mirror of
https://gitlab.com/components/sast.git
synced 2025-06-30 15:38:29 +02:00
47 lines
1.3 KiB
YAML
47 lines
1.3 KiB
YAML
# Component created based on GitLab's IAC SAST Scanning template
|
|
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
|
|
|
|
spec:
|
|
inputs:
|
|
stage:
|
|
default: test
|
|
excluded_paths:
|
|
default: "spec, test, tests, tmp"
|
|
excluded_analyzers:
|
|
default: ""
|
|
image_prefix:
|
|
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
|
|
image_suffix:
|
|
default: ""
|
|
search_max_depth:
|
|
default: 4
|
|
image_tag:
|
|
default: 5
|
|
|
|
---
|
|
iac-sast:
|
|
stage: $[[ inputs.stage ]]
|
|
artifacts:
|
|
access: 'developer'
|
|
reports:
|
|
sast: gl-sast-report.json
|
|
rules:
|
|
- when: never
|
|
# `rules` must be overridden explicitly by each child job
|
|
# see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
|
|
variables:
|
|
SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
|
|
allow_failure: true
|
|
script:
|
|
- /analyzer run
|
|
|
|
kics-iac-sast:
|
|
extends: iac-sast
|
|
image:
|
|
name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
|
|
rules:
|
|
- if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
|
|
when: never
|
|
- if: $[[ inputs.excluded_analyzers ]] =~ /kics/
|
|
when: never
|
|
- if: $CI_COMMIT_BRANCH
|