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/ when: never - if: $CI_COMMIT_BRANCH && $SAST_EXPERIMENTAL_FEATURES == 'true' exists: - '**/*.ipa' - '**/*.xcodeproj/*' nodejs-scan-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/ when: never - if: $CI_COMMIT_BRANCH exists: - '**/package.json' phpcs-security-audit-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/ when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.php' pmd-apex-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/pmd-apex:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/ when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.cls' security-code-scan-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: '3' SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/security-code-scan:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/ when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.csproj' - '**/*.vbproj' semgrep-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SEARCH_MAX_DEPTH: 20 SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/semgrep:$SAST_ANALYZER_IMAGE_TAG$[[ inputs.image_suffix ]]" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/ when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.py' - '**/*.js' - '**/*.jsx' - '**/*.ts' - '**/*.tsx' - '**/*.c' - '**/*.go' - '**/*.java' - '**/*.cs' - '**/*.html' - '**/*.scala' - '**/*.sc' sobelow-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/sobelow:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_DISABLED when: never - if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/ when: never - if: $CI_COMMIT_BRANCH exists: - '**/mix.exs' spotbugs-sast: extends: .sast-analyzer image: name: "$SAST_ANALYZER_IMAGE" variables: SAST_ANALYZER_IMAGE_TAG: 3 SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG" rules: - if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/ when: never - if: $SAST_EXPERIMENTAL_FEATURES == 'true' exists: - '**/AndroidManifest.xml' when: never - if: $SAST_DISABLED when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.groovy' - '**/*.scala' - '**/*.kt'