Static Application Security Testing (SAST) checks your source code for known vulnerabilities.

SAST (Static Application Security Testing)

This project provides components for Static Application Security Testing (SAST) and Infrastructure as Code (IaC) scanning. Either component can be configured through CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html) or through inputs (https://docs.gitlab.com/ci/inputs/) given on the include.

More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).

More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/).

Usage

You should add this component to an existing .gitlab-ci.yml file by using the include: keyword.

include:
  - component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
  - component: gitlab.com/components/sast/iac-sast@<VERSION> # To include IaC Scanning

where <VERSION> is the latest released tag or main. Prefer a released tag: pinning the version keeps the scanning configuration stable instead of following whatever is currently on main.

If you are converting an existing configuration to components and want to keep honouring the existing $SAST_DISABLED variable, you can include the component conditionally by attaching rules to the include:

include:
  - component: gitlab.com/components/sast/sast@main
    rules:
      - if: $SAST_DISABLED == "true" || $SAST_DISABLED == "1"
        when: never
      - when: always

Without such rules, all SAST jobs run whenever they are applicable.

This assumes the SAST_DISABLED variable is already defined in .gitlab-ci.yml, with either 'true' or '1' as the value when scanning should be skipped.

Inputs

| Input | Default value | Description | SAST | IaC |
|---|---|---|---|---|
| stage | test | The stage where you want the job to be added | Yes | Yes |
| image_prefix | $CI_TEMPLATE_REGISTRY_HOST/security-products | Defines where all Docker images are pulled from | Yes | Yes |
| image_tag | 4 | Tag of the Docker image to use | Yes | Yes |
| image_suffix | "" | Suffix added to the image name. If set to -fips, FIPS-enabled images are used for the scan. Only used by the semgrep analyzer | Yes | Yes, but there is no FIPS support for IaC |
| excluded_analyzers | "" | Comma-separated list of analyzers that should not run | Yes | No |
| excluded_paths | "spec, test, tests, tmp" | Comma-separated list of paths to exclude | Yes | Yes |
| search_max_depth | 4 | Defines how many directory levels the search for programming languages should span | Yes | Yes |
| run_kubesec_sast | "false" | Set it to "true" to run the kubesec-sast job | Yes | No |
| run_advanced_sast | false | Set it to true to enable GitLab Advanced SAST | Yes | No |
| include_experimental | "false" | Set it to "true" to enable experimental analyzers | Yes | No |
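As an added example (editor-supplied, not part of this project's own README), here is a complete .gitlab-ci.yml that combines the include from the Usage section with the inputs listed above. SAST is pinned to a released tag, switched to FIPS images and Advanced SAST, and told to skip vendored code; IaC scanning shares the exclusion list but keeps the default image, since the table states there is no FIPS support for IaC. `<VERSION>` is the same placeholder the README uses, the `vendor` path and the `build-job` are illustrative assumptions, and the `stages:` list is included only to make the point that the `stage` input must name a stage that exists in the pipeline.

```yaml
# Added example: one .gitlab-ci.yml using both components with inputs.
# <VERSION> is a placeholder for a released tag of this project; pin to a tag
# rather than main so the scanning configuration does not change underneath you.
stages:
  - build
  - test        # the `stage` input below must match an existing stage (default: test)

include:
  # Source-code SAST: FIPS images and Advanced SAST, ignoring vendored code.
  - component: gitlab.com/components/sast/sast@<VERSION>
    inputs:
      stage: test
      image_suffix: "-fips"            # FIPS-enabled images; only the semgrep analyzer uses this
      run_advanced_sast: true          # enable GitLab Advanced SAST
      excluded_paths: "spec, test, tests, tmp, vendor"   # default list plus an assumed 'vendor' dir
      search_max_depth: 4              # explicit default, shown for completeness

  # IaC scanning: same exclusions, default images. image_suffix is deliberately
  # not set here because the IaC component has no FIPS variant.
  - component: gitlab.com/components/sast/iac-sast@<VERSION>
    inputs:
      stage: test
      excluded_paths: "spec, test, tests, tmp, vendor"

# Placeholder job so the pipeline has something in the build stage (assumed, not from the project).
build-job:
  stage: build
  script:
    - echo "build step goes here"
```

Inputs are resolved when the configuration is loaded, so the values above are fixed for the pipeline; anything you want to vary per project or per run (for example a different exclusion list on a protected branch) is better expressed with the CI/CD variables documented in the GitLab SAST docs linked above, which the components still honour.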

Contribute

Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components