Commit 56a067b7 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch '234011-remove-secret-sast-from-sast-template' into 'master'

Remove secret_detection job from vendored SAST CI template

See merge request gitlab-org/gitlab!40028
parents 91e71c4f dbbb4703
......@@ -81,7 +81,13 @@ nodejs-scan-sast:
secrets-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:3"
artifacts:
paths:
- gl-secret-detection-report.json # GitLab-specific
reports:
sast: gl-secret-detection-report.json
expire_in: 1 week # GitLab-specific
# We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`.
......
---
title: Remove secret_detection job from vendored SAST CI template
merge_request: 40028
author:
type: removed
......@@ -28,7 +28,6 @@ SAST supports the following official analyzers:
- [`nodejs-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan) (NodeJsScan)
- [`phpcs-security-audit`](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit) (PHP CS security-audit)
- [`pmd-apex`](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex) (PMD (Apex only))
- [`secrets`](https://gitlab.com/gitlab-org/security-products/analyzers/secrets) (Secrets (Gitleaks & TruffleHog secret detectors))
- [`security-code-scan`](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) (Security Code Scan (.NET))
- [`sobelow`](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow) (Sobelow (Elixir Phoenix))
- [`spotbugs`](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs) (SpotBugs with the Find Sec Bugs plugin (Ant, Gradle and wrapper, Grails, Maven and wrapper, SBT))
......
......@@ -65,7 +65,6 @@ The following table shows which languages, package managers and frameworks are s
|--------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| .NET Core | [Security Code Scan](https://security-code-scan.github.io) | 11.0, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
| .NET Framework | [Security Code Scan](https://security-code-scan.github.io) | 13.0, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
| Any | [Gitleaks](https://github.com/zricethezav/gitleaks) and [TruffleHog](https://github.com/dxa4481/truffleHog) | 11., [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
| Apex (Salesforce) | [PMD](https://pmd.github.io/pmd/index.html) | 12.1, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
| C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
| Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.10, [moved](https://gitlab.com/groups/gitlab-org/-/epics/2098) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.3 |
......@@ -340,11 +339,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
| `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` |
| `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. |
| `SAST_FLAWFINDER_LEVEL` | 1 | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk. |
| `SAST_GITLEAKS_ENTROPY_LEVEL` | 8.0 | Minimum entropy for secret detection. Float, 0.0 = low, 8.0 = high. |
| `SAST_GOSEC_LEVEL` | 0 | Ignore Gosec vulnerabilities under given confidence level. Integer, 0=Undefined, 1=Low, 2=Medium, 3=High. |
| `SAST_GITLEAKS_COMMIT_FROM` | | The commit a Gitleaks scan starts at. |
| `SAST_GITLEAKS_COMMIT_TO` | | The commit a Gitleaks scan ends at. |
| `SAST_GITLEAKS_HISTORIC_SCAN` | `false` | Flag to enable a historic Gitleaks scan. |
#### Docker-in-Docker orchestrator
......@@ -543,7 +538,6 @@ registry.gitlab.com/gitlab-org/security-products/analyzers/kubesec:2
registry.gitlab.com/gitlab-org/security-products/analyzers/nodejs-scan:2
registry.gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit:2
registry.gitlab.com/gitlab-org/security-products/analyzers/pmd-apex:2
registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:2
registry.gitlab.com/gitlab-org/security-products/analyzers/security-code-scan:2
registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow:2
registry.gitlab.com/gitlab-org/security-products/analyzers/spotbugs:2
......
......@@ -36,28 +36,27 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
using RSpec::Parameterized::TableSyntax
where(:case_name, :files, :variables, :include_build_names) do
'No match' | { 'README.md' => '' } | {} | %w(secrets-sast)
'Apex' | { 'app.cls' => '' } | {} | %w(pmd-apex-sast secrets-sast)
'C' | { 'app.c' => '' } | {} | %w(flawfinder-sast secrets-sast)
'C++' | { 'app.cpp' => '' } | {} | %w(flawfinder-sast secrets-sast)
'C#' | { 'app.csproj' => '' } | {} | %w(security-code-scan-sast secrets-sast)
'Elixir' | { 'mix.exs' => '' } | {} | %w(sobelow-sast secrets-sast)
'Golang' | { 'main.go' => '' } | {} | %w(gosec-sast secrets-sast)
'Groovy' | { 'app.groovy' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast secrets-sast)
'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast secrets-sast)
'Javascript Node' | { 'package.json' => '' } | {} | %w(nodejs-scan-sast secrets-sast)
'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast secrets-sast)
'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast secrets-sast)
'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast spotbugs-sast secrets-sast)
'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast secrets-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast secrets-sast)
'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast secrets-sast)
'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast secrets-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast secrets-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast secrets-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast secrets-sast)
'Apex' | { 'app.cls' => '' } | {} | %w(pmd-apex-sast)
'C' | { 'app.c' => '' } | {} | %w(flawfinder-sast)
'C++' | { 'app.cpp' => '' } | {} | %w(flawfinder-sast)
'C#' | { 'app.csproj' => '' } | {} | %w(security-code-scan-sast)
'Elixir' | { 'mix.exs' => '' } | {} | %w(sobelow-sast)
'Golang' | { 'main.go' => '' } | {} | %w(gosec-sast)
'Groovy' | { 'app.groovy' => '' } | {} | %w(spotbugs-sast)
'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast)
'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast)
'Javascript Node' | { 'package.json' => '' } | {} | %w(nodejs-scan-sast)
'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast)
'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast)
'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast spotbugs-sast)
'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast)
'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast)
'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast)
end
with_them do
......
......@@ -9,7 +9,7 @@ variables:
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec"
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec"
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SAST_ANALYZER_IMAGE_TAG: 2
SAST_DISABLE_DIND: "true"
......@@ -186,18 +186,6 @@ pmd-apex-sast:
exists:
- '**/*.cls'
secrets-sast:
extends: .sast-analyzer
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /secrets/
security-code-scan-sast:
extends: .sast-analyzer
image:
......
......@@ -513,7 +513,7 @@ RSpec.describe Ci::CreatePipelineService do
it 'pull it from Auto-DevOps' do
pipeline = execute_service
expect(pipeline).to be_auto_devops_source
expect(pipeline.builds.map(&:name)).to match_array(%w[build code_quality eslint-sast secret_detection_default_branch secrets-sast test])
expect(pipeline.builds.map(&:name)).to match_array(%w[build code_quality eslint-sast secret_detection_default_branch test])
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment