Commit 48698a62 authored by Philippe Lafoucrière's avatar Philippe Lafoucrière

Clean-up secure jobs config

parent 1e6a860a
...@@ -32,11 +32,9 @@ code_quality: ...@@ -32,11 +32,9 @@ code_quality:
brakeman-sast: brakeman-sast:
rules: !reference [".reports:rules:brakeman-sast", rules] rules: !reference [".reports:rules:brakeman-sast", rules]
allow_failure: true
semgrep-sast: semgrep-sast:
rules: !reference [".reports:rules:semgrep-sast", rules] rules: !reference [".reports:rules:semgrep-sast", rules]
allow_failure: true
gosec-sast: gosec-sast:
variables: variables:
...@@ -53,7 +51,6 @@ gosec-sast: ...@@ -53,7 +51,6 @@ gosec-sast:
paths: paths:
- vendor/go - vendor/go
rules: !reference [".reports:rules:gosec-sast", rules] rules: !reference [".reports:rules:gosec-sast", rules]
allow_failure: true
.secret-analyzer: .secret-analyzer:
extends: .default-retry extends: .default-retry
...@@ -65,7 +62,6 @@ gosec-sast: ...@@ -65,7 +62,6 @@ gosec-sast:
secret_detection: secret_detection:
rules: !reference [".reports:rules:secret_detection", rules] rules: !reference [".reports:rules:secret_detection", rules]
allow_failure: true
.ds-analyzer: .ds-analyzer:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template. # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
...@@ -75,6 +71,7 @@ secret_detection: ...@@ -75,6 +71,7 @@ secret_detection:
needs: [] needs: []
variables: variables:
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific
DS_EXCLUDED_ANALYZERS: "gemnasium-maven"
artifacts: artifacts:
paths: paths:
- gl-dependency-scanning-report.json # GitLab-specific - gl-dependency-scanning-report.json # GitLab-specific
...@@ -84,25 +81,16 @@ gemnasium-dependency_scanning: ...@@ -84,25 +81,16 @@ gemnasium-dependency_scanning:
before_script: before_script:
# git-lfs is needed for auto-remediation # git-lfs is needed for auto-remediation
- apk add git-lfs - apk add git-lfs
after_script:
# Post-processing
- apk add jq
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules] rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
allow_failure: true
bundler-audit-dependency_scanning: bundler-audit-dependency_scanning:
rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules] rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
allow_failure: true
retire-js-dependency_scanning: retire-js-dependency_scanning:
rules: !reference [".reports:rules:retire-js-dependency_scanning", rules] rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
allow_failure: true
gemnasium-python-dependency_scanning: gemnasium-python-dependency_scanning:
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules] rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
allow_failure: true
# Analyze dependencies for malicious behavior # Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
...@@ -150,4 +138,3 @@ license_scanning: ...@@ -150,4 +138,3 @@ license_scanning:
artifacts: artifacts:
expire_in: 1 week # GitLab-specific expire_in: 1 week # GitLab-specific
rules: !reference [".reports:rules:license_scanning", rules] rules: !reference [".reports:rules:license_scanning", rules]
allow_failure: true
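Review bot: The added `DS_EXCLUDED_ANALYZERS: "gemnasium-maven"` line in the .ds-analyzer hunk has no comment, while its sibling `DS_EXCLUDED_PATHS` is tagged `# GitLab-specific` and the commit message gives no reason for skipping the Maven analyzer, so a later reader cannot tell whether this is a deliberate scope reduction or a workaround. Suggest `DS_EXCLUDED_ANALYZERS: "gemnasium-maven" # GitLab-specific: <reason the Maven analyzer is skipped>` so the exclusion is reviewable next to the other overrides. The remaining hunks of this section drop `allow_failure: true` from every secure job, which presumably makes analyzer failures block the pipeline; that rationale is worth recording in the same file so the stricter posture is not undone as an accidental "clean-up" later. The .ds-analyzer definition begins in the preceding hunk.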