This project provides components for Static Application Security Testing (SAST) and Infrastructure as Code (IaC) scanning.
[[TOC]]
## Static Application Security Testing (SAST)

### Documentation References

Configuration for SAST can be performed through CI/CD variables or by defining inputs.
More information about GitLab SAST, including the available variables, is provided in the GitLab documentation.
### Usage

You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` keyword:

```yaml
include:
  - component: gitlab.com/components/sast/sast@<VERSION>
```

where `<VERSION>` is the latest released tag or `main`.
If you are converting your configuration to use components and want to keep using the existing `$SAST_DISABLED` variable, you can include the component conditionally with `rules:`:

```yaml
include:
  - component: gitlab.com/components/sast/sast@main
    rules:
      - if: $SAST_DISABLED == "true" || $SAST_DISABLED == "1"
        when: never
      - when: always
```

Otherwise, all SAST jobs will always run when applicable.
This assumes the `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` with either `'true'` or `'1'` as the value.
### Inputs

| Input | Default value | Description |
|---|---|---|
| `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Defines where all Docker images are pulled from |
| `image_tag` | `4` | Tag of the Docker image to use |
| `image_suffix` | `""` | Suffix added to the image. If set to `-fips`, FIPS-enabled images are used for the scan. Only used by the semgrep analyzer |
| `excluded_analyzers` | `""` | Comma-separated list of analyzers that should not run |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma-separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run the `kubesec-sast` job |
| `run_advanced_sast` | `false` | Set it to `true` to enable GitLab Advanced SAST |
| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable PHP support for GLAS |
## Infrastructure as Code (IaC) Scanning

### Documentation References

Configuration for IaC scanning can be performed through CI/CD variables or by defining inputs.
More information about GitLab Infrastructure as Code scanning is provided in the GitLab documentation.

### Usage

You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` keyword:

```yaml
include:
  - component: gitlab.com/components/sast/iac-sast@<VERSION>
```

where `<VERSION>` is the latest released tag or `main`.
### Inputs

| Input | Default value | Description |
|---|---|---|
| `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Defines where all Docker images are pulled from |
| `image_tag` | `6` | Tag of the Docker image to use |
| `image_suffix` | `""` | Suffix added to the image |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma-separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
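As an added example (not code from the component project itself), the following `.gitlab-ci.yml` combines both usage sections above: it includes the SAST and IaC components with explicit inputs from the two tables and keeps the `$SAST_DISABLED` opt-out for the SAST include. The excluded analyzer name, the extra `vendor` path and the reduced search depth are assumed sample choices, not component defaults.

```yaml
# Added example: one pipeline including both components with explicit inputs.
# The analyzer name, extra path and search depth below are sample values.
stages:
  - build
  - test

variables:
  # Set to "true" or "1" (for example from a pipeline schedule) to skip SAST jobs;
  # include:rules below reads this top-level variable at pipeline creation.
  SAST_DISABLED: "false"

include:
  # Pin to a released tag rather than `main` so analyzer behaviour does not
  # change underneath the pipeline without a deliberate bump.
  - component: gitlab.com/components/sast/sast@<VERSION>   # replace with a released tag
    inputs:
      stage: test
      image_suffix: "-fips"            # FIPS-enabled images (semgrep analyzer only)
      excluded_analyzers: "spotbugs"   # sample: skip an analyzer this repo does not need
      excluded_paths: "spec, test, tests, tmp, vendor"   # default list plus vendored code
      run_advanced_sast: true          # boolean input, unquoted as in the table above
    rules:
      - if: $SAST_DISABLED == "true" || $SAST_DISABLED == "1"
        when: never
      - when: always

  - component: gitlab.com/components/sast/iac-sast@<VERSION>
    inputs:
      stage: test
      excluded_paths: "spec, test, tests, tmp, vendor"
      search_max_depth: 2              # sample: IaC files live at most two levels deep
```

Note that the IaC include carries no `rules:`, so IaC scanning still runs when `SAST_DISABLED` is set; add the same `rules:` block there if both scans should share the opt-out.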
## Contribute

Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components