vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-07-03 00:38:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
sast/template.yml
Fabio Pitino 8956444fcb Replace excluded analyzers var with input
2023-05-03 10:42:29 +01:00

244 lines
6.1 KiB
YAML
Raw Blame History

spec:
inputs:
stage:
default: test
image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_suffix:
default: ""
excluded_analyzers:
default: ""
---
.sast-analyzer:
stage: $[[ inputs.stage ]]
allow_failure: true
# `rules` must be overridden explicitly by each child job
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
variables:
SEARCH_MAX_DEPTH: 4
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SCAN_KUBERNETES_MANIFESTS: "false"
script:
- /analyzer run
artifacts:
reports:
sast: gl-sast-report.json
brakeman-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/brakeman:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[ inputs.excluded_analyzers ]" =~ /brakeman/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.rb'
- '**/Gemfile'
flawfinder-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[ inputs.excluded_analyzes ]" =~ /flawfinder/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
kubesec-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/kubesec:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
when: never
- if: $CI_COMMIT_BRANCH &&
$SCAN_KUBERNETES_MANIFESTS == 'true'
.mobsf-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/mobsf:$SAST_ANALYZER_IMAGE_TAG"
mobsf-android-sast:
extends: .mobsf-sast
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
- '**/*.apk'
- '**/AndroidManifest.xml'
mobsf-ios-sast:
extends: .mobsf-sast
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
- '**/*.ipa'
- '**/*.xcodeproj/*'
nodejs-scan-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/package.json'
phpcs-security-audit-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.php'
pmd-apex-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.cls'
security-code-scan-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: '3'
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /security-code-scan/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.csproj'
- '**/*.vbproj'
semgrep-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SEARCH_MAX_DEPTH: 20
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/semgrep:$SAST_ANALYZER_IMAGE_TAG$[[ inputs.image_suffix ]]"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.html'
- '**/*.scala'
- '**/*.sc'
sobelow-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/sobelow:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
when: never
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/mix.exs'
spotbugs-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: 3
SAST_ANALYZER_IMAGE: "$[[ inputs.image_prefix ]]/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
when: never
- if: $SAST_EXPERIMENTAL_FEATURES == 'true'
exists:
- '**/AndroidManifest.xml'
when: never
- if: $SAST_DISABLED
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.groovy'
- '**/*.scala'
- '**/*.kt'
Reference in a new issue View git blame Copy permalink