author | Marcel Amirault <mamirault@gitlab.com> | 2023-03-08 09:59:59 +0300 |
committer | Sarah German <sgerman@gitlab.com> | 2023-03-09 20:59:50 +0300 |
commit | 2281285f5906858a787a64a8112db3c04bd85888 (patch) | |
tree | e600b710cffb201f986858ed762fb1868502d8f3 | |
parent | ace4d070b4a83a7aabd58c65f98e63c989bd0850 (diff) |
Update rules for templates
-rw-r--r-- | .gitlab/ci/security.gitlab-ci.yml | 33 | ||||
-rw-r--r-- | .gitlab/ci/test.gitlab-ci.yml | 9 |
2 files changed, 35 insertions, 7 deletions
diff --git a/.gitlab/ci/security.gitlab-ci.yml b/.gitlab/ci/security.gitlab-ci.yml
index 53b1f94e..d58d030a 100644
--- a/.gitlab/ci/security.gitlab-ci.yml
+++ b/.gitlab/ci/security.gitlab-ci.yml
@@ -21,13 +21,25 @@ artifacts:
 expire_in: 1 month
+.security-rules:
+ rules:
+ - if: '$DOCS_PROJECT_PIPELINE_TYPE == "Hourly site deployment pipeline"'
+ - if: '$DOCS_PROJECT_PIPELINE_TYPE =~ /^MR pipeline.*/'
+ - if: '$DOCS_PROJECT_PIPELINE_TYPE == "Default branch pipeline"'
+ - if: '$DOCS_PROJECT_PIPELINE_TYPE == "Stable branch pipeline"'
+
 #
 # Dependency scanning job overrides
 #
 gemnasium-dependency_scanning:
 extends:
 - .ds-analyzer
+ - .cyclonedx-reports
 - .security-scanning-overrides
+ rules:
+ - if: $DEPENDENCY_SCANNING_DISABLED || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
+ when: never
+ - !reference [".security-rules", "rules"]
 #
 # SAST job overrides
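Review bot: The new `gemnasium-dependency_scanning` disable rule tests `$DEPENDENCY_SCANNING_DISABLED` for bare truthiness, while the SAST and secret-detection rules added in the next hunk require `== 'true' || == '1'`; in GitLab `rules:if` a variable set to any non-empty value such as `"false"` is truthy, so a project that sets `DEPENDENCY_SCANNING_DISABLED: "false"` to keep scanning on would silently switch the scanner off. Make it `- if: $DEPENDENCY_SCANNING_DISABLED == 'true' || $DEPENDENCY_SCANNING_DISABLED == '1' || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/` so all four security jobs honour the same contract. A one-line comment on the new `.security-rules` hidden job would also help, e.g. `# Pipeline types in which every security scanner runs; jobs prepend their own disable/exclude rule before referencing this list.`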
@@ -36,30 +48,37 @@ brakeman-sast:
 extends:
 - .sast-analyzer
 - .security-scanning-overrides
+ rules:
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' || $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
+ when: never
+ - !reference [".security-rules", "rules"]
 nodejs-scan-sast:
 extends:
 - .sast-analyzer
 - .security-scanning-overrides
+ rules:
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' || $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
+ when: never
+ - !reference [".security-rules", "rules"]
 semgrep-sast:
 extends:
 - .sast-analyzer
 - .security-scanning-overrides
+ rules:
+ - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' || $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
+ when: never
+ - !reference [".security-rules", "rules"]
 #
 # Secret detection job overrides
-# As per https://docs.gitlab.com/ee/user/application_security/#use-security-scanning-tools-with-merge-request-pipelines,
-# overrides the rules to make it work in MR pipelines too.
 #
 secret_detection:
 extends:
 - .secret-analyzer
 - .security-scanning-overrides
 rules:
- - if: $SECRET_DETECTION_DISABLED
+ - if: $SECRET_DETECTION_DISABLED == 'true' || $SECRET_DETECTION_DISABLED == '1'
 when: never
- - if: '$DOCS_PROJECT_PIPELINE_TYPE == "Default branch pipeline"'
- - if: '$DOCS_PROJECT_PIPELINE_TYPE =~ /^MR pipeline.*/'
- script:
- - /analyzer run
+ - !reference [".security-rules", "rules"]
diff --git a/.gitlab/ci/test.gitlab-ci.yml b/.gitlab/ci/test.gitlab-ci.yml
index 3749162b..afbc2dde 100644
--- a/.gitlab/ci/test.gitlab-ci.yml
+++ b/.gitlab/ci/test.gitlab-ci.yml
@@ -229,3 +229,12 @@ lint_dockerfiles:
 script:
 - apk add make
 - make hadolint-tests
+
+#
+# Untamper job overrides
+#
+untamper-my-lockfile:
+ rules:
+ - if: '$DOCS_PROJECT_PIPELINE_TYPE =~ /^MR pipeline.*/'
+ changes:
+ - yarn.lock
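Review bot: The `rules:` blocks added to `brakeman-sast`, `nodejs-scan-sast` and `semgrep-sast` replace, rather than extend, the rules inherited through `extends: .sast-analyzer`, because GitLab merges mappings but overrides arrays; any condition the upstream SAST template applies through its own `rules` (beyond the `SAST_DISABLED`/`SAST_EXCLUDED_ANALYZERS` checks reproduced here) no longer takes effect, and future upstream changes to those gates will not flow through. That is presumably intended, but it is the kind of thing the removed comment on `secret_detection` used to explain, so add a comment above the SAST jobs such as `# rules: here fully replaces the template's rules; keep the disable/exclude checks in step with the upstream SAST template.` The three copies of the SAST disable condition differ only in the analyzer regex, which is why they cannot simply share one `!reference`; keeping the comparison form identical across them (as the hunk does) is the right call.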
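Review bot: The `changes:` filter on the new `untamper-my-lockfile` rule means the integrity check runs only when `yarn.lock` itself is part of the merge request; a change that edits `package.json` without touching the lockfile would not trigger it. If the job is meant to guard dependency changes generally (I cannot see the job's script from this hunk), consider `- package.json` alongside `- yarn.lock` in the `changes:` list; if it is deliberately scoped to lockfile edits, a one-line comment saying so, e.g. `# Only runs when the lockfile itself changes in an MR`, would stop the next reader from asking the same question.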