vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 15:38:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
sast/templates/sast.yml
Melissa Beldman 312da6bf5a Update file sast.yml
2025-06-03 16:52:05 +00:00

277 lines
8.2 KiB
YAML
Raw Blame History

spec:
inputs:
stage:
default: test
image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_tag:
default: '6'
image_suffix:
default: ""
excluded_analyzers:
default: ""
excluded_paths:
default: "spec, test, tests, tmp"
search_max_depth:
default: '4'
run_kubesec_sast:
default: 'false'
run_advanced_sast:
default: false
type: boolean
include_experimental:
default: 'false'
enable_mr_pipelines:
default: false
type: boolean
ff_glas_enable_php_support:
default: true
type: boolean
---
.sast-analyzer:
stage: $[[ inputs.stage ]]
allow_failure: true
# these variables are used by the analyzer
# TODO: propagate inputs when breaking down into separate components
# E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
variables:
SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
script:
- /analyzer run
artifacts:
access: 'developer'
reports:
sast: gl-sast-report.json
.deprecated-16.8:
extends: .sast-analyzer
script:
- echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0"
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/425085"
- exit 1
rules:
- when: never
.gitlab-advanced-sast-exist-rules:
exists:
- '**/*.py'
- '**/*.go'
- '**/*.java'
- '**/*.jsp'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.rb'
- '**/*.php'
.semgrep-with-advanced-sast-exist-rules:
exists:
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
.semgrep-exist-rules:
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
.pmd-apex-exist-rules:
exists:
- '**/*.cls'
gitlab-advanced-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
variables:
FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]"
SAST_ANALYZER_IMAGE_TAG: 2
SEARCH_MAX_DEPTH: 20
cache:
key: "scan-metrics-$CI_COMMIT_REF_SLUG"
fallback_keys:
- "scan-metrics-$CI_DEFAULT_BRANCH"
paths:
- "scan_metrics.csv"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
when: never
- if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/
exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
brakeman-sast:
extends: .deprecated-16.8
flawfinder-sast:
extends: .deprecated-16.8
kubesec-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
when: never
- if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
mobsf-android-sast:
extends: .deprecated-16.8
mobsf-ios-sast:
extends: .deprecated-16.8
nodejs-scan-sast:
extends: .deprecated-16.8
phpcs-security-audit-sast:
extends: .deprecated-16.8
pmd-apex-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
when: never
# The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
# when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
# to cover both the *MR pipeline* and the *branch pipeline* workflows.
# 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event"'
exists: !reference [.pmd-apex-exist-rules, exists]
# 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_OPEN_MERGE_REQUESTS'
when: never
# 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
- if: $CI_COMMIT_BRANCH
exists: !reference [.pmd-apex-exist-rules, exists]
security-code-scan-sast:
extends: .sast-analyzer
script:
- echo "This job was deprecated in GitLab 15.9 and removed in GitLab 16.0"
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/390416"
- exit 1
rules:
- when: never
semgrep-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
variables:
SEARCH_MAX_DEPTH: 20
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never
# When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" != "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# Fallback when advanced SAST covers everything
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"'
when: never
# Default case - run for all supported files
- if: $CI_COMMIT_BRANCH
exists: !reference [.semgrep-exist-rules, exists]
sobelow-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/mix.exs'
spotbugs-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/spotbugs:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
when: never
- if: '"$[[ inputs.include_experimental ]]" == "true"'
exists:
- '**/AndroidManifest.xml'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.groovy'
Reference in a new issue View git blame Copy permalink