
# Pull in GitLab's managed security scanner templates. The scanner jobs that
# this project actually tunes (license_scanning, gemnasium-dependency_scanning,
# semgrep-sast, secret_detection) are reconfigured further down in this file.
# NOTE(review): `include: template` resolves against the templates shipped with
# the GitLab instance running the pipeline, so scanner definitions follow the
# instance rather than a revision pinned in this repository — confirm that is
# the intended trust boundary.
# NOTE(review): the License-Scanning template has been deprecated in later
# GitLab releases — verify it still exists on the target instance.
include:
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  # Comma-separated list of SAST analyzers that must not run.
  # NOTE(review): gosec is excluded and the only SAST job given rules in this
  # file is semgrep-sast; the project has a go.mod, so presumably semgrep is
  # what covers the Go sources — confirm, otherwise Go code gets no SAST.
  SAST_EXCLUDED_ANALYZERS: "brakeman,eslint,gosec"

# Workflow rules are not extended by the scanner jobs, so they need to be overridden manually.
# TODO: remove when https://gitlab.com/gitlab-org/gitlab/-/issues/218444 is done

# Hidden job (leading dot) that only serves as the `rules-for-scanners` anchor.
# It is merged into semgrep-sast below and supplies stage, needs and rules.
.rules-for-scanners: &rules-for-scanners
  stage: prepare
  # Empty needs list: the job does not wait for any other job.
  needs: []
  # Rules are evaluated top to bottom; if none matches, the job is not added
  # to the pipeline.
  rules:
    # For merge requests, create a pipeline.
    - if: '$CI_MERGE_REQUEST_IID'
    # For the default branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    # For tags, create a pipeline.
    - if: '$CI_COMMIT_TAG'
    # For stable and security branches, create a pipeline.
    # Stable: digits and dashes followed by `-stable`, optionally `-ee`.
    - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/'
    # Security: any branch whose name starts with `security/`.
    - if: '$CI_COMMIT_BRANCH =~ /^security\//'

# Hidden job (leading dot) that only serves as the
# `rules-for-dependency-scanners` anchor. It is merged into license_scanning
# and gemnasium-dependency_scanning below. It matches the generic scanner
# rules except that merge request pipelines are limited to go.mod changes.
.rules-for-dependency-scanners: &rules-for-dependency-scanners
  stage: prepare
  # Empty needs list: the job does not wait for any other job.
  needs: []
  # Rules are evaluated top to bottom; if none matches, the job is not added
  # to the pipeline.
  rules:
    # For merge requests, create a pipeline, but only when go.mod changed.
    # NOTE(review): go.sum is not listed — confirm that every dependency change
    # relevant to these scanners also touches go.mod, otherwise such a merge
    # request is scanned only after it lands on a branch matched below.
    - if: '$CI_MERGE_REQUEST_IID'
      changes:
        - go.mod
    # For the default branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    # For tags, create a pipeline.
    - if: '$CI_COMMIT_TAG'
    # For stable and security branches, create a pipeline.
    # Stable: digits and dashes followed by `-stable`, optionally `-ee`.
    - if: '$CI_COMMIT_BRANCH =~ /^[\d-]+-stable(-ee)?$/'
    # Security: any branch whose name starts with `security/`.
    - if: '$CI_COMMIT_BRANCH =~ /^security\//'

# Override for the license_scanning job (presumably the one defined by the
# included License-Scanning template — confirm): takes stage, needs and rules
# from the rules-for-dependency-scanners anchor.
license_scanning:
  <<: *rules-for-dependency-scanners

# Override for the gemnasium-dependency_scanning job (presumably the one
# defined by the included Dependency-Scanning template — confirm): takes
# stage, needs and rules from the rules-for-dependency-scanners anchor.
gemnasium-dependency_scanning:
  <<: *rules-for-dependency-scanners

# Override for the semgrep-sast job (presumably the one defined by the
# included SAST template — confirm): takes stage, needs and rules from the
# rules-for-scanners anchor, so it is not limited to particular file changes.
semgrep-sast:
  <<: *rules-for-scanners

# Override for the secret_detection job (presumably the one defined by the
# included Secret-Detection template — confirm). It does not reuse either
# rules anchor: it sets its own stage and a single merge-request rule.
# NOTE(review): unlike the other scanner jobs in this file, there is no rule
# for the default branch, tags, stable or security branches, and no
# `needs: []`. Commits that reach those refs without a merge request are
# presumably not scanned for secrets — confirm this gap is intended.
secret_detection:
  stage: prepare
  rules:
    # For merge requests, create a pipeline.
    - if: '$CI_MERGE_REQUEST_IID'