Diffstat (limited to 'lib/gitlab/ci')
-rw-r--r-- | lib/gitlab/ci/config/entry/job.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/ci/config/entry/root.rb | 4 | ||||
-rw-r--r-- | lib/gitlab/ci/templates/Android-Fastlane.gitlab-ci.yml | 2 | ||||
-rw-r--r-- | lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml | 20 | ||||
-rw-r--r-- | lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml | 138 | ||||
-rw-r--r-- | lib/gitlab/ci/trace.rb | 2 |
6 files changed, 142 insertions, 26 deletions
diff --git a/lib/gitlab/ci/config/entry/job.rb b/lib/gitlab/ci/config/entry/job.rb
index 5874b01ef2a..07d5be86b1e 100644
--- a/lib/gitlab/ci/config/entry/job.rb
+++ b/lib/gitlab/ci/config/entry/job.rb
@@ -149,7 +149,7 @@ module Gitlab
 @entries.delete(:type)
 # This is something of a hack, see issue for details:
- # https://gitlab.com/gitlab-org/gitlab-ce/issues/67150
+ # https://gitlab.com/gitlab-org/gitlab-foss/issues/67150
 if !only_defined? && has_rules?
 @entries.delete(:only)
 @entries.delete(:except)
diff --git a/lib/gitlab/ci/config/entry/root.rb b/lib/gitlab/ci/config/entry/root.rb
index 0589ad3edf9..07022ff7b54 100644
--- a/lib/gitlab/ci/config/entry/root.rb
+++ b/lib/gitlab/ci/config/entry/root.rb
@@ -132,12 +132,12 @@ module Gitlab
 return unless @config.is_a?(Hash)
 @jobs_config = @config
- .except(*self.class.reserved_nodes_names) # rubocop: disable CodeReuse/ActiveRecord
+ .except(*self.class.reserved_nodes_names)
 .select do |name, config|
 Entry::Jobs.find_type(name, config).present?
 end
- @config = @config.except(*@jobs_config.keys) # rubocop: disable CodeReuse/ActiveRecord
+ @config = @config.except(*@jobs_config.keys)
 end
 end
 end
diff --git a/lib/gitlab/ci/templates/Android-Fastlane.gitlab-ci.yml b/lib/gitlab/ci/templates/Android-Fastlane.gitlab-ci.yml
index 2ca6e73a803..be584814271 100644
--- a/lib/gitlab/ci/templates/Android-Fastlane.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Android-Fastlane.gitlab-ci.yml
@@ -37,7 +37,7 @@ ensureContainer: - "mkdir -p ~/.docker && echo '{\"experimental\": \"enabled\"}' > ~/.docker/config.json" - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY # Skip update container `script` if the container already exists - # via https://gitlab.com/gitlab-org/gitlab-ce/issues/26866#note_97609397 -> https://stackoverflow.com/a/52077071/796832 + # via https://gitlab.com/gitlab-org/gitlab-foss/issues/26866#note_97609397 -> https://stackoverflow.com/a/52077071/796832 - docker manifest inspect $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG > /dev/null && exit || true diff --git a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml index f704266b73d..1ad9dd2913e 100644 --- a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml 
@@ -73,16 +73,16 @@ stages: - cleanup include: - - template: Jobs/Build.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml - - template: Jobs/Test.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Test.gitlab-ci.yml - - template: Jobs/Code-Quality.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml - - template: Jobs/Deploy.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml - - template: Jobs/Browser-Performance-Testing.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml - - template: Security/DAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml - - template: Security/Container-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml - - template: Security/Dependency-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml - - template: Security/License-Management.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml - - template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml + - template: Jobs/Build.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml + - template: Jobs/Test.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Jobs/Test.gitlab-ci.yml + - template: Jobs/Code-Quality.gitlab-ci.yml # 
https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml + - template: Jobs/Deploy.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml + - template: Jobs/Browser-Performance-Testing.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml + - template: Security/DAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml + - template: Security/Container-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml + - template: Security/Dependency-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml + - template: Security/License-Management.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml + - template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml # Override DAST job to exclude master branch dast: diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml index a61731a24b7..88f4b72044c 100644 --- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml 
@@ -4,13 +4,28 @@
 # List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
-sast:
+.sast:
 stage: test
+ allow_failure: true
+ artifacts:
+ reports:
+ sast: gl-sast-report.json
+ only:
+ refs:
+ - branches
+ variables:
+ - $GITLAB_FEATURES =~ /\bsast\b/
+
+variables:
+ SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+ SAST_DISABLE_DIND: "false"
+
+sast:
+ extends: .sast
 image: docker:stable
 variables:
 DOCKER_DRIVER: overlay2
 DOCKER_TLS_CERTDIR: ""
- allow_failure: true
 services:
 - docker:stable-dind
 script:
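Review bot: The two new top-level variables `SAST_ANALYZER_IMAGE_PREFIX` and `SAST_DISABLE_DIND` are not explained anywhere in the file, while the header comment still sends readers to the external settings list written for the single `sast` job. A short comment above the new `variables:` block would make the switch discoverable, e.g. `# SAST_DISABLE_DIND: "true" skips the docker-in-docker orchestrator job and runs the per-language analyzer jobs instead` and `# SAST_ANALYZER_IMAGE_PREFIX: registry path the analyzer images are pulled from`. Both statements follow from the `except:` conditions on `sast` and `.analyzer` and from the `image: name:` entries in the next hunk. The `sast` job's `script:` continues outside this hunk.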
@@ -63,15 +78,116 @@ sast:
 --volume "$PWD:/code" \
 --volume /var/run/docker.sock:/var/run/docker.sock \
 "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
- artifacts:
- reports:
- sast: gl-sast-report.json
- dependencies: []
- only:
- refs:
- - branches
- variables:
- - $GITLAB_FEATURES =~ /\bsast\b/
 except:
 variables:
 - $SAST_DISABLED
+ - $SAST_DISABLE_DIND == 'true'
+
+.analyzer:
+ extends: .sast
+ except:
+ variables:
+ - $SAST_DISABLE_DIND == 'false'
+ script:
+ - /analyzer run
+
+bandit-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /python/'
+
+brakeman-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /ruby/'
+
+eslint-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/'
+
+flawfinder-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\+\+|c\b)/'
+
+gosec-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /go/'
+
+nodejs-scan-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /javascript/'
+
+phpcs-security-audit-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /php/'
+
+pmd-apex-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /apex/'
+
+secrets-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets"
+
+security-code-scan-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /c\#/ || $CI_PROJECT_REPOSITORY_LANGUAGES =~ /visual basic/'
+
+sobelow-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /elixir/'
+
+spotbugs-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /java\b/'
+
+tslint-sast:
+ extends: .analyzer
+ image:
+ name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint"
+ only:
+ variables:
+ - '$CI_PROJECT_REPOSITORY_LANGUAGES =~ /typescript/'
diff --git a/lib/gitlab/ci/trace.rb b/lib/gitlab/ci/trace.rb
index 9550bc6d39c..5b8c2d2f7c7 100644
--- a/lib/gitlab/ci/trace.rb
+++ b/lib/gitlab/ci/trace.rb
@@ -188,7 +188,7 @@ module Gitlab
 def create_build_trace!(job, path)
 File.open(path) do |stream|
 # TODO: Set `file_format: :raw` after we've cleaned up legacy traces migration
- # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/20307
+ # https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/20307
 job.create_job_artifacts_trace!(
 project: job.project,
 file_type: :trace, |
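Review bot: The `.analyzer` template's `except: variables:` list carries only `$SAST_DISABLE_DIND == 'false'`, so `$SAST_DISABLED`, which the `sast` job still honors a few lines above, no longer switches off any of the analyzer jobs once `SAST_DISABLE_DIND` is set to `'true'`; adding `- $SAST_DISABLED` to that list keeps the opt-out working on both paths. The hunk also removes `dependencies: []` without restoring it on `.sast` or `sast`, so every SAST job will now download artifacts from earlier stages by default — presumably unintended, and restoring `dependencies: []` on `.sast` keeps the previous behavior for all jobs at once. Finally, the analyzer images are referenced as `"$SAST_ANALYZER_IMAGE_PREFIX/<name>"` with no tag, so they float on the registry's default tag, unlike the dind path which pins `sast:$SAST_VERSION`; a version suffix or digest would make scan results reproducible and the pulled image auditable. The hunk opens inside the `sast` job's `script:`, which starts outside it.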