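#include:
#  - template: Code-Quality.gitlab-ci.yml
#
#code_quality:
#  extends: .dedicated-no-docs-no-db-pull-cache-job
#  # gitlab-org runners set `privileged: false` but we need to have it set to true
#  # since we're using Docker in Docker
#  tags: []
#  before_script: []
#  cache: {}
#  dependencies: []
#  variables:
#    SETUP_DB: "false"

# Static Application Security Testing (SAST) job: runs the GitLab SAST
# orchestrator image against the checked-out tree and publishes its report.
sast:
  extends: .dedicated-no-docs-no-db-pull-cache-job
  image: docker:stable
  variables:
    SAST_CONFIDENCE_LEVEL: 2
    DOCKER_DRIVER: overlay2
    SAST_DEFAULT_ANALYZERS: bandit,brakeman,gosec,spotbugs,flawfinder,phpcs-security-audit,security-code-scan,nodejs-scan,eslint,tslint,sobelow
    # NOTE(review): this is a mutable branch tag (as is the `sast:60879-...`
    # orchestrator tag in `script` below); the `$SP_VERSION` computed in
    # `script` is not used by this job at all. Presumably a temporary test
    # setup - confirm the stable tags are restored before this is relied on.
    SAST_ANALYZER_IMAGES: registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:60879-add-logging-for-timeout-test
  # A failing or crashing scan does not fail the pipeline; findings are only
  # surfaced through the report artifact.
  allow_failure: true
  tags: []
  before_script: []
  cache: {}
  dependencies: []
  services:
    - docker:stable-dind
  script:
    - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
      # Print a `--env NAME` flag for every argument that is set in the job
      # environment, so `docker run` forwards the variable (name and value)
      # into the orchestrator container. Unset names are skipped.
      function propagate_env_vars() {
        for VAR_NAME; do
          # `printenv NAME` exits non-zero only when NAME is unset, so this is an
          # exact lookup. The previous `echo $CURRENT_ENV | grep "NAME="` also
          # matched `NAME=` appearing inside another variable's value.
          printenv "$VAR_NAME" > /dev/null 2>&1 && echo "--env $VAR_NAME "
        done
      }
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - |
      # The Docker socket mount gives the orchestrator full control of whichever
      # daemon owns that socket: it needs this to start the analyzer containers.
      # NOTE(review): whether that daemon is the `docker:stable-dind` service or
      # the runner host (socket-binding runners) depends on runner config - confirm.
      docker run \
        $(propagate_env_vars \
          SAST_ANALYZER_IMAGES \
          SAST_ANALYZER_IMAGE_PREFIX \
          SAST_ANALYZER_IMAGE_TAG \
          SAST_DEFAULT_ANALYZERS \
          SAST_BRAKEMAN_LEVEL \
          SAST_GOSEC_LEVEL \
          SAST_FLAWFINDER_LEVEL \
          SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
          SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
          SAST_RUN_ANALYZER_TIMEOUT \
        ) \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/sast:60879-test-analyzer-run-timeout" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json

#dependency_scanning:
#  extends: .dedicated-no-docs-no-db-pull-cache-job
#  image: docker:stable
#  variables:
#    DOCKER_DRIVER: overlay2
#  allow_failure: true
#  tags: []
#  before_script: []
#  cache: {}
#  dependencies: []
#  services:
#    - docker:stable-dind
#  script:
#    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
#    - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
#      function propagate_env_vars() {
#        CURRENT_ENV=$(printenv)
#
#        for VAR_NAME; do
#          echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
#        done
#      }
#    - |
#      docker run \
#        $(propagate_env_vars \
#          DS_ANALYZER_IMAGES \
#          DS_ANALYZER_IMAGE_PREFIX \
#          DS_ANALYZER_IMAGE_TAG \
#          DS_DEFAULT_ANALYZERS \
#          DEP_SCAN_DISABLE_REMOTE_CHECKS \
#          DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
#          DS_PULL_ANALYZER_IMAGE_TIMEOUT \
#          DS_RUN_ANALYZER_TIMEOUT \
#        ) \
#        --volume "$PWD:/code" \
#        --volume /var/run/docker.sock:/var/run/docker.sock \
#        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
#  artifacts:
#    reports:
#      dependency_scanning: gl-dependency-scanning-report.json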