vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 15:38:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
sast/templates/sast.yml
Adam Cohen 71a6fafabb
Run GLAS by default
2025-03-03 21:19:01 +11:00

222 lines
6.3 KiB
YAML
Raw Blame History

spec:
inputs:
stage:
default: test
image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_tag:
default: '5'
image_suffix:
default: ""
excluded_analyzers:
default: ""
excluded_paths:
default: "spec, test, tests, tmp"
search_max_depth:
default: '4'
run_kubesec_sast:
default: 'false'
run_advanced_sast:
default: true
type: boolean
include_experimental:
default: 'false'
---
.sast-analyzer:
stage: $[[ inputs.stage ]]
allow_failure: true
# these variables are used by the analyzer
# TODO: propagate inputs when breaking down into separate components
# E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
variables:
SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
script:
- /analyzer run
artifacts:
access: 'developer'
reports:
sast: gl-sast-report.json
.deprecated-16.8:
extends: .sast-analyzer
script:
- echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0"
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/425085"
- exit 1
rules:
- when: never
gitlab-advanced-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
variables:
SAST_ANALYZER_IMAGE_TAG: 1
SEARCH_MAX_DEPTH: 20
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
when: never
- if: '"$[[ inputs.run_advanced_sast ]]" == "false"'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/
exists:
# extensions that are only supported by gitlab-advanced-sast
- '**/*.jsp'
# extensions that are supported by both gitlab-advanced-sast and semgrep-sast
- '**/*.cjs'
- '**/*.cs'
- '**/*.go'
- '**/*.py'
- '**/*.java'
- '**/*.js'
- '**/*.jsx'
- '**/*.mjs'
- '**/*.rb'
- '**/*.ts'
- '**/*.tsx'
semgrep-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
variables:
SEARCH_MAX_DEPTH: 20
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never
# In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" != "false"'
variables:
# don't scan any extensions that are supported by both gitlab-advanced-sast and semgrep-sast, since we assume
# that gitlab-advanced-sast has already scanned these file extensions
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.cjs, **/*.cs, **/*.go, **/*.py, **/*.java, **/*.js, **/*.jsx, **/*.mjs, **/*.rb, **/*.ts, **/*.tsx"
exists:
# extensions that are only supported by semgrep-sast
- '**/*.c'
- '**/*.c++'
- '**/*.cc'
- '**/*.cp'
- '**/*.cpp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.kt'
- '**/*.m'
- '**/*.php'
- '**/*.sc'
- '**/*.scala'
- '**/*.swift'
## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" != "false"'
when: never
- if: $CI_COMMIT_BRANCH
exists:
# extensions that are supported by both gitlab-advanced-sast and semgrep-sast
- '**/*.cjs'
- '**/*.cs'
- '**/*.go'
- '**/*.py'
- '**/*.java'
- '**/*.js'
- '**/*.jsx'
- '**/*.mjs'
- '**/*.rb'
- '**/*.ts'
- '**/*.tsx'
# extensions that are only supported by semgrep-sast
- '**/*.c'
- '**/*.c++'
- '**/*.cc'
- '**/*.cp'
- '**/*.cpp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.kt'
- '**/*.m'
- '**/*.php'
- '**/*.sc'
- '**/*.scala'
- '**/*.swift'
brakeman-sast:
extends: .deprecated-16.8
flawfinder-sast:
extends: .deprecated-16.8
kubesec-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
when: never
- if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
mobsf-android-sast:
extends: .deprecated-16.8
mobsf-ios-sast:
extends: .deprecated-16.8
nodejs-scan-sast:
extends: .deprecated-16.8
phpcs-security-audit-sast:
extends: .deprecated-16.8
pmd-apex-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.cls'
security-code-scan-sast:
extends: .sast-analyzer
script:
- echo "This job was deprecated in GitLab 15.9 and removed in GitLab 16.0"
- echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/390416"
- exit 1
rules:
- when: never
sobelow-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/mix.exs'
spotbugs-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/spotbugs:$[[ inputs.image_tag ]]"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
when: never
- if: '"$[[ inputs.include_experimental ]]" == "true"'
exists:
- '**/AndroidManifest.xml'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.groovy'
Reference in a new issue View git blame Copy permalink