Commit b36fc45e authored by Adam Cohen's avatar Adam Cohen Committed by Sean McGivern

Add comments to document internal secure variables

parent c6ec6a91
...@@ -18,6 +18,9 @@ container_scanning: ...@@ -18,6 +18,9 @@ container_scanning:
# file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template # file. See https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html#overriding-the-container-scanning-template
# for details # for details
GIT_STRATEGY: none GIT_STRATEGY: none
# CS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION CS_ANALYZER_IMAGE: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
allow_failure: true allow_failure: true
services: services:
......
...@@ -38,6 +38,9 @@ gemnasium-dependency_scanning: ...@@ -38,6 +38,9 @@ gemnasium-dependency_scanning:
image: image:
name: "$DS_ANALYZER_IMAGE" name: "$DS_ANALYZER_IMAGE"
variables: variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED - if: $DEPENDENCY_SCANNING_DISABLED
...@@ -61,6 +64,9 @@ gemnasium-maven-dependency_scanning: ...@@ -61,6 +64,9 @@ gemnasium-maven-dependency_scanning:
image: image:
name: "$DS_ANALYZER_IMAGE" name: "$DS_ANALYZER_IMAGE"
variables: variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED - if: $DEPENDENCY_SCANNING_DISABLED
...@@ -79,6 +85,9 @@ gemnasium-python-dependency_scanning: ...@@ -79,6 +85,9 @@ gemnasium-python-dependency_scanning:
image: image:
name: "$DS_ANALYZER_IMAGE" name: "$DS_ANALYZER_IMAGE"
variables: variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED - if: $DEPENDENCY_SCANNING_DISABLED
...@@ -104,6 +113,9 @@ bundler-audit-dependency_scanning: ...@@ -104,6 +113,9 @@ bundler-audit-dependency_scanning:
image: image:
name: "$DS_ANALYZER_IMAGE" name: "$DS_ANALYZER_IMAGE"
variables: variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED - if: $DEPENDENCY_SCANNING_DISABLED
...@@ -119,6 +131,9 @@ retire-js-dependency_scanning: ...@@ -119,6 +131,9 @@ retire-js-dependency_scanning:
image: image:
name: "$DS_ANALYZER_IMAGE" name: "$DS_ANALYZER_IMAGE"
variables: variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION" DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
rules: rules:
- if: $DEPENDENCY_SCANNING_DISABLED - if: $DEPENDENCY_SCANNING_DISABLED
......
...@@ -41,6 +41,9 @@ bandit-sast: ...@@ -41,6 +41,9 @@ bandit-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -57,6 +60,9 @@ brakeman-sast: ...@@ -57,6 +60,9 @@ brakeman-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -74,6 +80,9 @@ eslint-sast: ...@@ -74,6 +80,9 @@ eslint-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -94,6 +103,9 @@ flawfinder-sast: ...@@ -94,6 +103,9 @@ flawfinder-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -111,6 +123,9 @@ kubesec-sast: ...@@ -111,6 +123,9 @@ kubesec-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -126,6 +141,9 @@ gosec-sast: ...@@ -126,6 +141,9 @@ gosec-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -147,6 +165,9 @@ mobsf-android-sast: ...@@ -147,6 +165,9 @@ mobsf-android-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
MOBSF_API_KEY: key MOBSF_API_KEY: key
rules: rules:
...@@ -170,6 +191,9 @@ mobsf-ios-sast: ...@@ -170,6 +191,9 @@ mobsf-ios-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
MOBSF_API_KEY: key MOBSF_API_KEY: key
rules: rules:
...@@ -188,6 +212,9 @@ nodejs-scan-sast: ...@@ -188,6 +212,9 @@ nodejs-scan-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -204,6 +231,9 @@ phpcs-security-audit-sast: ...@@ -204,6 +231,9 @@ phpcs-security-audit-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -220,6 +250,9 @@ pmd-apex-sast: ...@@ -220,6 +250,9 @@ pmd-apex-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -236,6 +269,9 @@ security-code-scan-sast: ...@@ -236,6 +269,9 @@ security-code-scan-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -253,6 +289,9 @@ semgrep-sast: ...@@ -253,6 +289,9 @@ semgrep-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:latest" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:latest"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -270,6 +309,9 @@ sobelow-sast: ...@@ -270,6 +309,9 @@ sobelow-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -286,6 +328,9 @@ spotbugs-sast: ...@@ -286,6 +328,9 @@ spotbugs-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
# SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/ - if: $SAST_EXCLUDED_ANALYZERS =~ /spotbugs/
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment