# Component created based on GitLab's IAC SAST Scanning template
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
#
# Document 1 declares the component inputs; document 2 (after `---`) defines the single
# job `kics-iac-sast`, which runs the KICS analyzer image and publishes a SAST report.

spec:
  inputs:
    # Pipeline stage the scan job is attached to.
    stage:
      default: 'test'
    # NOTE(review): nothing in this file references inputs.excluded_paths, so a value
    # passed here has no effect on the job as written. Confirm whether it was meant to
    # be forwarded to the analyzer (the SAST templates use SAST_EXCLUDED_PATHS for this).
    excluded_paths:
      default: 'spec, test, tests, tmp'
    # Matched against /kics/ in the job rules below; a match removes the job.
    excluded_analyzers:
      default: ''
    # Registry path the analyzer image is pulled from. Together with image_tag and
    # image_suffix this decides which image the job executes, so includes that override
    # these inputs deserve the same review as any other change to pipeline code.
    image_prefix:
      default: '$CI_TEMPLATE_REGISTRY_HOST/security-products'
    # Appended directly after the tag in the image reference.
    image_suffix:
      default: ''
    # Exported to the job as SEARCH_MAX_DEPTH.
    search_max_depth:
      default: 4
    # A tag, not a digest: the job runs whatever the registry currently serves for it.
    image_tag:
      default: 6
---
kics-iac-sast:
  stage: '$[[ inputs.stage ]]'
  image:
    # Resolves to <image_prefix>/kics:<image_tag><image_suffix>.
    name: '$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]'
  variables:
    SEARCH_MAX_DEPTH: '$[[ inputs.search_max_depth ]]'
  script:
    - '/analyzer run'
  rules:
    # Skip the job when the caller lists kics among the excluded analyzers.
    # NOTE(review): with the empty default the interpolated expression has nothing left
    # of `=~`; confirm the rule still evaluates as intended in that case.
    - if: '$[[ inputs.excluded_analyzers ]] =~ /kics/'
      when: never
    # Otherwise run only where CI_COMMIT_BRANCH is set, i.e. branch pipelines. Merge
    # request and tag pipelines do not set it, so they get no scan from this job.
    - if: '$CI_COMMIT_BRANCH'
  # A failing analyzer does not fail the pipeline. A run that produced no report is
  # therefore not evidence of a clean scan; enforce findings elsewhere if they must gate.
  allow_failure: true
  artifacts:
    # Limits artifact download to project members with at least the Developer role.
    access: developer
    reports:
      sast: 'gl-sast-report.json'