Commit 1ed313c6 authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch '220540-drop-ds-sast-dind' into 'master'

Drop DinD for SAST, DS

See merge request gitlab-org/gitlab!41260
parents 5bdbf365 c4cff21e
---
title: Drop Docker-in-Docker mode for SAST and Dependency Scanning
merge_request: 41260
author:
type: removed
...@@ -33,16 +33,6 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do ...@@ -33,16 +33,6 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
allow(License).to receive(:current).and_return(license) allow(License).to receive(:current).and_return(license)
end end
context 'when DS_DISABLE_DIND=false' do
before do
create(:ci_variable, project: project, key: 'DS_DISABLE_DIND', value: 'false')
end
it 'includes orchestrator job' do
expect(build_names).to match_array(%w[dependency_scanning])
end
end
context 'when DEPENDENCY_SCANNING_DISABLED=1' do context 'when DEPENDENCY_SCANNING_DISABLED=1' do
before do before do
create(:ci_variable, project: project, key: 'DEPENDENCY_SCANNING_DISABLED', value: '1') create(:ci_variable, project: project, key: 'DEPENDENCY_SCANNING_DISABLED', value: '1')
......
...@@ -73,23 +73,5 @@ RSpec.describe 'SAST.gitlab-ci.yml' do ...@@ -73,23 +73,5 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
end end
end end
end end
context 'when project has Ultimate license' do
let(:license) { create(:license, plan: License::ULTIMATE_PLAN) }
before do
allow(License).to receive(:current).and_return(license)
end
context 'when SAST_DISABLE_DIND=false' do
before do
create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'false')
end
it 'includes orchestrator job' do
expect(build_names).to match_array(%w[sast])
end
end
end
end end
end end
...@@ -12,81 +12,24 @@ variables: ...@@ -12,81 +12,24 @@ variables:
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python" DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
DS_EXCLUDED_PATHS: "spec, test, tests, tmp" DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
DS_MAJOR_VERSION: 2 DS_MAJOR_VERSION: 2
DS_DISABLE_DIND: "true"
dependency_scanning: dependency_scanning:
stage: test stage: test
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
allow_failure: true
services:
- docker:stable-dind
script: script:
- | - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
if ! docker info &>/dev/null; then - exit 1
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
function propagate_env_vars() {
CURRENT_ENV=$(printenv)
for VAR_NAME; do
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
done
}
- |
docker run \
$(propagate_env_vars \
DS_ANALYZER_IMAGES \
SECURE_ANALYZERS_PREFIX \
DS_ANALYZER_IMAGE_TAG \
DS_DEFAULT_ANALYZERS \
DS_EXCLUDED_PATHS \
DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
DS_PULL_ANALYZER_IMAGE_TIMEOUT \
DS_RUN_ANALYZER_TIMEOUT \
DS_PYTHON_VERSION \
DS_PIP_VERSION \
DS_PIP_DEPENDENCY_PATH \
DS_JAVA_VERSION \
GEMNASIUM_DB_LOCAL_PATH \
GEMNASIUM_DB_REMOTE_URL \
GEMNASIUM_DB_REF_NAME \
PIP_INDEX_URL \
PIP_EXTRA_INDEX_URL \
PIP_REQUIREMENTS_FILE \
MAVEN_CLI_OPTS \
GRADLE_CLI_OPTS \
SBT_CLI_OPTS \
BUNDLER_AUDIT_UPDATE_DISABLED \
BUNDLER_AUDIT_ADVISORY_DB_URL \
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
RETIREJS_JS_ADVISORY_DB \
RETIREJS_NODE_ADVISORY_DB \
DS_REMEDIATE \
) \
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_MAJOR_VERSION" /code
artifacts: artifacts:
reports: reports:
dependency_scanning: gl-dependency-scanning-report.json dependency_scanning: gl-dependency-scanning-report.json
dependencies: [] dependencies: []
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'true' - when: never
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/
.ds-analyzer: .ds-analyzer:
extends: dependency_scanning extends: dependency_scanning
services: [] allow_failure: true
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ $GITLAB_FEATURES =~ /\bdependency_scanning\b/
...@@ -100,7 +43,7 @@ gemnasium-dependency_scanning: ...@@ -100,7 +43,7 @@ gemnasium-dependency_scanning:
variables: variables:
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...@@ -123,7 +66,7 @@ gemnasium-maven-dependency_scanning: ...@@ -123,7 +66,7 @@ gemnasium-maven-dependency_scanning:
variables: variables:
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...@@ -141,7 +84,7 @@ gemnasium-python-dependency_scanning: ...@@ -141,7 +84,7 @@ gemnasium-python-dependency_scanning:
variables: variables:
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...@@ -166,7 +109,7 @@ bundler-audit-dependency_scanning: ...@@ -166,7 +109,7 @@ bundler-audit-dependency_scanning:
variables: variables:
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
...@@ -181,7 +124,7 @@ retire-js-dependency_scanning: ...@@ -181,7 +124,7 @@ retire-js-dependency_scanning:
variables: variables:
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED || $DS_DISABLE_DIND == 'false' - if: $DEPENDENCY_SCANNING_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
......
...@@ -12,45 +12,26 @@ variables: ...@@ -12,45 +12,26 @@ variables:
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec" SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec"
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SAST_ANALYZER_IMAGE_TAG: 2 SAST_ANALYZER_IMAGE_TAG: 2
SAST_DISABLE_DIND: "true"
SCAN_KUBERNETES_MANIFESTS: "false" SCAN_KUBERNETES_MANIFESTS: "false"
sast: sast:
stage: test stage: test
allow_failure: true
artifacts: artifacts:
reports: reports:
sast: gl-sast-report.json sast: gl-sast-report.json
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'true' - when: never
when: never
- if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
image: docker:stable
variables: variables:
SEARCH_MAX_DEPTH: 4 SEARCH_MAX_DEPTH: 4
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
services:
- docker:stable-dind
script: script:
- | - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
if ! docker info &>/dev/null; then - exit 1
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
- |
docker run \
$(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -v -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | awk '{printf " -e %s", $0}') \
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
.sast-analyzer: .sast-analyzer:
extends: sast extends: sast
services: [] allow_failure: true
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
script: script:
...@@ -63,7 +44,7 @@ bandit-sast: ...@@ -63,7 +44,7 @@ bandit-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/ $SAST_DEFAULT_ANALYZERS =~ /bandit/
...@@ -77,7 +58,7 @@ brakeman-sast: ...@@ -77,7 +58,7 @@ brakeman-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/ $SAST_DEFAULT_ANALYZERS =~ /brakeman/
...@@ -91,7 +72,7 @@ eslint-sast: ...@@ -91,7 +72,7 @@ eslint-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/ $SAST_DEFAULT_ANALYZERS =~ /eslint/
...@@ -109,7 +90,7 @@ flawfinder-sast: ...@@ -109,7 +90,7 @@ flawfinder-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/ $SAST_DEFAULT_ANALYZERS =~ /flawfinder/
...@@ -124,7 +105,7 @@ kubesec-sast: ...@@ -124,7 +105,7 @@ kubesec-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /kubesec/ && $SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
...@@ -137,7 +118,7 @@ gosec-sast: ...@@ -137,7 +118,7 @@ gosec-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/ $SAST_DEFAULT_ANALYZERS =~ /gosec/
...@@ -151,7 +132,7 @@ nodejs-scan-sast: ...@@ -151,7 +132,7 @@ nodejs-scan-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
...@@ -165,7 +146,7 @@ phpcs-security-audit-sast: ...@@ -165,7 +146,7 @@ phpcs-security-audit-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
...@@ -179,7 +160,7 @@ pmd-apex-sast: ...@@ -179,7 +160,7 @@ pmd-apex-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
...@@ -193,7 +174,7 @@ security-code-scan-sast: ...@@ -193,7 +174,7 @@ security-code-scan-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/ $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
...@@ -208,7 +189,7 @@ sobelow-sast: ...@@ -208,7 +189,7 @@ sobelow-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/ $SAST_DEFAULT_ANALYZERS =~ /sobelow/
...@@ -222,7 +203,7 @@ spotbugs-sast: ...@@ -222,7 +203,7 @@ spotbugs-sast:
variables: variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false' - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/ $SAST_DEFAULT_ANALYZERS =~ /spotbugs/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment