1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
|
include:
- template: Jobs/Code-Quality.gitlab-ci.yml
- template: Jobs/SAST.gitlab-ci.yml
- template: Jobs/Secret-Detection.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml
code_quality:
extends:
- .default-retry
- .use-docker-in-docker
artifacts:
paths:
- gl-code-quality-report.json # GitLab-specific
rules: !reference [".reports:rules:code_quality", rules]
allow_failure: true
.sast-analyzer:
# We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
extends:
- .default-retry
- sast
needs: []
artifacts:
paths:
- gl-sast-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
variables:
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp" # GitLab-specific
SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint
brakeman-sast:
rules: !reference [".reports:rules:brakeman-sast", rules]
allow_failure: true
nodejs-scan-sast:
rules: !reference [".reports:rules:nodejs-scan-sast", rules]
allow_failure: true
semgrep-sast:
rules: !reference [".reports:rules:semgrep-sast", rules]
allow_failure: true
gosec-sast:
variables:
GOPATH: "$CI_PROJECT_DIR/vendor/go"
COMPILE: "false"
GOSEC_GO_PKG_PATH: "$CI_PROJECT_DIR"
SECURE_LOG_LEVEL: "debug"
before_script:
- mkdir -p $GOPATH
- cd workhorse
- go get -d ./...
- cd ..
cache:
paths:
- vendor/go
rules: !reference [".reports:rules:gosec-sast", rules]
allow_failure: true
.secret-analyzer:
extends: .default-retry
needs: []
artifacts:
paths:
- gl-secret-detection-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
secret_detection:
rules: !reference [".reports:rules:secret_detection", rules]
allow_failure: true
.ds-analyzer:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
extends:
- .default-retry
- dependency_scanning
needs: []
variables:
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific
artifacts:
paths:
- gl-dependency-scanning-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
gemnasium-dependency_scanning:
before_script:
# git-lfs is needed for auto-remediation
- apk add git-lfs
after_script:
# Post-processing
- apk add jq
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
allow_failure: true
bundler-audit-dependency_scanning:
rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
allow_failure: true
retire-js-dependency_scanning:
rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
allow_failure: true
gemnasium-python-dependency_scanning:
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
allow_failure: true
# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
.package_hunter-base:
extends: .default-retry
stage: test
image:
name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:1.1.0
entrypoint: [""]
variables:
DEBUG: '*'
HTR_user: '$PACKAGE_HUNTER_USER'
HTR_pass: '$PACKAGE_HUNTER_PASS'
needs: []
allow_failure: true
before_script:
- rm -r spec locale .git app/assets/images doc/
- cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
script:
- node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json
artifacts:
paths:
- gl-dependency-scanning-report.json
reports:
dependency_scanning: gl-dependency-scanning-report.json
expire_in: 1 week
package_hunter-yarn:
extends:
- .package_hunter-base
- .reports:rules:package_hunter-yarn
variables:
PACKAGE_MANAGER: yarn
package_hunter-bundler:
extends:
- .package_hunter-base
- .reports:rules:package_hunter-bundler
variables:
PACKAGE_MANAGER: bundler
license_scanning:
extends: .default-retry
needs: []
artifacts:
expire_in: 1 week # GitLab-specific
rules: !reference [".reports:rules:license_scanning", rules]
allow_failure: true
|
