author | dappelt <dappelt@gitlab.com> | 2019-08-06 18:28:02 +0300 |
---|---|---|
committer | dappelt <dappelt@gitlab.com> | 2019-08-16 16:41:23 +0300 |
commit | a64ceb6da9b5f476ee774a5939f5b41a16d42b5d (patch) | |
tree | ed030942f6b2a4316e943cd2c19468f32ca4b62c | |
parent | c0371fa2102ae0a5d20abe28e8287464c4df7b58 (diff) |
squash me
-rw-r--r-- | .gitlab/ci/dast.gitlab-ci.yml | 70 |
1 files changed, 48 insertions, 22 deletions
diff --git a/.gitlab/ci/dast.gitlab-ci.yml b/.gitlab/ci/dast.gitlab-ci.yml
index 232ab86db4d..a146b3a9b36 100644
--- a/.gitlab/ci/dast.gitlab-ci.yml
+++ b/.gitlab/ci/dast.gitlab-ci.yml
@@ -1,31 +1,57 @@
-dast:
+# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html
+#
+# Configure the scanning tool through the environment variables.
+# List of the variables: https://gitlab.com/gitlab-org/security-products/dependency-scanning#settings
+# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
+
+dependency_scanning:
 stage: dast
- image:
- name: "registry.gitlab.com/gitlab-org/security-products/dast:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
+ image: docker:stable
 variables:
- # URL to scan:
- # DAST_WEBSITE: https://example.com/
- #
- # Time limit for target availability (scan is attempted even when timeout):
- # DAST_TARGET_AVAILABILITY_TIMEOUT: 60
- #
- # Set these variables to scan with an authenticated user:
- # DAST_AUTH_URL: https://example.com/sign-in
- # DAST_USERNAME: john.doe@example.com
- # DAST_PASSWORD: john-doe-password
- # DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
- # DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
- # DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional: URLs to skip during the authenticated scan; comma-separated, no spaces in between
- #
- # Perform ZAP Full Scan, which includes both passive and active scanning:
- # DAST_FULL_SCAN_ENABLED: "true"
+ DOCKER_DRIVER: overlay2
+ DOCKER_TLS_CERTDIR: ""
 allow_failure: true
+ services:
+ - docker:stable-dind
 script:
- - export DAST_WEBSITE=${DAST_WEBSITE:-$(cat review_app_url.txt)}
- - /analyze -t $DAST_WEBSITE
+ - export DAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
+ - |
+ if ! docker info &>/dev/null; then
+ if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
+ export DOCKER_HOST='tcp://localhost:2375'
+ fi
+ fi
+ - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
+ function propagate_env_vars() {
+ CURRENT_ENV=$(printenv)
+
+ for VAR_NAME; do
+ echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
+ done
+ }
+ - |
+ docker run \
+ $(propagate_env_vars \
+ DS_ANALYZER_IMAGES \
+ DS_ANALYZER_IMAGE_PREFIX \
+ DS_ANALYZER_IMAGE_TAG \
+ DS_DEFAULT_ANALYZERS \
+ DS_EXCLUDED_PATHS \
+ DEP_SCAN_DISABLE_REMOTE_CHECKS \
+ DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
+ DS_PULL_ANALYZER_IMAGE_TIMEOUT \
+ DS_RUN_ANALYZER_TIMEOUT \
+ DS_PYTHON_VERSION \
+ DS_PIP_DEPENDENCY_PATH \
+ PIP_INDEX_URL \
+ PIP_EXTRA_INDEX_URL \
+ ) \
+ --volume /var/run/docker.sock:/var/run/docker.sock \
+ "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION" /analyze
 artifacts:
 reports:
- dast: gl-dast-report.json
+ dependency_scanning: gl-dependency-scanning-report.json
+ dependencies: []
 only:
 refs:
 - branches |
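Review bot: The job is renamed to `dependency_scanning`, propagates only `DS_*`/`PIP_*` variables and declares `reports: dependency_scanning: gl-dependency-scanning-report.json`, yet the `docker run` at the end of the script still launches `registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION`, the DAST image whose `/analyze` the removed lines show being invoked with `-t $DAST_WEBSITE`; started without a target it will not write the dependency-scanning report, and `allow_failure: true` will mask that, so the job goes green while producing no findings. The version variable and image reference should point at the dependency-scanning analyzer (presumably the image from the `security-products/dependency-scanning` project the header comment links to), e.g. `export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}` and `"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_VERSION" /analyze`, and `stage: dast` likewise looks inherited from the old job. Separately, `DOCKER_TLS_CERTDIR: ""` together with the `tcp://localhost:2375` fallback makes the client talk to the dind daemon in plaintext with no client authentication; if that is deliberate for this runner setup, a comment such as `# TLS to dind intentionally disabled: the daemon is reachable only inside the job's network namespace` would keep it from being read as an oversight.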