Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
2074baed
Commit
2074baed
authored
Oct 04, 2021
by
Rémy Coutable
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
ci: Move 'allow_failure' from rules to jobs
Signed-off-by:
Rémy Coutable
<
remy@rymai.me
>
parent
bf05abda
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
12 additions
and
24 deletions
+12
-24
.gitlab/ci/dast.gitlab-ci.yml
.gitlab/ci/dast.gitlab-ci.yml
+1
-0
.gitlab/ci/reports.gitlab-ci.yml
.gitlab/ci/reports.gitlab-ci.yml
+11
-0
.gitlab/ci/rules.gitlab-ci.yml
.gitlab/ci/rules.gitlab-ci.yml
+0
-24
No files found.
.gitlab/ci/dast.gitlab-ci.yml
View file @
2074baed
...
...
@@ -45,6 +45,7 @@
reports
:
dast
:
gl-dast-report.json
expire_in
:
1 week
# GitLab-specific
allow_failure
:
true
# DAST scan with a subset of Release scan rules.
DAST-fullscan-ruleset1
:
...
...
.gitlab/ci/reports.gitlab-ci.yml
View file @
2074baed
...
...
@@ -13,6 +13,7 @@ code_quality:
paths
:
-
gl-code-quality-report.json
# GitLab-specific
rules
:
!reference
[
"
.reports:rules:code_quality"
,
rules
]
allow_failure
:
true
.sast-analyzer
:
# We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
...
...
@@ -31,12 +32,15 @@ code_quality:
brakeman-sast
:
rules
:
!reference
[
"
.reports:rules:brakeman-sast"
,
rules
]
allow_failure
:
true
nodejs-scan-sast
:
rules
:
!reference
[
"
.reports:rules:nodejs-scan-sast"
,
rules
]
allow_failure
:
true
semgrep-sast
:
rules
:
!reference
[
"
.reports:rules:semgrep-sast"
,
rules
]
allow_failure
:
true
gosec-sast
:
variables
:
...
...
@@ -53,6 +57,7 @@ gosec-sast:
paths
:
-
vendor/go
rules
:
!reference
[
"
.reports:rules:gosec-sast"
,
rules
]
allow_failure
:
true
.secret-analyzer
:
extends
:
.default-retry
...
...
@@ -64,6 +69,7 @@ gosec-sast:
secret_detection
:
rules
:
!reference
[
"
.reports:rules:secret_detection"
,
rules
]
allow_failure
:
true
.ds-analyzer
:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
...
...
@@ -88,15 +94,19 @@ gemnasium-dependency_scanning:
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
-
jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
rules
:
!reference
[
"
.reports:rules:gemnasium-dependency_scanning"
,
rules
]
allow_failure
:
true
bundler-audit-dependency_scanning
:
rules
:
!reference
[
"
.reports:rules:bundler-audit-dependency_scanning"
,
rules
]
allow_failure
:
true
retire-js-dependency_scanning
:
rules
:
!reference
[
"
.reports:rules:retire-js-dependency_scanning"
,
rules
]
allow_failure
:
true
gemnasium-python-dependency_scanning
:
rules
:
!reference
[
"
.reports:rules:gemnasium-python-dependency_scanning"
,
rules
]
allow_failure
:
true
# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
...
...
@@ -144,3 +154,4 @@ license_scanning:
artifacts
:
expire_in
:
1 week
# GitLab-specific
rules
:
!reference
[
"
.reports:rules:license_scanning"
,
rules
]
allow_failure
:
true
.gitlab/ci/rules.gitlab-ci.yml
View file @
2074baed
...
...
@@ -1192,7 +1192,6 @@
when
:
never
-
<<
:
*if-default-refs
changes
:
*code-backstage-patterns
allow_failure
:
true
.reports:rules:brakeman-sast:
rules
:
...
...
@@ -1203,7 +1202,6 @@
-
changes
:
-
'
**/*.rb'
-
'
**/Gemfile'
allow_failure
:
true
.reports:rules:nodejs-scan-sast:
rules
:
...
...
@@ -1213,7 +1211,6 @@
when
:
never
-
changes
:
-
'
**/package.json'
allow_failure
:
true
.reports:rules:gosec-sast:
rules
:
...
...
@@ -1223,7 +1220,6 @@
when
:
never
-
changes
:
-
'
**/*.go'
allow_failure
:
true
.reports:rules:semgrep-sast:
rules
:
...
...
@@ -1239,61 +1235,42 @@
-
'
**/*.tsx'
-
'
**/*.c'
-
'
**/*.go'
allow_failure
:
true
.reports:rules:secret_detection:
rules
:
-
if
:
'
$SECRET_DETECTION_DISABLED'
when
:
never
-
changes
:
*code-backstage-qa-patterns
allow_failure
:
true
.reports:rules:gemnasium-dependency_scanning:
rules
:
-
if
:
'
$DEPENDENCY_SCANNING_DISABLED
||
$GITLAB_FEATURES
!~
/\bdependency_scanning\b/
||
$DS_EXCLUDED_ANALYZERS
=~
/gemnasium([^-]|$)/
||
$DS_DEFAULT_ANALYZERS
!~
/gemnasium([^-]|$)/'
when
:
never
-
changes
:
*dependency-patterns
allow_failure
:
true
.reports:rules:bundler-audit-dependency_scanning:
rules
:
-
if
:
'
$DEPENDENCY_SCANNING_DISABLED
||
$GITLAB_FEATURES
!~
/\bdependency_scanning\b/
||
$DS_EXCLUDED_ANALYZERS
=~
/bundler-audit/
||
$DS_DEFAULT_ANALYZERS
!~
/bundler-audit/'
when
:
never
-
changes
:
*bundler-patterns
allow_failure
:
true
.reports:rules:retire-js-dependency_scanning:
rules
:
-
if
:
'
$DEPENDENCY_SCANNING_DISABLED
||
$GITLAB_FEATURES
!~
/\bdependency_scanning\b/
||
$DS_EXCLUDED_ANALYZERS
=~
/retire.js/
||
$DS_DEFAULT_ANALYZERS
!~
/retire.js/'
when
:
never
-
changes
:
*nodejs-patterns
allow_failure
:
true
.reports:rules:gemnasium-python-dependency_scanning:
rules
:
-
if
:
'
$DEPENDENCY_SCANNING_DISABLED
||
$GITLAB_FEATURES
!~
/\bdependency_scanning\b/
||
$DS_EXCLUDED_ANALYZERS
=~
/gemnasium-python/
||
$DS_DEFAULT_ANALYZERS
!~
/gemnasium-python/'
when
:
never
-
changes
:
*python-patterns
allow_failure
:
true
.reports:rules:dast:
rules
:
-
if
:
'
$DAST_DISABLED
||
$GITLAB_FEATURES
!~
/\bdast\b/'
when
:
never
-
<<
:
*if-dot-com-gitlab-org-merge-request
changes
:
*frontend-patterns
allow_failure
:
true
-
<<
:
*if-dot-com-gitlab-org-merge-request
changes
:
*code-qa-patterns
when
:
manual
allow_failure
:
true
.reports:rules:schedule-dast:
rules
:
-
if
:
'
$DAST_DISABLED
||
$GITLAB_FEATURES
!~
/\bdast\b/'
when
:
never
-
<<
:
*if-dot-com-ee-nightly-schedule
allow_failure
:
true
.reports:rules:package_hunter-yarn:
rules
:
...
...
@@ -1316,7 +1293,6 @@
-
if
:
'
$LICENSE_MANAGEMENT_DISABLED
||
$GITLAB_FEATURES
!~
/\blicense_scanning\b/'
when
:
never
-
changes
:
*code-backstage-qa-patterns
allow_failure
:
true
################
# Review rules #
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment