Commit 2074baed authored by Rémy Coutable's avatar Rémy Coutable

ci: Move 'allow_failure' from rules to jobs

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent bf05abda
......@@ -45,6 +45,7 @@
reports:
dast: gl-dast-report.json
expire_in: 1 week # GitLab-specific
allow_failure: true
# DAST scan with a subset of Release scan rules.
DAST-fullscan-ruleset1:
......
......@@ -13,6 +13,7 @@ code_quality:
paths:
- gl-code-quality-report.json # GitLab-specific
rules: !reference [".reports:rules:code_quality", rules]
allow_failure: true
.sast-analyzer:
# We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
......@@ -31,12 +32,15 @@ code_quality:
brakeman-sast:
rules: !reference [".reports:rules:brakeman-sast", rules]
allow_failure: true
nodejs-scan-sast:
rules: !reference [".reports:rules:nodejs-scan-sast", rules]
allow_failure: true
semgrep-sast:
rules: !reference [".reports:rules:semgrep-sast", rules]
allow_failure: true
gosec-sast:
variables:
......@@ -53,6 +57,7 @@ gosec-sast:
paths:
- vendor/go
rules: !reference [".reports:rules:gosec-sast", rules]
allow_failure: true
.secret-analyzer:
extends: .default-retry
......@@ -64,6 +69,7 @@ gosec-sast:
secret_detection:
rules: !reference [".reports:rules:secret_detection", rules]
allow_failure: true
.ds-analyzer:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
......@@ -88,15 +94,19 @@ gemnasium-dependency_scanning:
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
allow_failure: true
bundler-audit-dependency_scanning:
rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
allow_failure: true
retire-js-dependency_scanning:
rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
allow_failure: true
gemnasium-python-dependency_scanning:
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
allow_failure: true
# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
......@@ -144,3 +154,4 @@ license_scanning:
artifacts:
expire_in: 1 week # GitLab-specific
rules: !reference [".reports:rules:license_scanning", rules]
allow_failure: true
......@@ -1192,7 +1192,6 @@
when: never
- <<: *if-default-refs
changes: *code-backstage-patterns
allow_failure: true
.reports:rules:brakeman-sast:
rules:
......@@ -1203,7 +1202,6 @@
- changes:
- '**/*.rb'
- '**/Gemfile'
allow_failure: true
.reports:rules:nodejs-scan-sast:
rules:
......@@ -1213,7 +1211,6 @@
when: never
- changes:
- '**/package.json'
allow_failure: true
.reports:rules:gosec-sast:
rules:
......@@ -1223,7 +1220,6 @@
when: never
- changes:
- '**/*.go'
allow_failure: true
.reports:rules:semgrep-sast:
rules:
......@@ -1239,61 +1235,42 @@
- '**/*.tsx'
- '**/*.c'
- '**/*.go'
allow_failure: true
.reports:rules:secret_detection:
rules:
- if: '$SECRET_DETECTION_DISABLED'
when: never
- changes: *code-backstage-qa-patterns
allow_failure: true
.reports:rules:gemnasium-dependency_scanning:
rules:
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium([^-]|$)/'
when: never
- changes: *dependency-patterns
allow_failure: true
.reports:rules:bundler-audit-dependency_scanning:
rules:
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/ || $DS_DEFAULT_ANALYZERS !~ /bundler-audit/'
when: never
- changes: *bundler-patterns
allow_failure: true
.reports:rules:retire-js-dependency_scanning:
rules:
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/ || $DS_DEFAULT_ANALYZERS !~ /retire.js/'
when: never
- changes: *nodejs-patterns
allow_failure: true
.reports:rules:gemnasium-python-dependency_scanning:
rules:
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium-python/'
when: never
- changes: *python-patterns
allow_failure: true
.reports:rules:dast:
rules:
- if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
when: never
- <<: *if-dot-com-gitlab-org-merge-request
changes: *frontend-patterns
allow_failure: true
- <<: *if-dot-com-gitlab-org-merge-request
changes: *code-qa-patterns
when: manual
allow_failure: true
.reports:rules:schedule-dast:
rules:
- if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
when: never
- <<: *if-dot-com-ee-nightly-schedule
allow_failure: true
.reports:rules:package_hunter-yarn:
rules:
......@@ -1316,7 +1293,6 @@
- if: '$LICENSE_MANAGEMENT_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'
when: never
- changes: *code-backstage-qa-patterns
allow_failure: true
################
# Review rules #
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment