diff options
Diffstat (limited to '.gitlab/ci/reports.gitlab-ci.yml')
-rw-r--r-- | .gitlab/ci/reports.gitlab-ci.yml | 146 |
1 files changed, 42 insertions, 104 deletions
diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml index 4d54380cefe..0162996e3a9 100644 --- a/.gitlab/ci/reports.gitlab-ci.yml +++ b/.gitlab/ci/reports.gitlab-ci.yml @@ -1,120 +1,71 @@ -# include: -# - template: Jobs/Code-Quality.gitlab-ci.yml -# - template: Security/SAST.gitlab-ci.yml -# - template: Security/Dependency-Scanning.gitlab-ci.yml -# - template: Security/DAST.gitlab-ci.yml +include: + - template: Jobs/Code-Quality.gitlab-ci.yml + - template: Security/SAST.gitlab-ci.yml + - template: Security/Secret-Detection.gitlab-ci.yml + - template: Security/Dependency-Scanning.gitlab-ci.yml + - template: Security/License-Scanning.gitlab-ci.yml -# We need to duplicate this job's definition because the rules -# defined in the extended jobs rely on local YAML anchors -# (`*if-default-refs`) code_quality: extends: - .default-retry - - .reports:rules:code_quality - .use-docker-in-docker - stage: test - needs: [] - variables: - CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/ci-cd/codequality:0.85.23" - script: - - | - if ! docker info &>/dev/null; then - if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then - export DOCKER_HOST='tcp://localhost:2375' - fi - fi - - docker pull --quiet "$CODE_QUALITY_IMAGE" - - docker run - --env SOURCE_CODE="$PWD" - --volume "$PWD":/code - --volume /var/run/docker.sock:/var/run/docker.sock - "$CODE_QUALITY_IMAGE" /code artifacts: - reports: - codequality: gl-code-quality-report.json paths: - gl-code-quality-report.json # GitLab-specific - expire_in: 1 week # GitLab-specific + rules: !reference [".reports:rules:code_quality", rules] -# We need to duplicate this job's definition because the rules -# defined in the extended jobs rely on local YAML anchors -# (`*if-default-refs`) -.sast: +.sast-analyzer: + # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template. extends: - .default-retry - - .reports:rules:sast - stage: test - # `needs: []` starts the job immediately in the pipeline - # https://docs.gitlab.com/ee/ci/yaml/README.html#needs + - sast needs: [] artifacts: paths: - gl-sast-report.json # GitLab-specific - reports: - sast: gl-sast-report.json expire_in: 1 week # GitLab-specific variables: - DOCKER_TLS_CERTDIR: "" - SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers" - SAST_ANALYZER_IMAGE_TAG: 2 SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific - SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec,config/gitlab.yml.example # GitLab-specific + SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp" # GitLab-specific SAST_DISABLE_BABEL: "true" - script: - - /analyzer run brakeman-sast: - extends: .sast - image: - name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG" + rules: !reference [".reports:rules:sast", rules] eslint-sast: - extends: .sast - image: - name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG" + rules: !reference [".reports:rules:sast", rules] nodejs-scan-sast: - extends: .sast - image: - name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG" + rules: !reference [".reports:rules:sast", rules] -secrets-sast: - extends: .sast - image: - name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:3" +semgrep-sast: + rules: !reference [".reports:rules:sast", rules] + +.secret-analyzer: + extends: .default-retry + needs: [] artifacts: paths: - gl-secret-detection-report.json # GitLab-specific - reports: - sast: gl-secret-detection-report.json expire_in: 1 week # GitLab-specific -# We need to duplicate this job's definition because the rules -# defined in the extended jobs rely on local YAML anchors -# (`*if-default-refs`) -.dependency_scanning: +secret_detection: + rules: !reference [".reports:rules:secret_detection", rules] + +.ds-analyzer: + # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template. extends: - .default-retry - - .reports:rules:dependency_scanning - stage: test + - dependency_scanning needs: [] variables: - DS_MAJOR_VERSION: 2 - DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec" # GitLab-specific - SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers" + DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific artifacts: paths: - gl-dependency-scanning-report.json # GitLab-specific - reports: - dependency_scanning: gl-dependency-scanning-report.json expire_in: 1 week # GitLab-specific - script: - - /analyzer run -dependency_scanning gemnasium: - extends: .dependency_scanning - image: - name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION" +gemnasium-dependency_scanning: before_script: # git-lfs is needed for auto-remediation - apk add git-lfs @@ -123,56 +74,43 @@ dependency_scanning gemnasium: - apk add jq # Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390 - jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json + rules: !reference [".reports:rules:dependency_scanning", rules] -dependency_scanning bundler-audit: - extends: .dependency_scanning - image: - name: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION" +bundler-audit-dependency_scanning: + rules: !reference [".reports:rules:dependency_scanning", rules] -dependency_scanning retire-js: - extends: .dependency_scanning - image: - name: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION" +retire-js-dependency_scanning: + rules: !reference [".reports:rules:dependency_scanning", rules] -dependency_scanning gemnasium-python: - extends: .dependency_scanning - image: - name: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION" +gemnasium-python-dependency_scanning: + rules: !reference [".reports:rules:dependency_scanning", rules] # Analyze dependencies for malicious behavior # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter package_hunter: extends: - - .reports:schedule-dast + - .default-retry + - .reports:rules:package_hunter stage: test image: name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:latest entrypoint: [""] needs: [] + allow_failure: true script: - rm -r spec locale .git app/assets/images doc/ - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/ - DEBUG=* HTR_user=$PACKAGE_HUNTER_USER HTR_pass=$PACKAGE_HUNTER_PASS node /usr/src/app/cli.js analyze --format gitlab gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json artifacts: paths: - - gl-dependency-scanning-report.json # GitLab-specific + - gl-dependency-scanning-report.json reports: dependency_scanning: gl-dependency-scanning-report.json - expire_in: 1 week # GitLab-specific + expire_in: 1 week license_scanning: - extends: - - .default-retry - - .reports:rules:license_scanning - stage: test - image: - name: "registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3" - entrypoint: [""] + extends: .default-retry needs: [] - script: - - /run.sh analyze . artifacts: - reports: - license_scanning: gl-license-scanning-report.json expire_in: 1 week # GitLab-specific - dependencies: [] + rules: !reference [".reports:rules:license_scanning", rules] |