blob: c5481a19ae66c4fcba9ae071b4869dc42ea9918b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
include:
- template: Security/License-Scanning.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
variables:
SAST_EXCLUDED_ANALYZERS: "eslint"
# workflow rules are not extended by scanner jobs, need to override them manually
# TODO: remove when https://gitlab.com/gitlab-org/gitlab/-/issues/218444 is done
.rules-for-scanners: &rules-for-scanners
stage: prepare
needs: []
rules:
# For merge requests, create a pipeline.
- if: '$CI_MERGE_REQUEST_IID'
# For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
# For tags, create a pipeline.
- if: '$CI_COMMIT_TAG'
# For stable, and security branches, create a pipeline.
- if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/'
- if: '$CI_COMMIT_BRANCH =~ /^security\//'
license_scanning:
<<: *rules-for-scanners
gemnasium-dependency_scanning:
<<: *rules-for-scanners
gosec-sast:
<<: *rules-for-scanners
gemnasium-tools-dependency_scanning:
stage: prepare
image:
name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
script:
- /analyzer run --target-dir ./tools
gemnasium-tools-license_scanning:
stage: prepare
image:
name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
entrypoint: [""]
script:
- CI_PROJECT_DIR=$(pwd)/tools /run.sh analyze .
secret_detection:
stage: prepare
rules:
# For merge requests, create a pipeline.
- if: '$CI_MERGE_REQUEST_IID'
|
