author | Lucas Charles <me@lucascharles.me> | 2019-06-17 18:17:22 +0300 |
---|---|---|
committer | Lucas Charles <me@lucascharles.me> | 2019-06-17 18:49:57 +0300 |
commit | 6e69626bf43a8e67cf60165007cb3d9f9f2177ec (patch) | |
tree | 37efe876ac30c23dc27b71bfe8bb9fc7233c1b1c | |
parent | cfcdfdd2de6009e7ce55e6a415825a0eca75f0c9 (diff) |
Use SAST template within GitLab CI
-rw-r--r-- | .gitlab/ci/reports.gitlab-ci.yml | 45 |
1 files changed, 4 insertions, 41 deletions
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index d0e09dbf2f8..e0fcc1ed09f 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -1,5 +1,6 @@
 include:
 - template: Code-Quality.gitlab-ci.yml
+ - template: Security/SAST.gitlab-ci.yml
 code_quality:
 extends: .dedicated-no-docs-no-db-pull-cache-job
@@ -13,48 +14,10 @@ code_quality:
 SETUP_DB: "false"
 sast:
- extends: .dedicated-no-docs-no-db-pull-cache-job
- image: docker:stable
- variables:
- SAST_CONFIDENCE_LEVEL: 2
- DOCKER_DRIVER: overlay2
- allow_failure: true
- tags: []
 before_script: []
- cache: {}
- dependencies: []
- services: - docker:stable-dind
- script: - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
- function propagate_env_vars() {
- CURRENT_ENV=$(printenv)
- - for VAR_NAME; do
- echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
- done
- }
- - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/') - |
- docker run \
- $(propagate_env_vars \
- SAST_ANALYZER_IMAGES \
- SAST_ANALYZER_IMAGE_PREFIX \
- SAST_ANALYZER_IMAGE_TAG \
- SAST_DEFAULT_ANALYZERS \
- SAST_BRAKEMAN_LEVEL \
- SAST_GOSEC_LEVEL \
- SAST_FLAWFINDER_LEVEL \
- SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
- SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
- SAST_RUN_ANALYZER_TIMEOUT \
- ) \
- --volume "$PWD:/code" \
- --volume /var/run/docker.sock:/var/run/docker.sock \
- "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
- artifacts:
- reports:
- sast: gl-sast-report.json
+ variables:
+ # Replaces .dedicated-no-docs-no-db-pull-cache-job
+ SETUP_DB: "false"
 dependency_scanning:
 extends: .dedicated-no-docs-no-db-pull-cache-job |
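Review bot: The comment `# Replaces .dedicated-no-docs-no-db-pull-cache-job` on the new `sast` job in the second hunk does not say which of the removed settings the template is expected to supply and which are dropped on purpose; the old job explicitly set `allow_failure: true`, `SAST_CONFIDENCE_LEVEL: 2` and `artifacts: reports: sast: gl-sast-report.json`, and none of them is restated here. Whether `Security/SAST.gitlab-ci.yml` provides equivalents depends on the template version the GitLab instance serves, which the old job pinned through `SP_VERSION` derived from `CI_SERVER_VERSION` and the new job no longer controls. I would expand the comment to `# Replaces .dedicated-no-docs-no-db-pull-cache-job; image, allow_failure, confidence level and the sast report artifact are now expected from the included template` so a reviewer can check the template's defaults against what this commit removed. If the confidence-level filter was dropped deliberately, saying so in the same comment would keep someone from re-adding it later.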