author | Justin Tobler <jtobler@gitlab.com> | 2022-10-10 23:28:38 +0300 |
committer | Justin Tobler <jtobler@gitlab.com> | 2022-10-10 23:28:38 +0300 |
commit | 798d444e513abe0092234a2295fc00b06c432862 (patch) | |
tree | 43cad8be0d727ea36a5b5d2a27884b2c4bf1367a | |
parent | 988417a6808a9096745326ac1530f5c621b7fce1 (diff) | |
parent | 6836fc090ab8f0f8987ccc8547510320262b4d51 (diff) |
Merge branch 'wc/update-sast-ci' into 'master'
Update SAST to use Semgrep instead of Gosec
See merge request https://gitlab.com/gitlab-org/gitaly/-/merge_requests/4913
Merged-by: Justin Tobler <jtobler@gitlab.com>
Approved-by: Philippe Lafoucrière <plafoucriere@gitlab.com>
Approved-by: Justin Tobler <jtobler@gitlab.com>
Co-authored-by: Will Chandler <wchandler@gitlab.com>
-rw-r--r-- | .gitlab-ci.yml | 16 |
1 files changed, 1 insertions, 15 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 30485d951..078861eb9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -11,8 +11,6 @@ default:
 variables:
 FF_USE_FASTZIP: "true"
 FF_NETWORK_PER_BUILD: "true"
- SAST_DISABLE_DIND: "true"
- SAST_DEFAULT_ANALYZERS: "gosec"
 DEBIAN_VERSION: "bullseye"
 UBI_VERSION: "8.6"
 # We use Gitaly's Git version by default.
@@ -331,22 +329,10 @@ dbschema:
 - _support/praefect-schema.sql
 when: on_failure
-gosec-sast:
+semgrep-sast:
 needs: []
 cache:
 - *cache_go_configuration
- variables:
- GOPATH: "/go"
- before_script:
- # Our pipeline places GOPATH to $CI_PROJECT_DIR/.go so it can be cached.
- # This causes gosec-sast to find the module cache and scan all the sources of
- # the dependencies as well. This makes the scan time grow massively. This is
- # avoided by this job moving the GOPATH outside of the project directory along
- # with the cached modules if they were successfully extracted.
- #
- # SAST_EXCLUDED_PATHS is not sufficient as it only filters out the results but
- # still performs the expensive scan.
- - if [ -d .go ]; then mv .go $GOPATH; fi
 rules:
 - if: $SAST_DISABLED
 when: never |