sast/README.md
2023-05-03 11:36:07 +01:00

49 lines
1.7 KiB
Markdown

## SAST (Static Application Security Testing)
Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/
Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables
## Usage
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword.
```yaml
include:
- component: gitlab.com/gitlab-components/sast@<VERSION>
```
where `<VERSION>` is the latest released tag or `main`.
### Inputs
| Input | Default value | Description |
| ----- | ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_tag` | `3` | Tag of the Docker image to use |
| `image_suffix` | `""` | Used by `semgrep-sast` job only |
| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
### Variables
| Variable | Default value | Description |
| -------- | ------------- | ----------- |
| `SAST_DISABLED` | not set | Set to `true` to avoid running any SAST jobs |
### ToDos
- Move the use of `SAST_DISABLED` to the `include:`
```yaml
include:
- component: gitlab.com/gitlab-components/sast@main
inputs: { ... }
rules:
- if: $SAST_DISABLED != "true"
```