Commit b66b1ca9 authored by Tetiana Chupryna

Merge branch 'revert-4c24d8aa' into 'master'

Revert "feat: Update SECURE_ANALYZER_PREFIX in all Sec Section templates"

See merge request gitlab-org/gitlab!80195
parents 6c7980a7 45aeaf01
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
extends: extends:
- .reports:rules:schedule-dast - .reports:rules:schedule-dast
image: image:
name: "registry.gitlab.com/security-products/dast:$DAST_VERSION" name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
resource_group: dast_scan resource_group: dast_scan
variables: variables:
DAST_USERNAME_FIELD: "user[login]" DAST_USERNAME_FIELD: "user[login]"
......
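Review bot: `image.name` in this job is a hard-coded `registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION` rather than `$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION`, so this scheduled DAST job sits outside the global prefix override and had to be edited by hand in both the feature and this revert. If the hard-coding is deliberate for GitLab's own pipeline, a one-line comment saying so would stop the next registry move from missing it.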
...@@ -2,8 +2,8 @@ ...@@ -2,8 +2,8 @@
"$schema": "http://json-schema.org/draft-07/schema#", "$schema": "http://json-schema.org/draft-07/schema#",
"global": [ "global": [
{ {
"field": "SECURE_ANALYZERS_PREFIX", "field" : "SECURE_ANALYZERS_PREFIX",
"label": "Image prefix", "label" : "Image prefix",
"type": "string", "type": "string",
"default_value": "", "default_value": "",
"value": "", "value": "",
......
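Review bot: the restored `"field" : "SECURE_ANALYZERS_PREFIX"` and `"label" : "Image prefix"` put a space before the colon while `"type":` and `"default_value":` on the following lines do not; a revert does not have to bring back whitespace noise, so keep the `"field":` spelling from the left column.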
...@@ -1163,11 +1163,11 @@ Steps: ...@@ -1163,11 +1163,11 @@ Steps:
The Docker image for API Fuzzing must be pulled (downloaded) from the public registry and then pushed (imported) into a local registry. The GitLab container registry can be used to locally host the Docker image. This process can be performed using a special template. See [loading Docker images onto your offline host](../offline_deployments/index.md#loading-docker-images-onto-your-offline-host) for instructions. The Docker image for API Fuzzing must be pulled (downloaded) from the public registry and then pushed (imported) into a local registry. The GitLab container registry can be used to locally host the Docker image. This process can be performed using a special template. See [loading Docker images onto your offline host](../offline_deployments/index.md#loading-docker-images-onto-your-offline-host) for instructions.
Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-security:1` results in a valid image location. Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-fuzzing:1` results in a valid image location.
For example, the below line sets a registry for the image `registry.gitlab.com/security-products/api-security:1`: For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`:
`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"` `SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
NOTE: NOTE:
Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates. Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates.
......
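Review bot: the NOTE "changes the Docker image registry location for all GitLab Secure templates" is contradicted by the index page restored in this same revert, which carves out container scanning (it keeps `registry.gitlab.com/security-products/container-scanning`). Either qualify the NOTE or point it at the override section so an offline admin does not assume one variable covers every scanner.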
...@@ -1125,9 +1125,9 @@ Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable ...@@ -1125,9 +1125,9 @@ Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable
NOTE: NOTE:
DAST API and API Fuzzing both use the same underlying Docker image `api-fuzzing:1`. DAST API and API Fuzzing both use the same underlying Docker image `api-fuzzing:1`.
For example, the below line sets a registry for the image `registry.gitlab.com/security-products/api-fuzzing:1`: For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`:
`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"` `SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
NOTE: NOTE:
Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates. Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates.
......
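Review bot: the offline instructions have the admin mirror `api-fuzzing:1`, a major-version tag that the dependency-scanning troubleshooting text in this same diff describes as pulling "the latest" image. Add that a mirrored copy is frozen at import time and needs a periodic re-import (or pin the mirror by digest); otherwise the offline scanner silently stops receiving analyzer updates while the docs imply it tracks the public image.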
...@@ -45,7 +45,7 @@ Any custom change to the official analyzers can be achieved by using a ...@@ -45,7 +45,7 @@ Any custom change to the official analyzers can be achieved by using a
You can switch to a custom Docker registry that provides the official analyzer You can switch to a custom Docker registry that provides the official analyzer
images under a different prefix. For instance, the following instructs Dependency images under a different prefix. For instance, the following instructs Dependency
Scanning to pull `my-docker-registry/gl-images/gemnasium` Scanning to pull `my-docker-registry/gl-images/gemnasium`
instead of `registry.gitlab.com/security-products/dependency-scanning/gemnasium`. instead of `registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium`.
In `.gitlab-ci.yml` define: In `.gitlab-ci.yml` define:
```yaml ```yaml
......
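Review bot: this section presents `SECURE_ANALYZERS_PREFIX` purely as a mirror setting, but whoever can set it (in `.gitlab-ci.yml`, or as a project or group CI/CD variable) chooses which image runs with the repository checkout and the job's credentials, so the custom registry should be write-protected and a change to this value reviewed like any other pipeline change; one sentence here would make that trust boundary explicit. Also, the example `my-docker-registry/gl-images/gemnasium` carries no tag while the templates in this diff always append one (`:$DS_MAJOR_VERSION`); showing the tag avoids readers mirroring an untagged image.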
...@@ -779,11 +779,11 @@ import the following default dependency scanning analyzer images from `registry. ...@@ -779,11 +779,11 @@ import the following default dependency scanning analyzer images from `registry.
your [local Docker container registry](../../packages/container_registry/index.md): your [local Docker container registry](../../packages/container_registry/index.md):
```plaintext ```plaintext
registry.gitlab.com/security-products/dependency-scanning/gemnasium:2 registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
registry.gitlab.com/security-products/dependency-scanning/gemnasium-maven:2 registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2
registry.gitlab.com/security-products/dependency-scanning/gemnasium-python:2 registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2
registry.gitlab.com/security-products/dependency-scanning/retire.js:2 registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
registry.gitlab.com/security-products/dependency-scanning/bundler-audit:2 registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
``` ```
The process for importing Docker images into a local offline Docker registry depends on The process for importing Docker images into a local offline Docker registry depends on
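Review bot: the `:2` tags in this list are only correct while they match the template's `DS_MAJOR_VERSION`, which (per the troubleshooting hunk below) is what `DS_ANALYZER_IMAGE` appends. Tell offline admins to take the tag from `DS_MAJOR_VERSION` in the template version they actually run rather than copying this list, otherwise a template bump leaves air-gapped pipelines pulling a tag that was never mirrored.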
...@@ -1082,4 +1082,4 @@ analyzers, edit your `gitlab-ci.yml` file and either: ...@@ -1082,4 +1082,4 @@ analyzers, edit your `gitlab-ci.yml` file and either:
For example, currently the `gemnasium-maven-dependency_scanning` job pulls the latest For example, currently the `gemnasium-maven-dependency_scanning` job pulls the latest
`gemnasium-maven` Docker image because `DS_ANALYZER_IMAGE` is set to `gemnasium-maven` Docker image because `DS_ANALYZER_IMAGE` is set to
`"$SECURE_ANALYZERS_PREFIX/dependency-scanning/gemnasium-maven:$DS_MAJOR_VERSION"`. `"$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"`.
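Review bot: "pulls the latest `gemnasium-maven` Docker image" overstates it: with `:$DS_MAJOR_VERSION` the job pulls the newest image within that major version, not the newest release. Say "the latest image for the configured major version" so readers do not assume they are on the current analyzer.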
...@@ -92,9 +92,11 @@ For more details about each of the security scanning tools, see their respective ...@@ -92,9 +92,11 @@ For more details about each of the security scanning tools, see their respective
### Override the default registry base address ### Override the default registry base address
By default, GitLab security scanners use `registry.gitlab.com/security-products` as the By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/security-products/analyzers` as the
base address for Docker images. You can override this globally by setting the CI/CD variable base address for Docker images. You can override this globally by setting the CI/CD variable
`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once. `SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once, except
the container-scanning analyzer which uses
`registry.gitlab.com/security-products/container-scanning` as its registry.
### Use security scanning tools with merge request pipelines ### Use security scanning tools with merge request pipelines
......
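Review bot: the restored carve-out means a single `SECURE_ANALYZERS_PREFIX` override does not air-gap a pipeline, because container scanning keeps pulling from `registry.gitlab.com/security-products/container-scanning`; name the variable that overrides that image (or link the container scanning page) right here, since "affects all scanners at once" is the sentence an offline admin will read and act on.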
...@@ -179,7 +179,7 @@ set -ux ...@@ -179,7 +179,7 @@ set -ux
# Specify needed analyzer images # Specify needed analyzer images
analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"} analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"}
gitlab=registry.gitlab.com/security-products/sast/ gitlab=registry.gitlab.com/gitlab-org/security-products/analyzers/
for i in "${analyzers[@]}" for i in "${analyzers[@]}"
do do
......
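Review bot: `analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"}` assigns a plain string, so `for i in "${analyzers[@]}"` runs once with `i` set to the whole string `bandit eslint gosec` and the loop builds a single nonsense image name under `$gitlab`; either declare an array (`analyzers=(${SAST_ANALYZERS:-bandit eslint gosec})`) or iterate over the unquoted string so word splitting yields the three names. This is unchanged context rather than part of the revert, but it is the script offline users copy.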
...@@ -669,7 +669,7 @@ import the following default License Compliance analyzer images from `registry.g ...@@ -669,7 +669,7 @@ import the following default License Compliance analyzer images from `registry.g
offline [local Docker container registry](../../packages/container_registry/index.md): offline [local Docker container registry](../../packages/container_registry/index.md):
```plaintext ```plaintext
registry.gitlab.com/security-products/license-compliance/license-finder:latest registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
``` ```
The process for importing Docker images into a local offline Docker registry depends on The process for importing Docker images into a local offline Docker registry depends on
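Review bot: the image to mirror is given as `license-finder:latest`, but the two `docker run` examples further down this same page use `license-finder:3`; mirroring `:latest` into an offline registry also gives the copied image no stable identity, so list the major-version tag the template actually references and note that the mirror is frozen at import time.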
...@@ -872,7 +872,7 @@ A full list of variables can be found in [CI/CD variables](#available-cicd-varia ...@@ -872,7 +872,7 @@ A full list of variables can be found in [CI/CD variables](#available-cicd-varia
To find out what tools are pre-installed in the `license_scanning` Docker image use the following command: To find out what tools are pre-installed in the `license_scanning` Docker image use the following command:
```shell ```shell
$ docker run --entrypoint='' registry.gitlab.com/security-products/license-compliance/license-finder:3 /bin/bash -lc 'asdf list' $ docker run --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -lc 'asdf list'
golang golang
1.14 1.14
gradle gradle
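Review bot: both `docker run` examples on this page omit `--rm`, so each inspection leaves a stopped container holding the analyzer filesystem on the admin's host; add `--rm` to the commands.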
...@@ -899,7 +899,7 @@ sbt ...@@ -899,7 +899,7 @@ sbt
To interact with the `license_scanning` runtime environment use the following command: To interact with the `license_scanning` runtime environment use the following command:
```shell ```shell
$ docker run -it --entrypoint='' registry.gitlab.com/security-products/license-compliance/license-finder:3 /bin/bash -l $ docker run -it --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -l
root@6abb70e9f193:~# root@6abb70e9f193:~#
``` ```
......
...@@ -139,19 +139,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do ...@@ -139,19 +139,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
let(:expected_configuration) do let(:expected_configuration) do
{ {
'secret-detection-0': hash_including( 'secret-detection-0': hash_including(
rules: [ rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
{ if: '$SECRET_DETECTION_DISABLED', when: 'never' },
{
if: '$CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX',
variables: { SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX" }
},
{
if: "$CI_COMMIT_BRANCH",
variables: { SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" }
}
],
stage: 'test', stage: 'test',
image: '$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION', image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
services: [], services: [],
allow_failure: true, allow_failure: true,
artifacts: { artifacts: {
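Review bot: this expectation now pins the job image to `$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION` and drops the `DEFAULT_`/`DEPRECATED_` prefix rules, so it passes only if the Secret-Detection template is reverted to the `secrets` image name in the same MR. That template hunk is not in this diff, so confirm it is part of the revert rather than relying on the pipeline to surface a mismatch.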
...@@ -161,9 +151,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do ...@@ -161,9 +151,7 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
}, },
variables: { variables: {
GIT_DEPTH: '50', GIT_DEPTH: '50',
SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix, SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
DEFAULT_SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
DEPRECATED_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
SECRETS_ANALYZER_VERSION: '3', SECRETS_ANALYZER_VERSION: '3',
SECRET_DETECTION_EXCLUDED_PATHS: '', SECRET_DETECTION_EXCLUDED_PATHS: '',
SECRET_DETECTION_HISTORIC_SCAN: 'false' SECRET_DETECTION_HISTORIC_SCAN: 'false'
......
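Review bot: the right column hard-codes `'registry.gitlab.com/gitlab-org/security-products/analyzers'` where the left used the `secure_analyzers_prefix` helper; make sure the `let(:secure_analyzers_prefix)` definition goes too (otherwise it survives as an unused binding), or better keep the helper so the next registry move is a one-line change in this spec.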
...@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do ...@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
describe 'the template file' do describe 'the template file' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) } let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) } let(:contents) { File.read(template_filename) }
let(:production_registry) { '$SECURE_ANALYZERS_PREFIX/api-security:$FUZZAPI_VERSION' } let(:production_registry) { '${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}' }
let(:staging_registry) { '$SECURE_ANALYZERS_PREFIX/api-security-src:$FUZZAPI_VERSION' } let(:staging_registry) { '${SECURE_ANALYZERS_PREFIX}/api-fuzzing-src:${FUZZAPI_VERSION}' }
# Make sure future changes to the template use the production container registry. # Make sure future changes to the template use the production container registry.
# #
......
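Review bot: this guard is a literal substring match, and the two columns differ not only in image name but in `$VAR` versus `${VAR}` brace style; a future template that writes `$SECURE_ANALYZERS_PREFIX/api-fuzzing:$FUZZAPI_VERSION` without braces would fail the "production container registry" check for a purely cosmetic reason. Match with a regex that accepts both spellings so the test fails only on a real registry change.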
...@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do ...@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do
describe 'the template file' do describe 'the template file' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) } let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) } let(:contents) { File.read(template_filename) }
let(:production_registry) { 'FUZZAPI_IMAGE: "api-security"' } let(:production_registry) { 'FUZZAPI_IMAGE: api-fuzzing' }
let(:staging_registry) { 'FUZZAPI_IMAGE: api-security-src' } let(:staging_registry) { 'FUZZAPI_IMAGE: api-fuzzing-src' }
# Make sure future changes to the template use the production container registry. # Make sure future changes to the template use the production container registry.
# #
......
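Review bot: the production/staging guard here asserts only `FUZZAPI_IMAGE: api-fuzzing` and never the registry prefix, so a template that pointed `SECURE_ANALYZERS_PREFIX` at a staging registry would still pass a check whose stated purpose is to keep the template on the production registry; assert on the prefix as well.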
...@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.gitlab-ci.yml' do ...@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.gitlab-ci.yml' do
describe 'the template file' do describe 'the template file' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) } let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) } let(:contents) { File.read(template_filename) }
let(:production_registry) { 'DAST_API_IMAGE: "api-security"' } let(:production_registry) { '$SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION' }
let(:staging_registry) { 'DAST_API_IMAGE: "api-security-src"' } let(:staging_registry) { '$SECURE_ANALYZERS_PREFIX/api-fuzzing-src:$DAST_API_VERSION' }
# Make sure future changes to the template use the production container registry. # Make sure future changes to the template use the production container registry.
# #
......
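Review bot: the DAST-API spec now matches the full `$SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION` string while the DAST-API.latest spec below matches the `DAST_API_IMAGE: api-fuzzing` variable line, so the two templates are guarded against different kinds of drift; pick one style for both so a regression in either template is caught the same way.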
...@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.latest.gitlab-ci.yml' do ...@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.latest.gitlab-ci.yml' do
describe 'the template file' do describe 'the template file' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) } let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) } let(:contents) { File.read(template_filename) }
let(:production_registry) { 'DAST_API_IMAGE: api-security' } let(:production_registry) { 'DAST_API_IMAGE: api-fuzzing' }
let(:staging_registry) { 'DAST_API_IMAGE: api-security-src' } let(:staging_registry) { 'DAST_API_IMAGE: api-fuzzing-src' }
# Make sure future changes to the template use the production container registry. # Make sure future changes to the template use the production container registry.
# #
......
...@@ -114,9 +114,10 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do ...@@ -114,9 +114,10 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
with_them do with_them do
let(:project) { create(:project, :custom_repo, files: files_at_depth_x) } let(:project) { create(:project, :custom_repo, files: files_at_depth_x) }
let(:files_at_depth_x) { files }
context 'with file at root' do context 'with file at root' do
let(:files_at_depth_x) { files }
it 'creates a pipeline with the expected jobs' do it 'creates a pipeline with the expected jobs' do
expect(build_names).to include(*include_build_names) expect(build_names).to include(*include_build_names)
end end
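Review bot: moving `let(:files_at_depth_x) { files }` back inside `context 'with file at root'` is safe only if no sibling context in this `with_them` block still depends on it; the `project` definition above it does reference `files_at_depth_x`, so any other context that builds `project` without defining its own `files_at_depth_x` now fails with NameError.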
...@@ -147,8 +148,6 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do ...@@ -147,8 +148,6 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError) expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end end
end end
it_behaves_like 'setting sec analyzer prefix dynamically', builds: params[:include_build_names], files: params[:files], namespace: 'dependency-scanning'
end end
end end
......
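Review bot: with this call site and the SAST, SAST-IaC and Secret-Detection ones removed, the `'setting sec analyzer prefix dynamically'` shared example has no users unless its definition is deleted in a hunk not shown here; confirm that. Note also that after the revert nothing asserts that a project-supplied `SECURE_ANALYZERS_PREFIX` actually reaches the job image, which is the property offline deployments depend on, so a simpler version of that check is worth keeping.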
...@@ -98,8 +98,6 @@ RSpec.describe 'SAST.gitlab-ci.yml' do ...@@ -98,8 +98,6 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
it 'creates a pipeline with the expected jobs' do it 'creates a pipeline with the expected jobs' do
expect(build_names).to include(*include_build_names) expect(build_names).to include(*include_build_names)
end end
include_examples 'setting sec analyzer prefix dynamically', builds: params[:include_build_names], files: params[:files], namespace: 'sast'
end end
end end
end end
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'SAST-IaC.latest.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST-IaC.latest') }
describe 'the created pipeline' do
let(:default_branch) { 'master' }
let(:files) { { 'README.md' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:user) { project.first_owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
let(:pipeline) { service.execute!(:push).payload }
let(:build_names) { pipeline.builds.pluck(:name) }
before do
stub_ci_pipeline_yaml_file(template.content)
allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
allow(worker).to receive(:perform).and_return(true)
end
allow(project).to receive(:default_branch).and_return(default_branch)
end
context 'when project has no license' do
context 'when SAST_DISABLED=1' do
before do
create(:ci_variable, project: project, key: 'SAST_DISABLED', value: '1')
end
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
end
context 'by default' do
it 'creates a pipeline with the expected jobs' do
expect(build_names).to match_array(%w(kics-iac-sast))
end
end
describe 'setting SECURE_ANALYZER_PREFIX' do
it_behaves_like 'setting sec analyzer prefix dynamically', builds: %w(kics-iac-sast), namespace: 'sast'
end
end
end
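Review bot: only the `describe 'setting SECURE_ANALYZER_PREFIX'` block is tied to the reverted feature; the `SAST_DISABLED=1` and "by default creates `kics-iac-sast`" cases are useful on their own, so consider keeping this file minus that block rather than deleting it. If it comes back, fix the describe string: the variable is `SECURE_ANALYZERS_PREFIX`, not `SECURE_ANALYZER_PREFIX`.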
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'Secret-Detection.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Secret-Detection') }
describe 'the created pipeline' do
let(:default_branch) { 'master' }
let(:files) { { 'README.md' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:user) { project.first_owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
let(:pipeline) { service.execute!(:push).payload }
let(:build_names) { pipeline.builds.pluck(:name) }
before do
stub_ci_pipeline_yaml_file(template.content)
allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
allow(worker).to receive(:perform).and_return(true)
end
allow(project).to receive(:default_branch).and_return(default_branch)
end
context 'when project has no license' do
context 'when SECRET_DETECTION_DISABLED=1' do
before do
create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: '1')
end
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
context 'by default' do
it 'creates a pipeline with the expected jobs' do
expect(build_names).to match_array(%w(secret_detection))
end
end
describe 'setting SECURE_ANALYZER_PREFIX' do
it_behaves_like 'setting sec analyzer prefix dynamically', builds: %w(secret_detection)
end
end
end
end
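Review bot: as with the SAST-IaC spec, the `SECRET_DETECTION_DISABLED=1` and "by default" cases are worth keeping. If this file is restored, counting the `end`s shows the "by default" context and the prefix `describe` sit inside `context 'when project has no license'`, whereas the SAST-IaC spec has them at the top level of the `describe`; the nesting should match, and the describe string carries the same `SECURE_ANALYZER_PREFIX` typo.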
...@@ -52,7 +52,7 @@ RSpec.describe 'Secure-Binaries.gitlab-ci.yml' do ...@@ -52,7 +52,7 @@ RSpec.describe 'Secure-Binaries.gitlab-ci.yml' do
it_behaves_like 'an offline image download job' do it_behaves_like 'an offline image download job' do
it 'sets SECURE_BINARIES_IMAGE explicitly' do it 'sets SECURE_BINARIES_IMAGE explicitly' do
image = '${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}' image = 'registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
expect(build.variables.to_hash).to include('SECURE_BINARIES_IMAGE' => image) expect(build.variables.to_hash).to include('SECURE_BINARIES_IMAGE' => image)
end end
......
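Review bot: after the revert `SECURE_BINARIES_IMAGE` is pinned to `registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}` while every other template in this diff goes back to `registry.gitlab.com/gitlab-org/security-products/analyzers`; the offline download job therefore fetches from one registry while the scanners it feeds expect images from another, and `SECURE_ANALYZERS_PREFIX` no longer influences the download job at all. State which registry is authoritative for Secure-Binaries, or build the download image from the prefix as the left column did.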
...@@ -28,13 +28,9 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d ...@@ -28,13 +28,9 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
it 'returns prepared CI configuration with Secret Detection scans' do it 'returns prepared CI configuration with Secret Detection scans' do
expected_configuration = { expected_configuration = {
rules: [ rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
{ if: '$SECRET_DETECTION_DISABLED', when: 'never' },
{ if: '$CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX', variables: { SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX" } },
{ if: '$CI_COMMIT_BRANCH', variables: { SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" } }
],
stage: 'test', stage: 'test',
image: '$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION', image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
services: [], services: [],
allow_failure: true, allow_failure: true,
artifacts: { artifacts: {
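Review bot: this expected configuration duplicates the one in the Processor spec hunk above (same rules, same `$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION` image, same variables), and the revert has to patch both in lockstep; extracting the shared expectation into one helper would make the next registry change a single edit and remove the chance of the two specs disagreeing.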
...@@ -44,9 +40,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d ...@@ -44,9 +40,7 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
}, },
variables: { variables: {
GIT_DEPTH: '50', GIT_DEPTH: '50',
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products', SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
DEFAULT_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products',
DEPRECATED_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
SECRETS_ANALYZER_VERSION: '3', SECRETS_ANALYZER_VERSION: '3',
SECRET_DETECTION_EXCLUDED_PATHS: '', SECRET_DETECTION_EXCLUDED_PATHS: '',
SECRET_DETECTION_HISTORIC_SCAN: 'false' SECRET_DETECTION_HISTORIC_SCAN: 'false'
......
variables: variables:
# Setting this variable will affect all Security templates # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
iac-sast: iac-sast:
...@@ -35,9 +31,4 @@ kics-iac-sast: ...@@ -35,9 +31,4 @@ kics-iac-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /kics/ - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
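Review bot: the removed fallback rule `- if: $CI_COMMIT_BRANCH` with `SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"` fires exactly when the preceding rule's `$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX` test is false, that is, when a user had set a custom prefix; for an override made in the `.gitlab-ci.yml` `variables:` block the job-level `rules:variables` takes precedence, so the shim replaced the user's mirror with the deprecated public path and defeated the offline use case the variable exists for. Reverting is the right call; if this is re-landed, the fallback rule must leave `SECURE_ANALYZERS_PREFIX` untouched and only the "prefix is still the default" rule should rewrite it.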
...@@ -6,10 +6,7 @@ ...@@ -6,10 +6,7 @@
variables: variables:
# Setting this variable will affect all Security templates # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_EXCLUDED_ANALYZERS: "" SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp" SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
...@@ -48,14 +45,7 @@ bandit-sast: ...@@ -48,14 +45,7 @@ bandit-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /bandit/ - if: $SAST_EXCLUDED_ANALYZERS =~ /bandit/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.py'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.py' - '**/*.py'
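Review bot: the removed rules duplicate each analyzer's `exists:` list in two rules that differ only in which prefix they assign, and the same doubling repeats for every job below (brakeman, eslint, flawfinder, kubesec, gosec, mobsf, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan); if the prefix shim returns, compute the prefix once in the shared `.sast-analyzer` base rather than once per rule, so a later edit to an `exists:` list cannot drift between its two copies.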
...@@ -71,15 +61,7 @@ brakeman-sast: ...@@ -71,15 +61,7 @@ brakeman-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/ - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.rb'
- '**/Gemfile'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.rb' - '**/*.rb'
- '**/Gemfile' - '**/Gemfile'
...@@ -96,18 +78,7 @@ eslint-sast: ...@@ -96,18 +78,7 @@ eslint-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /eslint/ - if: $SAST_EXCLUDED_ANALYZERS =~ /eslint/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.html'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.html' - '**/*.html'
- '**/*.js' - '**/*.js'
...@@ -127,15 +98,7 @@ flawfinder-sast: ...@@ -127,15 +98,7 @@ flawfinder-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/ - if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.c'
- '**/*.cpp'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.c' - '**/*.c'
- '**/*.cpp' - '**/*.cpp'
...@@ -152,15 +115,8 @@ kubesec-sast: ...@@ -152,15 +115,8 @@ kubesec-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/ - if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$SCAN_KUBERNETES_MANIFESTS == 'true' &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SCAN_KUBERNETES_MANIFESTS == 'true' $SCAN_KUBERNETES_MANIFESTS == 'true'
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
gosec-sast: gosec-sast:
extends: .sast-analyzer extends: .sast-analyzer
...@@ -174,14 +130,7 @@ gosec-sast: ...@@ -174,14 +130,7 @@ gosec-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /gosec/ - if: $SAST_EXCLUDED_ANALYZERS =~ /gosec/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.go'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.go' - '**/*.go'
...@@ -200,18 +149,8 @@ mobsf-android-sast: ...@@ -200,18 +149,8 @@ mobsf-android-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/ - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true' &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.apk'
- '**/AndroidManifest.xml'
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true' $SAST_EXPERIMENTAL_FEATURES == 'true'
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.apk' - '**/*.apk'
- '**/AndroidManifest.xml' - '**/AndroidManifest.xml'
...@@ -223,18 +162,8 @@ mobsf-ios-sast: ...@@ -223,18 +162,8 @@ mobsf-ios-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/ - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true' &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.ipa'
- '**/*.xcodeproj/*'
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true' $SAST_EXPERIMENTAL_FEATURES == 'true'
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.ipa' - '**/*.ipa'
- '**/*.xcodeproj/*' - '**/*.xcodeproj/*'
...@@ -251,14 +180,7 @@ nodejs-scan-sast: ...@@ -251,14 +180,7 @@ nodejs-scan-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/ - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/package.json'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/package.json' - '**/package.json'
...@@ -274,14 +196,7 @@ phpcs-security-audit-sast: ...@@ -274,14 +196,7 @@ phpcs-security-audit-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/ - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.php'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.php' - '**/*.php'
...@@ -297,14 +212,7 @@ pmd-apex-sast: ...@@ -297,14 +212,7 @@ pmd-apex-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/ - if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.cls'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.cls' - '**/*.cls'
...@@ -313,7 +221,6 @@ security-code-scan-sast: ...@@ -313,7 +221,6 @@ security-code-scan-sast:
image: image:
name: "$SAST_ANALYZER_IMAGE" name: "$SAST_ANALYZER_IMAGE"
variables: variables:
SAST_ANALYZER_IMAGE_TAG: '3'
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG" SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules: rules:
- if: $SAST_DISABLED - if: $SAST_DISABLED
...@@ -322,29 +229,15 @@ security-code-scan-sast: ...@@ -322,29 +229,15 @@ security-code-scan-sast:
when: never when: never
# This rule shim will be removed in %15.0, # This rule shim will be removed in %15.0,
# See https://gitlab.com/gitlab-org/gitlab/-/issues/350935 # See https://gitlab.com/gitlab-org/gitlab/-/issues/350935
- if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14' && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SAST_ANALYZER_IMAGE_TAG: '2'
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.csproj'
- '**/*.vbproj'
- if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14' - if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14'
variables: variables:
SAST_ANALYZER_IMAGE_TAG: '2' SAST_ANALYZER_IMAGE_TAG: '2'
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.csproj'
- '**/*.vbproj'
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists: exists:
- '**/*.csproj' - '**/*.csproj'
- '**/*.vbproj' - '**/*.vbproj'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables: variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" SAST_ANALYZER_IMAGE_TAG: '3'
exists: exists:
- '**/*.csproj' - '**/*.csproj'
- '**/*.vbproj' - '**/*.vbproj'
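Review bot: with `SAST_ANALYZER_IMAGE_TAG: '3'` removed from the job-level `variables:` in the preceding hunk, the tag for `security-code-scan` is now defined only inside `rules:` (`'2'` on a 14.x server, `'3'` otherwise). `SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"` is what `image:` expands, so a project that overrides `rules:` for this job would end up pulling `security-code-scan:` with an empty tag. Suggest keeping `SAST_ANALYZER_IMAGE_TAG: '3'` as the job-level default and letting the `$CI_SERVER_VERSION_MAJOR == '14'` rule override it. The `# This rule shim will be removed in %15.0` comment still describes the rule it now sits above, so it can stay.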
...@@ -361,20 +254,7 @@ semgrep-sast: ...@@ -361,20 +254,7 @@ semgrep-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/ - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.go'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.py' - '**/*.py'
- '**/*.js' - '**/*.js'
...@@ -396,14 +276,7 @@ sobelow-sast: ...@@ -396,14 +276,7 @@ sobelow-sast:
when: never when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/ - if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- 'mix.exs'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- 'mix.exs' - 'mix.exs'
...@@ -423,17 +296,7 @@ spotbugs-sast: ...@@ -423,17 +296,7 @@ spotbugs-sast:
when: never when: never
- if: $SAST_DISABLED - if: $SAST_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.groovy'
- '**/*.java'
- '**/*.scala'
- '**/*.kt'
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '**/*.groovy' - '**/*.groovy'
- '**/*.java' - '**/*.java'
......
...@@ -5,19 +5,13 @@ ...@@ -5,19 +5,13 @@
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
variables: variables:
# Setting this variable will affect all Security templates SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
# These placeholders will be removed in %15.0 with deprecation of previous registry path
DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECRETS_ANALYZER_VERSION: "3" SECRETS_ANALYZER_VERSION: "3"
SECRET_DETECTION_EXCLUDED_PATHS: "" SECRET_DETECTION_EXCLUDED_PATHS: ""
.secret-analyzer: .secret-analyzer:
stage: test stage: test
image: "$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION" image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
services: [] services: []
allow_failure: true allow_failure: true
variables: variables:
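Review bot: the two comment lines `# Setting this variable will affect all Security templates` / `# (SAST, Dependency Scanning, ...)` are dropped from this template, while the DAST, Dependency-Scanning and License-Scanning hunks below keep them; keep them in Secret-Detection as well so every template documents `SECURE_ANALYZERS_PREFIX` the same way. The image name reverts from `secret-detection` to `secrets`, which matches the `secrets` download job in the Secure-Binaries template further down, so the offline mirror and this template agree.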
...@@ -33,12 +27,7 @@ secret_detection: ...@@ -33,12 +27,7 @@ secret_detection:
rules: rules:
- if: $SECRET_DETECTION_DISABLED - if: $SECRET_DETECTION_DISABLED
when: never when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX"
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
script: script:
- if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
- if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
......
...@@ -10,8 +10,8 @@ ...@@ -10,8 +10,8 @@
variables: variables:
FUZZAPI_VERSION: "1" FUZZAPI_VERSION: "1"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
FUZZAPI_IMAGE: "$SECURE_ANALYZERS_PREFIX/api-security:$FUZZAPI_VERSION" FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}
apifuzzer_fuzz: apifuzzer_fuzz:
stage: fuzz stage: fuzz
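Review bot: `FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}` is the only unquoted value in this `variables:` block (the removed line and `FUZZAPI_VERSION: "1"` are quoted); quote it for consistency, and do the same for the bare `FUZZAPI_IMAGE: api-fuzzing` in the next hunk. The rename from `api-security` to `api-fuzzing` has to stay in step with the `api-fuzzing` entry in `SECURE_BINARIES_ANALYZERS` in the Secure-Binaries hunk below, otherwise an offline mirror pulls a different image than the template runs.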
......
...@@ -10,8 +10,8 @@ ...@@ -10,8 +10,8 @@
variables: variables:
FUZZAPI_VERSION: "1" FUZZAPI_VERSION: "1"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
FUZZAPI_IMAGE: "api-security" FUZZAPI_IMAGE: api-fuzzing
apifuzzer_fuzz: apifuzzer_fuzz:
stage: fuzz stage: fuzz
......
...@@ -24,14 +24,14 @@ ...@@ -24,14 +24,14 @@
variables: variables:
# Setting this variable affects all Security templates # Setting this variable affects all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# #
DAST_API_VERSION: "1" DAST_API_VERSION: "1"
DAST_API_IMAGE: "api-security" DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
dast_api: dast_api:
stage: dast stage: dast
image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION image: $DAST_API_IMAGE
allow_failure: true allow_failure: true
rules: rules:
- if: $DAST_API_DISABLED - if: $DAST_API_DISABLED
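Review bot: the meaning of `DAST_API_IMAGE` changes in this hunk and that deserves a line in the MR description and the DAST API docs. Before, it held only the image name (`api-security`) and `image:` composed `$SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION`; after, it is the full reference `$SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION` and the job uses `image: $DAST_API_IMAGE`. A project that overrode `DAST_API_IMAGE` with a bare image name will now try to pull an unqualified image. Note also that the DAST API job runs the `api-fuzzing` image, so an offline mirror needs only that one image for both the API-Fuzzing and DAST-API templates.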
......
...@@ -24,10 +24,10 @@ ...@@ -24,10 +24,10 @@
variables: variables:
# Setting this variable affects all Security templates # Setting this variable affects all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# #
DAST_API_VERSION: "1" DAST_API_VERSION: "1"
DAST_API_IMAGE: api-security DAST_API_IMAGE: api-fuzzing
dast_api: dast_api:
stage: dast stage: dast
......
...@@ -5,9 +5,9 @@ stages: ...@@ -5,9 +5,9 @@ stages:
- dast - dast
variables: variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
DAST_API_VERSION: "1" DAST_API_VERSION: "1"
DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-security:$DAST_API_VERSION DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
dast: dast:
stage: dast stage: dast
......
...@@ -11,7 +11,9 @@ stages: ...@@ -11,7 +11,9 @@ stages:
variables: variables:
DAST_VERSION: 2 DAST_VERSION: 2
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
dast: dast:
stage: dast stage: dast
......
...@@ -25,7 +25,7 @@ variables: ...@@ -25,7 +25,7 @@ variables:
DAST_VERSION: 2 DAST_VERSION: 2
# Setting this variable will affect all Security templates # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
dast: dast:
stage: dast stage: dast
......
...@@ -25,7 +25,7 @@ variables: ...@@ -25,7 +25,7 @@ variables:
DAST_VERSION: 2 DAST_VERSION: 2
# Setting this variable will affect all Security templates # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
dast: dast:
stage: dast stage: dast
......
...@@ -11,11 +11,7 @@ ...@@ -11,11 +11,7 @@
variables: variables:
# Setting this variable will affect all Security templates # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python" DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
DS_EXCLUDED_ANALYZERS: "" DS_EXCLUDED_ANALYZERS: ""
DS_EXCLUDED_PATHS: "spec, test, tests, tmp" DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
...@@ -55,27 +51,9 @@ gemnasium-dependency_scanning: ...@@ -55,27 +51,9 @@ gemnasium-dependency_scanning:
when: never when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/ - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
- '{composer.lock,*/composer.lock,*/*/composer.lock}'
- '{gems.locked,*/gems.locked,*/*/gems.locked}'
- '{go.sum,*/go.sum,*/*/go.sum}'
- '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
- '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
- '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
- '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
- '{conan.lock,*/conan.lock,*/*/conan.lock}'
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/ $DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}' - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
- '{composer.lock,*/composer.lock,*/*/composer.lock}' - '{composer.lock,*/composer.lock,*/*/composer.lock}'
...@@ -104,22 +82,9 @@ gemnasium-maven-dependency_scanning: ...@@ -104,22 +82,9 @@ gemnasium-maven-dependency_scanning:
when: never when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/ - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{build.gradle,*/build.gradle,*/*/build.gradle}'
- '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
- '{build.sbt,*/build.sbt,*/*/build.sbt}'
- '{pom.xml,*/pom.xml,*/*/pom.xml}'
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/ $DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '{build.gradle,*/build.gradle,*/*/build.gradle}' - '{build.gradle,*/build.gradle,*/*/build.gradle}'
- '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}' - '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
...@@ -143,23 +108,9 @@ gemnasium-python-dependency_scanning: ...@@ -143,23 +108,9 @@ gemnasium-python-dependency_scanning:
when: never when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/ - if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
- '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
- '{Pipfile,*/Pipfile,*/*/Pipfile}'
- '{requires.txt,*/requires.txt,*/*/requires.txt}'
- '{setup.py,*/setup.py,*/*/setup.py}'
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '{requirements.txt,*/requirements.txt,*/*/requirements.txt}' - '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
- '{requirements.pip,*/requirements.pip,*/*/requirements.pip}' - '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
...@@ -168,19 +119,10 @@ gemnasium-python-dependency_scanning: ...@@ -168,19 +119,10 @@ gemnasium-python-dependency_scanning:
- '{setup.py,*/setup.py,*/*/setup.py}' - '{setup.py,*/setup.py,*/*/setup.py}'
# Support passing of $PIP_REQUIREMENTS_FILE # Support passing of $PIP_REQUIREMENTS_FILE
# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning # See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$PIP_REQUIREMENTS_FILE &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ && $DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$PIP_REQUIREMENTS_FILE $PIP_REQUIREMENTS_FILE
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
bundler-audit-dependency_scanning: bundler-audit-dependency_scanning:
extends: .ds-analyzer extends: .ds-analyzer
...@@ -196,19 +138,9 @@ bundler-audit-dependency_scanning: ...@@ -196,19 +138,9 @@ bundler-audit-dependency_scanning:
when: never when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/ - if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/ $DS_DEFAULT_ANALYZERS =~ /bundler-audit/
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists: exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}' - '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
...@@ -226,18 +158,8 @@ retire-js-dependency_scanning: ...@@ -226,18 +158,8 @@ retire-js-dependency_scanning:
when: never when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/ - if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
when: never when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{package.json,*/package.json,*/*/package.json}'
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ && $GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/ $DS_DEFAULT_ANALYZERS =~ /retire.js/
exists: exists:
- '{package.json,*/package.json,*/*/package.json}' - '{package.json,*/package.json,*/*/package.json}'
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
variables: variables:
# Setting this variable will affect all Security templates # Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...) # (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
LICENSE_MANAGEMENT_SETUP_CMD: '' # If needed, specify a command to setup your environment with a custom package manager. LICENSE_MANAGEMENT_SETUP_CMD: '' # If needed, specify a command to setup your environment with a custom package manager.
LICENSE_MANAGEMENT_VERSION: 3 LICENSE_MANAGEMENT_VERSION: 3
...@@ -19,7 +19,7 @@ variables: ...@@ -19,7 +19,7 @@ variables:
license_scanning: license_scanning:
stage: test stage: test
image: image:
name: "$SECURE_ANALYZERS_PREFIX/license-compliance/license-finder:$LICENSE_MANAGEMENT_VERSION" name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
entrypoint: [""] entrypoint: [""]
variables: variables:
LM_REPORT_VERSION: '2.1' LM_REPORT_VERSION: '2.1'
......
...@@ -14,14 +14,11 @@ ...@@ -14,14 +14,11 @@
# Docs: https://docs.gitlab.com/ee/topics/airgap/ # Docs: https://docs.gitlab.com/ee/topics/airgap/
variables: variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SECURE_BINARIES_ANALYZERS: >- SECURE_BINARIES_ANALYZERS: >-
bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep, bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python, bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
license-finder, license-finder,
dast, dast-runner-validation, api-security dast, dast-runner-validation, api-fuzzing
SECURE_BINARIES_DOWNLOAD_IMAGES: "true" SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
SECURE_BINARIES_PUSH_IMAGES: "true" SECURE_BINARIES_PUSH_IMAGES: "true"
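Review bot: `kics` disappears from `SECURE_BINARIES_ANALYZERS` along with the `api-security` to `api-fuzzing` rename; if kics was added to this list independently of the commit being reverted, a plain revert removes it by accident, so please confirm that is intended. Removing `SECURE_ANALYZERS_PREFIX` from this template also means the download jobs no longer honour a user-supplied prefix: the fallback in the `script:` of the next hunk hardcodes `registry.gitlab.com/gitlab-org/security-products/analyzers`.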
...@@ -43,7 +40,7 @@ variables: ...@@ -43,7 +40,7 @@ variables:
script: script:
- docker info - docker info
- env - env
- if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi - if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
- docker pull --quiet ${SECURE_BINARIES_IMAGE} - docker pull --quiet ${SECURE_BINARIES_IMAGE}
- mkdir -p output/$(dirname ${CI_JOB_NAME}) - mkdir -p output/$(dirname ${CI_JOB_NAME})
- | - |
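Review bot: `if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"..."}; fi` applies the default twice, since the `[ -z ]` guard and the `${VAR:-default}` expansion do the same job; `export SECURE_BINARIES_IMAGE="${SECURE_BINARIES_IMAGE:-registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}}"` is enough. This is pre-existing on both sides, but the line is being touched anyway, and deriving the default from a prefix variable instead of a hardcoded registry would let offline installs override the source in one place.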
...@@ -66,27 +63,22 @@ variables: ...@@ -66,27 +63,22 @@ variables:
# SAST jobs # SAST jobs
# #
.download_sast_images:
extends: .download_images
variables:
SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/sast/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
bandit: bandit:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bbandit\b/ $SECURE_BINARIES_ANALYZERS =~ /\bbandit\b/
brakeman: brakeman:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/ $SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/
gosec: gosec:
extends: .download_sast_images extends: .download_images
variables: variables:
SECURE_BINARIES_ANALYZER_VERSION: "3" SECURE_BINARIES_ANALYZER_VERSION: "3"
only: only:
...@@ -95,28 +87,28 @@ gosec: ...@@ -95,28 +87,28 @@ gosec:
$SECURE_BINARIES_ANALYZERS =~ /\bgosec\b/ $SECURE_BINARIES_ANALYZERS =~ /\bgosec\b/
spotbugs: spotbugs:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bspotbugs\b/ $SECURE_BINARIES_ANALYZERS =~ /\bspotbugs\b/
flawfinder: flawfinder:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bflawfinder\b/ $SECURE_BINARIES_ANALYZERS =~ /\bflawfinder\b/
phpcs-security-audit: phpcs-security-audit:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bphpcs-security-audit\b/ $SECURE_BINARIES_ANALYZERS =~ /\bphpcs-security-audit\b/
security-code-scan: security-code-scan:
extends: .download_sast_images extends: .download_images
variables: variables:
SECURE_BINARIES_ANALYZER_VERSION: "3" SECURE_BINARIES_ANALYZER_VERSION: "3"
only: only:
...@@ -125,21 +117,21 @@ security-code-scan: ...@@ -125,21 +117,21 @@ security-code-scan:
$SECURE_BINARIES_ANALYZERS =~ /\bsecurity-code-scan\b/ $SECURE_BINARIES_ANALYZERS =~ /\bsecurity-code-scan\b/
nodejs-scan: nodejs-scan:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bnodejs-scan\b/ $SECURE_BINARIES_ANALYZERS =~ /\bnodejs-scan\b/
eslint: eslint:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\beslint\b/ $SECURE_BINARIES_ANALYZERS =~ /\beslint\b/
secrets: secrets:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
...@@ -148,28 +140,28 @@ secrets: ...@@ -148,28 +140,28 @@ secrets:
SECURE_BINARIES_ANALYZER_VERSION: "3" SECURE_BINARIES_ANALYZER_VERSION: "3"
semgrep: semgrep:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsemgrep\b/ $SECURE_BINARIES_ANALYZERS =~ /\bsemgrep\b/
sobelow: sobelow:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsobelow\b/ $SECURE_BINARIES_ANALYZERS =~ /\bsobelow\b/
pmd-apex: pmd-apex:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/ $SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
kubesec: kubesec:
extends: .download_sast_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
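Review bot: the `pmd-apex` job's `only: variables:` condition tests `$SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/` instead of `/\bpmd-apex\b/`, so the job runs whenever `secrets` is in the list and cannot be selected or excluded on its own. The bug is on both sides of the diff and unrelated to the revert, but it is worth a follow-up: change the pattern to `/\bpmd-apex\b/`.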
...@@ -179,41 +171,36 @@ kubesec: ...@@ -179,41 +171,36 @@ kubesec:
# Dependency Scanning jobs # Dependency Scanning jobs
# #
.download_ds_images:
extends: .download_images
variables:
SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/dependency-scanning/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
bundler-audit: bundler-audit:
extends: .download_ds_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bbundler-audit\b/ $SECURE_BINARIES_ANALYZERS =~ /\bbundler-audit\b/
retire.js: retire.js:
extends: .download_ds_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bretire\.js\b/ $SECURE_BINARIES_ANALYZERS =~ /\bretire\.js\b/
gemnasium: gemnasium:
extends: .download_ds_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bgemnasium\b/ $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium\b/
gemnasium-maven: gemnasium-maven:
extends: .download_ds_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-maven\b/ $SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-maven\b/
gemnasium-python: gemnasium-python:
extends: .download_ds_images extends: .download_images
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
...@@ -226,7 +213,6 @@ gemnasium-python: ...@@ -226,7 +213,6 @@ gemnasium-python:
license-finder: license-finder:
extends: .download_images extends: .download_images
variables: variables:
SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/license-compliance/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
SECURE_BINARIES_ANALYZER_VERSION: "3" SECURE_BINARIES_ANALYZER_VERSION: "3"
only: only:
variables: variables:
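Review bot: dropping the `SECURE_BINARIES_IMAGE` override means `license-finder` falls back to the script default, `registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3`, which is exactly what the License-Scanning hunk above now resolves to (`$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION` with `LICENSE_MANAGEMENT_VERSION: 3`); the mirror and the scanning template stay in sync.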
...@@ -237,13 +223,8 @@ license-finder: ...@@ -237,13 +223,8 @@ license-finder:
# DAST # DAST
# #
.download_dast_images:
extends: .download_images
variables:
SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
dast: dast:
extends: .download_dast_images extends: .download_images
variables: variables:
SECURE_BINARIES_ANALYZER_VERSION: "2" SECURE_BINARIES_ANALYZER_VERSION: "2"
only: only:
...@@ -252,19 +233,20 @@ dast: ...@@ -252,19 +233,20 @@ dast:
$SECURE_BINARIES_ANALYZERS =~ /\bdast\b/ $SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
dast-runner-validation: dast-runner-validation:
extends: .download_dast_images extends: .download_images
variables: variables:
SECURE_BINARIES_ANALYZER_VERSION: "1" SECURE_BINARIES_ANALYZER_VERSION: "1"
SECURE_BINARIES_IMAGE: "registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/ $SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/
api-security: api-fuzzing:
extends: .download_dast_images extends: .download_images
variables: variables:
SECURE_BINARIES_ANALYZER_VERSION: "1" SECURE_BINARIES_ANALYZER_VERSION: "1"
only: only:
variables: variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bapi-security\b/ $SECURE_BINARIES_ANALYZERS =~ /\bapi-fuzzing\b/
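Review bot: `dast-runner-validation` becomes the one job with an explicit `SECURE_BINARIES_IMAGE` pointing at `registry.gitlab.com/security-products/...`, while every other job now takes the script default under `gitlab-org/security-products/analyzers`; a one-line comment on the added override saying why this job differs would save the next reader a trip through the history. The renamed `api-fuzzing` job must match both the `SECURE_BINARIES_ANALYZERS` entry and its `only:` pattern `/\bapi-fuzzing\b/`, which it does here.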
...@@ -6,7 +6,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -6,7 +6,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:default_sast_values) do let(:default_sast_values) do
{ 'global' => { 'global' =>
[ [
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' } { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
], ],
'pipeline' => 'pipeline' =>
[ [
...@@ -19,7 +19,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -19,7 +19,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do let(:params) do
{ 'global' => { 'global' =>
[ [
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'new_registry' } { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'new_registry' }
], ],
'pipeline' => 'pipeline' =>
[ [
...@@ -164,7 +164,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -164,7 +164,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do let(:params) do
{ 'global' => { 'global' =>
[ [
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' } { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
], ],
'pipeline' => 'pipeline' =>
[ [
...@@ -219,21 +219,21 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -219,21 +219,21 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
def existing_gitlab_ci_and_template_array_without_sast def existing_gitlab_ci_and_template_array_without_sast
{ "stages" => %w(test security), { "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" }, "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" }, "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
"include" => [{ "template" => "existing.yml" }] } "include" => [{ "template" => "existing.yml" }] }
end end
def existing_gitlab_ci_and_single_template_with_sast_and_default_stage def existing_gitlab_ci_and_single_template_with_sast_and_default_stage
{ "stages" => %w(test), { "stages" => %w(test),
"variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000" }, "variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "test" }, "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "test" },
"include" => { "template" => "Security/SAST.gitlab-ci.yml" } } "include" => { "template" => "Security/SAST.gitlab-ci.yml" } }
end end
def existing_gitlab_ci_and_single_template_without_sast def existing_gitlab_ci_and_single_template_without_sast
{ "stages" => %w(test security), { "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" }, "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" }, "sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
"include" => { "template" => "existing.yml" } } "include" => { "template" => "existing.yml" } }
end end
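Review bot: the `"SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers"` line is copied verbatim into all three fixture methods, which differ only in `stages`, the `include` shape and the presence of `RANDOM`; a shared helper that builds the `variables` hash would make the `/analyzers` suffix a single edit, and a one-line comment in that helper stating that the fixture prefix intentionally ends in `/analyzers` (mirroring the default from `secure_analyzers_prefix`) would explain to the next reader why a bare `localhost:5000` is not equivalent.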
...@@ -246,13 +246,13 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -246,13 +246,13 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
def existing_gitlab_ci_with_no_sast_section def existing_gitlab_ci_with_no_sast_section
{ "stages" => %w(test security), { "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" }, "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] } "include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
end end
def existing_gitlab_ci_with_no_sast_variables def existing_gitlab_ci_with_no_sast_variables
{ "stages" => %w(test security), { "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" }, "variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"sast" => { "stage" => "security" }, "sast" => { "stage" => "security" },
"include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] } "include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
end end
...@@ -275,7 +275,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do ...@@ -275,7 +275,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do let(:params) do
{ 'global' => { 'global' =>
[ [
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => '' } { 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => '' }
] } ] }
end end
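Review bot: this `params` sets `'value' => ''` for `SECURE_ANALYZERS_PREFIX`; make sure the example that consumes it asserts that the generated configuration falls back to `'defaultValue'` rather than writing an empty prefix, because an empty value here would otherwise be the one input in these specs that is not checked against a concrete registry path.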
......
...@@ -15,7 +15,7 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -15,7 +15,7 @@ RSpec.describe Ci::CreatePipelineService do
variables: variables:
DAST_VERSION: 1 DAST_VERSION: 1
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products" SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
dast: dast:
stage: dast stage: dast
......
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
module Ci module Ci
module TemplateHelpers module TemplateHelpers
def secure_analyzers_prefix def secure_analyzers_prefix
'registry.gitlab.com/security-products' 'registry.gitlab.com/gitlab-org/security-products/analyzers'
end end
end end
end end
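Review bot: `secure_analyzers_prefix` is the single definition of the default analyzer registry and this revert changes it from `registry.gitlab.com/security-products` back to `registry.gitlab.com/gitlab-org/security-products/analyzers` without any comment; add a short doc comment above the method stating that the value must stay in sync with the `SECURE_ANALYZERS_PREFIX` defaults used in the Sec Section templates and in the specs touched by this change, since a mismatch between the two means jobs resolve analyzer images against a different registry path than the one documented.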
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.shared_examples 'setting sec analyzer prefix dynamically' do |builds: [], files: { 'README.md' => '' }, variables: {}, namespace: ''|
using RSpec::Parameterized::TableSyntax
let(:default_analyzer_prefix) { 'registry.gitlab.com/security-products' }
where(:builds, :files, :analyzer_prefix, :expected_prefix) do
builds | files | nil | "$DEFAULT_SECURE_ANALYZERS_PREFIX#{namespace.present? ? "/#{namespace}" : nil}"
builds | files | 'registry.example.com' | 'registry.example.com'
end
with_them do
before do
if analyzer_prefix
if analyzer_prefix != default_analyzer_prefix
create(:ci_variable, project: project, key: 'SECURE_ANALYZERS_PREFIX', value: analyzer_prefix)
end
end
variables.each do |(key, value)|
create(:ci_variable, project: project, key: key, value: value)
end
end
it 'creates a build with the expected tag' do
expect(build_names).to include(*builds)
prefixes = pipeline.builds.map { |build| build.variables["SECURE_ANALYZERS_PREFIX"].value }
expect(prefixes.uniq).to match_array(expected_prefix)
end
end
end
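Review bot: deleting `setting sec analyzer prefix dynamically` also removes the only shared example covering the project-level override (`'registry.example.com' | 'registry.example.com'` together with `create(:ci_variable, project: project, key: 'SECURE_ANALYZERS_PREFIX', ...)`); since self-hosted and offline installations rely on that override to point analyzers at a private registry, consider keeping an equivalent example against the restored static default so the override path stays tested. The first `where` row's `"$DEFAULT_SECURE_ANALYZERS_PREFIX..."` expectation is tied to the dynamic-prefix approach being reverted and can go, but the override row is independent of it.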