# Component created based on GitLab's IAC SAST Scanning template
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
#
# Component inputs. Each `$[[ inputs.<name> ]]` below is replaced with the
# caller-supplied value (or the default) when the component is included.
spec:
  inputs:
    # Pipeline stage the scan job runs in.
    stage:
      default: test
    # Comma-separated paths to exclude from scanning.
    # NOTE(review): declared here but not referenced by the jobs in the portion
    # of this file visible here — confirm it is consumed somewhere, otherwise a
    # caller setting it gets no effect.
    excluded_paths:
      default: "spec, test, tests, tmp"
    # Analyzer names to skip; matched against /kics/ in the kics job's rules below.
    excluded_analyzers:
      default: ""
    # Registry prefix the analyzer image is pulled from. Overriding it changes
    # the source of the scanner image, so treat any override as a trust decision.
    image_prefix:
      default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
    # Appended to the image tag (e.g. a variant suffix); empty by default.
    image_suffix:
      default: ""
    # Passed through to the analyzer as the SEARCH_MAX_DEPTH job variable.
    search_max_depth:
      default: 4
    # Major-version tag of the analyzer image. This is a floating tag, so newer
    # minor/patch analyzer releases are picked up automatically; callers that
    # need reproducible scans should pass a more specific tag.
    image_tag:
      default: 5
---
# Abstract base job; the concrete analyzer jobs `extends` it.
iac-sast:
  stage: $[[ inputs.stage ]]
  artifacts:
    # Only users with at least the Developer role can download the raw report.
    access: 'developer'
    reports:
      sast: gl-sast-report.json
  rules:
    - when: never # `rules` must be overridden explicitly by each child job
                  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  variables:
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
  # A failing scanner does not fail the pipeline; findings are surfaced through
  # the report artifact rather than by blocking the pipeline.
  allow_failure: true
  script:
    - /analyzer run

# KICS analyzer job.
kics-iac-sast:
  extends: iac-sast
  image:
    name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
  rules:
    # Opt-out switch: a pipeline or project variable SAST_DISABLED skips the scan.
    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
      when: never
    # NOTE(review): the input is interpolated directly into the rule expression;
    # with the default "" this reads ` =~ /kics/` — confirm GitLab accepts that,
    # or compare a CI variable carrying the input instead.
    - if: $[[ inputs.excluded_analyzers ]] =~ /kics/
      when: never
    - if: $CI_COMMIT_BRANCH