author | Jaime Martinez <jmartinez@gitlab.com> | 2020-08-10 06:59:14 +0300 |
---|---|---|
committer | Jaime Martinez <jmartinez@gitlab.com> | 2020-08-24 02:35:50 +0300 |
commit | 69b756610687752929b98ee681495a99a199bb6c (patch) | |
tree | dd0ea56e088b37fb055109bd1f2d2ab867cf0606 /.gitlab | |
parent | 2498440a5ea75b1aff98213b0e4226d02e08b540 (diff) |
Add rules to each scanner job
Diffstat (limited to '.gitlab')
-rw-r--r-- | .gitlab/ci/prepare.yml | 55 |
1 files changed, 42 insertions, 13 deletions
diff --git a/.gitlab/ci/prepare.yml b/.gitlab/ci/prepare.yml index 33082984..2666d6ba 100644 --- a/.gitlab/ci/prepare.yml +++ b/.gitlab/ci/prepare.yml @@ -3,10 +3,13 @@ include: - template: Security/SAST.gitlab-ci.yml - template: Security/Dependency-Scanning.gitlab-ci.yml -# workflow rules are not extended by scanner jobs +# workflow rules are not extended by scanner jobs, need to override them manually # TODO: remove when https://gitlab.com/gitlab-org/gitlab/-/issues/218444 is done -.rules-for-scanners: + +license_scanning: stage: prepare + variables: + LICENSE_MANAGEMENT_SETUP_CMD: go mod vendor rules: # For merge requests, create a pipeline. - if: '$CI_MERGE_REQUEST_IID' 
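Review bot: The `rules:` list written out under `license_scanning` (it starts here and continues in the context lines of the next hunk) is repeated verbatim under `dependency_scanning`, `secrets-sast` and `gosec-sast` in that hunk. A later edit to one copy, such as a new branch pattern, can then leave the other scanners silently not running where they should. Since `extends` is being dropped, a plain YAML anchor would keep a single copy without touching job inheritance: `rules: &scanner_rules` on the first job and `rules: *scanner_rules` on the other three. Anchors resolve only within one file, which appears to be the case here since all four jobs are in `prepare.yml`.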
@@ -18,24 +21,50 @@ include: - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' - if: '$CI_COMMIT_BRANCH =~ /^security\//' -license_scanning: - variables: - LICENSE_MANAGEMENT_SETUP_CMD: go mod vendor - extends: .rules-for-scanners dependency_scanning: - extends: .rules-for-scanners - -# disable eslint-sast since html files are fixtures for testing -eslint-sast: + stage: prepare rules: - - when: never + # For merge requests, create a pipeline. + - if: '$CI_MERGE_REQUEST_IID' + # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). + - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For stable, and security branches, create a pipeline. + - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' + - if: '$CI_COMMIT_BRANCH =~ /^security\//' secrets-sast: - extends: .rules-for-scanners + stage: prepare + rules: + # For merge requests, create a pipeline. + - if: '$CI_MERGE_REQUEST_IID' + # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). + - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For stable, and security branches, create a pipeline. + - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' + - if: '$CI_COMMIT_BRANCH =~ /^security\//' gosec-sast: - extends: .rules-for-scanners + stage: prepare + rules: + # For merge requests, create a pipeline. + - if: '$CI_MERGE_REQUEST_IID' + # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.). + - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For stable, and security branches, create a pipeline. + - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/' + - if: '$CI_COMMIT_BRANCH =~ /^security\//' + +# disable eslint-sast since html files are fixtures for testing +eslint-sast: + rules: + - when: never download deps: extends: .go-mod-cache |
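Review bot: The `rules:` blocks added to `dependency_scanning`, `secrets-sast` and `gosec-sast` replace, rather than extend, any `rules` the included Security templates define for those jobs, because lists are not merged when an included job is redefined locally. If the templates carry opt-out or applicability conditions, those presumably no longer apply to these jobs, and later template changes to them will not be picked up. The templates are not visible in this diff, so this should be checked against them. A comment above the first override would record the trade-off, e.g. `# NOTE: replaces the template's own rules entirely; re-check against the Security templates on upgrade`.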