Commit 39518e8d authored by Rémy Coutable

Merge branch 'e2300-sast-template' into 'master'

Migrate SAST CI template to rules syntax

See merge request gitlab-org/gitlab!31127
parents 47ed79de a9e72d97
---
title: Migrate SAST CI template to rules syntax
merge_request: 31127
author:
type: changed
...@@ -8,7 +8,8 @@ describe 'SAST.gitlab-ci.yml' do ...@@ -8,7 +8,8 @@ describe 'SAST.gitlab-ci.yml' do
describe 'the created pipeline' do describe 'the created pipeline' do
let(:user) { create(:admin) } let(:user) { create(:admin) }
let(:default_branch) { 'master' } let(:default_branch) { 'master' }
let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) } let(:files) { { 'README.txt' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) } let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
let(:pipeline) { service.execute!(:push) } let(:pipeline) { service.execute!(:push) }
let(:build_names) { pipeline.builds.pluck(:name) } let(:build_names) { pipeline.builds.pluck(:name) }
...@@ -48,33 +49,34 @@ describe 'SAST.gitlab-ci.yml' do ...@@ -48,33 +49,34 @@ describe 'SAST.gitlab-ci.yml' do
end end
end end
context 'when SAST_DISABLE_DIND=1' do context 'when SAST_DISABLE_DIND=true' do
before do before do
create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: '1') create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'true')
end end
describe 'language detection' do describe 'language detection' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
where(:case_name, :variables, :include_build_names) do where(:case_name, :files, :variables, :include_build_names) do
'No match' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "" } | %w(secrets-sast) 'No match' | { 'README.md' => '' } | {} | %w(secrets-sast)
'Apex' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "apex" } | %w(pmd-apex-sast secrets-sast) 'Apex' | { 'app.cls' => '' } | {} | %w(pmd-apex-sast secrets-sast)
'C' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c" } | %w(flawfinder-sast secrets-sast) 'C' | { 'app.c' => '' } | {} | %w(flawfinder-sast secrets-sast)
'C++' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c++" } | %w(flawfinder-sast secrets-sast) 'C++' | { 'app.cpp' => '' } | {} | %w(flawfinder-sast secrets-sast)
'C#' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c#" } | %w(security-code-scan-sast secrets-sast) 'C#' | { 'app.csproj' => '' } | {} | %w(security-code-scan-sast secrets-sast)
'Elixir' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "elixir" } | %w(sobelow-sast secrets-sast) 'Elixir' | { 'mix.ex' => '' } | {} | %w(sobelow-sast secrets-sast)
'Golang' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "go" } | %w(gosec-sast secrets-sast) 'Golang' | { 'main.go' => '' } | {} | %w(gosec-sast secrets-sast)
'Groovy' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "groovy" } | %w(spotbugs-sast secrets-sast) 'Groovy' | { 'app.groovy' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Java' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java" } | %w(spotbugs-sast secrets-sast) 'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Javascript' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "javascript" } | %w(eslint-sast nodejs-scan-sast secrets-sast) 'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast nodejs-scan-sast secrets-sast)
'Kubernetes Manifests' | { "SCAN_KUBERNETES_MANIFESTS" => "true" } | %w(kubesec-sast secrets-sast) 'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast secrets-sast)
'Multiple languages' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java,javascript" } | %w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast) 'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast secrets-sast)
'PHP' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "php" } | %w(phpcs-security-audit-sast secrets-sast) 'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
'Python' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "python" } | %w(bandit-sast secrets-sast) 'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast secrets-sast)
'Ruby' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "ruby" } | %w(brakeman-sast secrets-sast) 'Python' | { 'app.py' => '' } | {} | %w(bandit-sast secrets-sast)
'Scala' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "scala" } | %w(spotbugs-sast secrets-sast) 'Ruby' | { 'application.rb' => '' } | {} | %w(brakeman-sast secrets-sast)
'Typescript' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "typescript" } | %w(tslint-sast secrets-sast) 'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Visual Basic' | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "visual basic" } | %w(security-code-scan-sast secrets-sast) 'Typescript' | { 'app.ts' => '' } | {} | %w(tslint-sast secrets-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast secrets-sast)
end end
with_them do with_them do
......
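Review bot: Nothing in this section asserts the negative side of the new `rules` — that setting `SAST_DISABLED` removes every `*-sast` job — which the old `only`/`except` form got by construction and which is now a `when: never` clause that each analyzer must carry separately. A `context 'when SAST_DISABLED=1'` mirroring the `SAST_DISABLE_DIND` context above would pin that; whether the assertion is `expect(build_names).not_to include(a_string_ending_with('-sast'))` or an expectation that `execute!` raises for an empty pipeline depends on how `Ci::CreatePipelineService#execute!` behaves on zero jobs, which this hunk does not show. The pipeline is also only ever created for a branch push, so the `$CI_COMMIT_BRANCH` gate is never exercised against a tag or merge-request ref. The enclosing `describe` blocks start and end outside the visible hunks.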
...@@ -23,11 +23,10 @@ sast: ...@@ -23,11 +23,10 @@ sast:
artifacts: artifacts:
reports: reports:
sast: gl-sast-report.json sast: gl-sast-report.json
only: rules:
refs: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
- branches when: never
variables: - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
- $GITLAB_FEATURES =~ /\bsast\b/
image: docker:stable image: docker:stable
variables: variables:
SEARCH_MAX_DEPTH: 4 SEARCH_MAX_DEPTH: 4
...@@ -48,18 +47,15 @@ sast: ...@@ -48,18 +47,15 @@ sast:
--volume "$PWD:/code" \ --volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \ --volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
except:
variables:
- $SAST_DISABLED
- $SAST_DISABLE_DIND == 'true'
.sast-analyzer: .sast-analyzer:
extends: sast extends: sast
services: [] services: []
except: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $SAST_DISABLED when: never
- $SAST_DISABLE_DIND == 'false' - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/
script: script:
- /analyzer run - /analyzer run
...@@ -67,49 +63,65 @@ bandit-sast: ...@@ -67,49 +63,65 @@ bandit-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /bandit/&& - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /bandit/
exists:
- '**/*.py'
brakeman-sast: brakeman-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /brakeman/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /brakeman/
exists:
- '**/*.rb'
eslint-sast: eslint-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /eslint/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /eslint/
exists:
- '**/*.html'
- '**/*.js'
flawfinder-sast: flawfinder-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /flawfinder/
exists:
- '**/*.c'
- '**/*.cpp'
kubesec-sast: kubesec-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /kubesec/ && $SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
$SCAN_KUBERNETES_MANIFESTS == 'true' $SCAN_KUBERNETES_MANIFESTS == 'true'
...@@ -117,87 +129,117 @@ gosec-sast: ...@@ -117,87 +129,117 @@ gosec-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /gosec/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bgo\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /gosec/
exists:
- '**/*.go'
nodejs-scan-sast: nodejs-scan-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
exists:
- '**/*.js'
phpcs-security-audit-sast: phpcs-security-audit-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
exists:
- '**/*.php'
pmd-apex-sast: pmd-apex-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
exists:
- '**/*.cls'
secrets-sast: secrets-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /secrets/ $SAST_DEFAULT_ANALYZERS =~ /secrets/
security-code-scan-sast: security-code-scan-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\#|visual basic\b)/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
exists:
- '**/*.csproj'
- '**/*.vbproj'
sobelow-sast: sobelow-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /sobelow/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /sobelow/
exists:
- '**/*.ex'
- '**/*.exs'
spotbugs-sast: spotbugs-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(groovy|java|scala)\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /spotbugs/
exists:
- '**/*.groovy'
- '**/*.java'
- '**/*.scala'
tslint-sast: tslint-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG" name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG"
only: rules:
variables: - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
- $GITLAB_FEATURES =~ /\bsast\b/ && when: never
$SAST_DEFAULT_ANALYZERS =~ /tslint/ && - if: $CI_COMMIT_BRANCH &&
$CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/ $GITLAB_FEATURES =~ /\bsast\b/ &&
$SAST_DEFAULT_ANALYZERS =~ /tslint/
exists:
- '**/*.ts'
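Review bot: The `exists` globs are narrower than the linguist-based `CI_PROJECT_REPOSITORY_LANGUAGES` matching they replace, so some repositories silently drop out of SAST with no job and no warning. flawfinder-sast matches only `**/*.c` and `**/*.cpp`, which misses `.cc`/`.cxx` sources and header-only C/C++ code that the old `c++` language match would have covered; eslint-sast/nodejs-scan-sast (no `.jsx`/`.mjs`) and tslint-sast (no `.tsx`) have the same gap. Broadening the lists, as below for flawfinder, restores coverage — an occasional spurious analyzer run is cheaper than a scanner that never starts. Separately, because a child's `rules` array replaces rather than merges the parent's, the `when: never` rule has to be repeated verbatim in every analyzer; a comment above `.sast-analyzer` such as `# rules are not inherited through extends: every analyzer must repeat the SAST_DISABLED / SAST_DISABLE_DIND guard` would stop a future copy-paste from re-enabling a job.
```yaml
flawfinder-sast:
  # … unchanged: extends, image, the `when: never` rule …
  rules:
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /flawfinder/
      exists:
        - '**/*.c'
        - '**/*.cc'
        - '**/*.cpp'
        - '**/*.cxx'
        - '**/*.h'
        - '**/*.hpp'
```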