vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 07:28:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
sast/README.md
Rob Jackson fc17b60e0e fixing checkboxes in table
2025-05-26 12:50:52 -04:00

3.6 KiB
Raw Blame History

SAST (Static Application Security Testing)

This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/).

More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).

More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/).

Usage

You should add this component to an existing .gitlab-ci.yml file by using the include: keyword.

include:
  - component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
  - component: gitlab.com/components/sast/iac-sast@<VERSION> # To include IaC Scanning

where <VERSION> is the latest released tag or main.

If you are converting the configuration to use components and want to leverage the existing variable $SAST_DISABLED you could conditionally include the component using the variable:

include:
  - component: gitlab.com/components/sast/sast@main
    rules:
      - if: $SAST_DISABLED == "true" || $SAST_DISABLED == "1"
        when: never
      - when: always

Otherwise all SAST jobs will always run when applicable.

This assumes SAST_DISABLED variable is already defined in .gitlab-ci.yml with either 'true' or '1' as the value.

Inputs

Input Default value Description SAST IaC
stage test The stage where you want the job to be added ✔️ Yes ✔️ Yes
image_prefix $CI_TEMPLATE_REGISTRY_HOST/security-products Define where all Docker image are pulled from ✔️ Yes ✔️ Yes
image_tag 4 Tag of the Docker image to use ✔️ Yes ✔️ Yes
image_suffix "" Suffix added to image. If set to -fips, FIPS-enabled images are used for scan. Only used by semgrep analyzer ✔️ Yes ✔️ Yes, no FIPS support for IaC
excluded_analyzers "" Comma separated list of analyzers that should not run ✔️ Yes No
excluded_paths "spec, test, tests, tmp" Comma separated list of paths to exclude ✔️ Yes ✔️ Yes
search_max_depth 4 Defines how many directory levels the search for programming languages should span ✔️ Yes ✔️ Yes
run_kubesec_sast "false" Set it to "true" to run kubesec-sast job ✔️ Yes No
run_advanced_sast false Set it to true to enable GitLab Advanced SAST ✔️ Yes No
include_experimental "false" Set it to "true" to enable experimental analyzers ✔️ Yes No

Contribute

Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components