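# Component created based on GitLab's IAC SAST Scanning template
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
---
spec:
  inputs:
    # Pipeline stage the scanning job is placed in.
    stage:
      default: test
    # Comma-separated paths the analyzer skips; forwarded as SAST_EXCLUDED_PATHS.
    excluded_paths:
      default: "spec, test, tests, tmp"
    # Analyzer names to skip; forwarded as SAST_EXCLUDED_ANALYZERS and
    # regex-matched by each analyzer job.
    excluded_analyzers:
      default: ""
    # Registry path the analyzer image is pulled from.
    analyzer_image:
      default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
    # Directory depth the analyzer descends when searching for IaC files.
    search_max_depth:
      default: "4"
    # Image tag (major version). Quoted so YAML keeps it a string rather
    # than parsing `6` as an integer.
    image_tag:
      default: "6"
---
# Base job every IaC analyzer job extends. It never runs on its own:
# its `rules` are `when: never` and each child job must override them.
iac-sast:
  stage: $[[ inputs.stage ]]
  artifacts:
    access: 'developer'
    reports:
      sast: gl-sast-report.json
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  rules:
    - when: never
  variables:
    # Surface the component inputs as the analyzer's variables so that
    # `excluded_paths` and `excluded_analyzers` actually take effect
    # (previously only `search_max_depth` was forwarded).
    SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
    SAST_EXCLUDED_ANALYZERS: $[[ inputs.excluded_analyzers ]]
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
  # Findings never fail the pipeline; the report is still uploaded.
  allow_failure: true
  script:
    - /analyzer run

kics-iac-sast:
  extends: iac-sast
  image:
    name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]"
  rules:
    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
      when: never
    # Match against the forwarded variable instead of interpolating the input
    # into the expression: `$[[ inputs.excluded_analyzers ]] =~ /kics/` renders
    # as ` =~ /kics/` with the empty default (and as a bare word otherwise),
    # which is not a valid rules expression.
    - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
      when: never
    # NOTE(review): the remaining conditions of this rule (and any further
    # rules for this job) are outside the visible excerpt.
    - if: $CI_COMMIT_BRANCH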