Commit 623760e6 authored by rossfuhrman's avatar rossfuhrman

Move away from docker-in-docker for SAST

With this change, we are no longer using docker-in-docker for SAST for
the gitlab-org/gitlab project
parent 941a175d
...@@ -43,16 +43,16 @@ code_quality: ...@@ -43,16 +43,16 @@ code_quality:
# We need to duplicate this job's definition because it seems it's impossible to # We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`. # override an included `only.refs`.
# See https://gitlab.com/gitlab-org/gitlab/issues/31371. # See https://gitlab.com/gitlab-org/gitlab/issues/31371.
# Once https://gitlab.com/gitlab-org/gitlab/merge_requests/16487 will be deployed .sast:
# to GitLab.com, we should be able to use the template and set SAST_DISABLE_DIND: "true".
sast:
extends: extends:
- .default-retry - .default-retry
- .reports:rules:sast - .reports:rules:sast
- .use-docker-in-docker - .use-docker-in-docker
stage: test stage: test
allow_failure: true # `needs: []` starts the job immediately in the pipeline
# https://docs.gitlab.com/ee/ci/yaml/README.html#needs
needs: [] needs: []
allow_failure: true
artifacts: artifacts:
paths: paths:
- gl-sast-report.json # GitLab-specific - gl-sast-report.json # GitLab-specific
...@@ -63,22 +63,39 @@ sast: ...@@ -63,22 +63,39 @@ sast:
# emptying DOCKER_HOST so it can be detected properly on kubernetes executor # emptying DOCKER_HOST so it can be detected properly on kubernetes executor
# with the script below # with the script below
DOCKER_HOST: "" DOCKER_HOST: ""
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_ANALYZER_IMAGE_TAG: 2
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec # GitLab-specific SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec # GitLab-specific
script: script:
- export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')} - /analyzer run
- |
if ! docker info &>/dev/null; then brakeman-sast:
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then extends: .sast
export DOCKER_HOST='tcp://localhost:2375' image:
fi name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
fi
- | eslint-sast:
ENVS=`printenv | grep -vE '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | sed -n '/^[^\t]/s/=.*//p' | sed '/^$/d' | sed 's/^/-e /g' | tr '\n' ' '` extends: .sast
docker run "$ENVS" \ image:
--volume "$PWD:/code" \ name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code kubesec-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
nodejs-scan-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
secrets-sast:
extends: .sast
image:
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
# We need to duplicate this job's definition because it seems it's impossible to # We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`. # override an included `only.refs`.