Commit c20808b2 authored by Lucas Charles's avatar Lucas Charles Committed by Mayra Cabrera

feat: Update SECURE_ANALYZER_PREFIX in all Sec Section templates

BREAKING CHANGE: migrate form SECURE_ANALYZER_PREFIX to
SEC_REGISTRY_PREFIX to gracefully deprecate previous prefixing and point
to new container registries at top-level namespace

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/334325

Changelog: deprecated
parent 34c7d77b
......@@ -5,7 +5,7 @@
extends:
- .reports:rules:schedule-dast
image:
name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
name: "registry.gitlab.com/security-products/dast:$DAST_VERSION"
resource_group: dast_scan
variables:
DAST_USERNAME_FIELD: "user[login]"
......
......@@ -2,8 +2,8 @@
"$schema": "http://json-schema.org/draft-07/schema#",
"global": [
{
"field" : "SECURE_ANALYZERS_PREFIX",
"label" : "Image prefix",
"field": "SECURE_ANALYZERS_PREFIX",
"label": "Image prefix",
"type": "string",
"default_value": "",
"value": "",
......
......@@ -1163,11 +1163,11 @@ Steps:
The Docker image for API Fuzzing must be pulled (downloaded) from the public registry and then pushed (imported) into a local registry. The GitLab container registry can be used to locally host the Docker image. This process can be performed using a special template. See [loading Docker images onto your offline host](../offline_deployments/index.md#loading-docker-images-onto-your-offline-host) for instructions.
Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-fuzzing:1` results in a valid image location.
Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable is set with the location of the local registry. The variable must be set such that concatenating `/api-security:1` results in a valid image location.
For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`:
For example, the below line sets a registry for the image `registry.gitlab.com/security-products/api-security:1`:
`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"`
NOTE:
Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates.
......
......@@ -1125,9 +1125,9 @@ Once the Docker image is hosted locally, the `SECURE_ANALYZERS_PREFIX` variable
NOTE:
DAST API and API Fuzzing both use the same underlying Docker image `api-fuzzing:1`.
For example, the below line sets a registry for the image `registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:1`:
For example, the below line sets a registry for the image `registry.gitlab.com/security-products/api-fuzzing:1`:
`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"`
`SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"`
NOTE:
Setting `SECURE_ANALYZERS_PREFIX` changes the Docker image registry location for all GitLab Secure templates.
......
......@@ -45,7 +45,7 @@ Any custom change to the official analyzers can be achieved by using a
You can switch to a custom Docker registry that provides the official analyzer
images under a different prefix. For instance, the following instructs Dependency
Scanning to pull `my-docker-registry/gl-images/gemnasium`
instead of `registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium`.
instead of `registry.gitlab.com/security-products/dependency-scanning/gemnasium`.
In `.gitlab-ci.yml` define:
```yaml
......
......@@ -779,11 +779,11 @@ import the following default dependency scanning analyzer images from `registry.
your [local Docker container registry](../../packages/container_registry/index.md):
```plaintext
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium:2
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven:2
registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python:2
registry.gitlab.com/gitlab-org/security-products/analyzers/retire.js:2
registry.gitlab.com/gitlab-org/security-products/analyzers/bundler-audit:2
registry.gitlab.com/security-products/dependency-scanning/gemnasium:2
registry.gitlab.com/security-products/dependency-scanning/gemnasium-maven:2
registry.gitlab.com/security-products/dependency-scanning/gemnasium-python:2
registry.gitlab.com/security-products/dependency-scanning/retire.js:2
registry.gitlab.com/security-products/dependency-scanning/bundler-audit:2
```
The process for importing Docker images into a local offline Docker registry depends on
......@@ -1082,4 +1082,4 @@ analyzers, edit your `gitlab-ci.yml` file and either:
For example, currently the `gemnasium-maven-dependency_scanning` job pulls the latest
`gemnasium-maven` Docker image because `DS_ANALYZER_IMAGE` is set to
`"$SECURE_ANALYZERS_PREFIX/gemnasium-maven:$DS_MAJOR_VERSION"`.
`"$SECURE_ANALYZERS_PREFIX/dependency-scanning/gemnasium-maven:$DS_MAJOR_VERSION"`.
......@@ -92,11 +92,9 @@ For more details about each of the security scanning tools, see their respective
### Override the default registry base address
By default, GitLab security scanners use `registry.gitlab.com/gitlab-org/security-products/analyzers` as the
By default, GitLab security scanners use `registry.gitlab.com/security-products` as the
base address for Docker images. You can override this globally by setting the CI/CD variable
`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once, except
the container-scanning analyzer which uses
`registry.gitlab.com/security-products/container-scanning` as its registry.
`SECURE_ANALYZERS_PREFIX` to another location. Note that this affects all scanners at once.
### Use security scanning tools with merge request pipelines
......
......@@ -179,7 +179,7 @@ set -ux
# Specify needed analyzer images
analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"}
gitlab=registry.gitlab.com/gitlab-org/security-products/analyzers/
gitlab=registry.gitlab.com/security-products/sast/
for i in "${analyzers[@]}"
do
......
......@@ -669,7 +669,7 @@ import the following default License Compliance analyzer images from `registry.g
offline [local Docker container registry](../../packages/container_registry/index.md):
```plaintext
registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
registry.gitlab.com/security-products/license-compliance/license-finder:latest
```
The process for importing Docker images into a local offline Docker registry depends on
......@@ -872,7 +872,7 @@ A full list of variables can be found in [CI/CD variables](#available-cicd-varia
To find out what tools are pre-installed in the `license_scanning` Docker image use the following command:
```shell
$ docker run --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -lc 'asdf list'
$ docker run --entrypoint='' registry.gitlab.com/security-products/license-compliance/license-finder:3 /bin/bash -lc 'asdf list'
golang
1.14
gradle
......@@ -899,7 +899,7 @@ sbt
To interact with the `license_scanning` runtime environment use the following command:
```shell
$ docker run -it --entrypoint='' registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3 /bin/bash -l
$ docker run -it --entrypoint='' registry.gitlab.com/security-products/license-compliance/license-finder:3 /bin/bash -l
root@6abb70e9f193:~#
```
......
......@@ -139,9 +139,19 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
let(:expected_configuration) do
{
'secret-detection-0': hash_including(
rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
rules: [
{ if: '$SECRET_DETECTION_DISABLED', when: 'never' },
{
if: '$CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX',
variables: { SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX" }
},
{
if: "$CI_COMMIT_BRANCH",
variables: { SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" }
}
],
stage: 'test',
image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
image: '$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION',
services: [],
allow_failure: true,
artifacts: {
......@@ -151,7 +161,9 @@ RSpec.describe Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor do
},
variables: {
GIT_DEPTH: '50',
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
DEFAULT_SECURE_ANALYZERS_PREFIX: secure_analyzers_prefix,
DEPRECATED_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
SECRETS_ANALYZER_VERSION: '3',
SECRET_DETECTION_EXCLUDED_PATHS: '',
SECRET_DETECTION_HISTORIC_SCAN: 'false'
......
......@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
describe 'the template file' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) }
let(:production_registry) { '${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}' }
let(:staging_registry) { '${SECURE_ANALYZERS_PREFIX}/api-fuzzing-src:${FUZZAPI_VERSION}' }
let(:production_registry) { '$SECURE_ANALYZERS_PREFIX/api-security:$FUZZAPI_VERSION' }
let(:staging_registry) { '$SECURE_ANALYZERS_PREFIX/api-security-src:$FUZZAPI_VERSION' }
# Make sure future changes to the template use the production container registry.
#
......
......@@ -10,8 +10,8 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do
describe 'the template file' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) }
let(:production_registry) { 'FUZZAPI_IMAGE: api-fuzzing' }
let(:staging_registry) { 'FUZZAPI_IMAGE: api-fuzzing-src' }
let(:production_registry) { 'FUZZAPI_IMAGE: "api-security"' }
let(:staging_registry) { 'FUZZAPI_IMAGE: api-security-src' }
# Make sure future changes to the template use the production container registry.
#
......
......@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.gitlab-ci.yml' do
describe 'the template file' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) }
let(:production_registry) { '$SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION' }
let(:staging_registry) { '$SECURE_ANALYZERS_PREFIX/api-fuzzing-src:$DAST_API_VERSION' }
let(:production_registry) { 'DAST_API_IMAGE: "api-security"' }
let(:staging_registry) { 'DAST_API_IMAGE: "api-security-src"' }
# Make sure future changes to the template use the production container registry.
#
......
......@@ -10,8 +10,8 @@ RSpec.describe 'DAST-API.latest.gitlab-ci.yml' do
describe 'the template file' do
let(:template_filename) { Rails.root.join("lib/gitlab/ci/templates/" + template.full_name) }
let(:contents) { File.read(template_filename) }
let(:production_registry) { 'DAST_API_IMAGE: api-fuzzing' }
let(:staging_registry) { 'DAST_API_IMAGE: api-fuzzing-src' }
let(:production_registry) { 'DAST_API_IMAGE: api-security' }
let(:staging_registry) { 'DAST_API_IMAGE: api-security-src' }
# Make sure future changes to the template use the production container registry.
#
......
......@@ -114,10 +114,9 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
with_them do
let(:project) { create(:project, :custom_repo, files: files_at_depth_x) }
context 'with file at root' do
let(:files_at_depth_x) { files }
context 'with file at root' do
it 'creates a pipeline with the expected jobs' do
expect(build_names).to include(*include_build_names)
end
......@@ -148,6 +147,8 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
it_behaves_like 'setting sec analyzer prefix dynamically', builds: params[:include_build_names], files: params[:files], namespace: 'dependency-scanning'
end
end
......
......@@ -98,6 +98,8 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
it 'creates a pipeline with the expected jobs' do
expect(build_names).to include(*include_build_names)
end
include_examples 'setting sec analyzer prefix dynamically', builds: params[:include_build_names], files: params[:files], namespace: 'sast'
end
end
end
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'SAST-IaC.latest.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST-IaC.latest') }
describe 'the created pipeline' do
let(:default_branch) { 'master' }
let(:files) { { 'README.md' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:user) { project.first_owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
let(:pipeline) { service.execute!(:push).payload }
let(:build_names) { pipeline.builds.pluck(:name) }
before do
stub_ci_pipeline_yaml_file(template.content)
allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
allow(worker).to receive(:perform).and_return(true)
end
allow(project).to receive(:default_branch).and_return(default_branch)
end
context 'when project has no license' do
context 'when SAST_DISABLED=1' do
before do
create(:ci_variable, project: project, key: 'SAST_DISABLED', value: '1')
end
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
end
context 'by default' do
it 'creates a pipeline with the expected jobs' do
expect(build_names).to match_array(%w(kics-iac-sast))
end
end
describe 'setting SECURE_ANALYZER_PREFIX' do
it_behaves_like 'setting sec analyzer prefix dynamically', builds: %w(kics-iac-sast), namespace: 'sast'
end
end
end
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'Secret-Detection.gitlab-ci.yml' do
subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Secret-Detection') }
describe 'the created pipeline' do
let(:default_branch) { 'master' }
let(:files) { { 'README.md' => '' } }
let(:project) { create(:project, :custom_repo, files: files) }
let(:user) { project.first_owner }
let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master') }
let(:pipeline) { service.execute!(:push).payload }
let(:build_names) { pipeline.builds.pluck(:name) }
before do
stub_ci_pipeline_yaml_file(template.content)
allow_next_instance_of(Ci::BuildScheduleWorker) do |worker|
allow(worker).to receive(:perform).and_return(true)
end
allow(project).to receive(:default_branch).and_return(default_branch)
end
context 'when project has no license' do
context 'when SECRET_DETECTION_DISABLED=1' do
before do
create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: '1')
end
it 'includes no jobs' do
expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
end
end
context 'by default' do
it 'creates a pipeline with the expected jobs' do
expect(build_names).to match_array(%w(secret_detection))
end
end
describe 'setting SECURE_ANALYZER_PREFIX' do
it_behaves_like 'setting sec analyzer prefix dynamically', builds: %w(secret_detection)
end
end
end
end
......@@ -52,7 +52,7 @@ RSpec.describe 'Secure-Binaries.gitlab-ci.yml' do
it_behaves_like 'an offline image download job' do
it 'sets SECURE_BINARIES_IMAGE explicitly' do
image = 'registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
image = '${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}'
expect(build.variables.to_hash).to include('SECURE_BINARIES_IMAGE' => image)
end
......
......@@ -28,9 +28,13 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
it 'returns prepared CI configuration with Secret Detection scans' do
expected_configuration = {
rules: [{ if: '$SECRET_DETECTION_DISABLED', when: 'never' }, { if: '$CI_COMMIT_BRANCH' }],
rules: [
{ if: '$SECRET_DETECTION_DISABLED', when: 'never' },
{ if: '$CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX', variables: { SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX" } },
{ if: '$CI_COMMIT_BRANCH', variables: { SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX" } }
],
stage: 'test',
image: '$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION',
image: '$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION',
services: [],
allow_failure: true,
artifacts: {
......@@ -40,7 +44,9 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
},
variables: {
GIT_DEPTH: '50',
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products',
DEFAULT_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/security-products',
DEPRECATED_SECURE_ANALYZERS_PREFIX: 'registry.gitlab.com/gitlab-org/security-products/analyzers',
SECRETS_ANALYZER_VERSION: '3',
SECRET_DETECTION_EXCLUDED_PATHS: '',
SECRET_DETECTION_HISTORIC_SCAN: 'false'
......
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
# These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
iac-sast:
......@@ -31,4 +35,9 @@ kics-iac-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
......@@ -6,7 +6,10 @@
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
# These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SAST_EXCLUDED_ANALYZERS: ""
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
......@@ -45,7 +48,14 @@ bandit-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /bandit/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.py'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.py'
......@@ -61,7 +71,15 @@ brakeman-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.rb'
- '**/Gemfile'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.rb'
- '**/Gemfile'
......@@ -78,7 +96,18 @@ eslint-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /eslint/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.html'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.html'
- '**/*.js'
......@@ -98,7 +127,15 @@ flawfinder-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.c'
- '**/*.cpp'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.c'
- '**/*.cpp'
......@@ -115,8 +152,15 @@ kubesec-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
when: never
- if: $CI_COMMIT_BRANCH &&
$SCAN_KUBERNETES_MANIFESTS == 'true' &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
- if: $CI_COMMIT_BRANCH &&
$SCAN_KUBERNETES_MANIFESTS == 'true'
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
gosec-sast:
extends: .sast-analyzer
......@@ -130,7 +174,14 @@ gosec-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /gosec/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.go'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.go'
......@@ -149,8 +200,18 @@ mobsf-android-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true' &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.apk'
- '**/AndroidManifest.xml'
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.apk'
- '**/AndroidManifest.xml'
......@@ -162,8 +223,18 @@ mobsf-ios-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true' &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.ipa'
- '**/*.xcodeproj/*'
- if: $CI_COMMIT_BRANCH &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.ipa'
- '**/*.xcodeproj/*'
......@@ -180,7 +251,14 @@ nodejs-scan-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/package.json'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/package.json'
......@@ -196,7 +274,14 @@ phpcs-security-audit-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.php'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.php'
......@@ -212,7 +297,14 @@ pmd-apex-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.cls'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.cls'
......@@ -221,6 +313,7 @@ security-code-scan-sast:
image:
name: "$SAST_ANALYZER_IMAGE"
variables:
SAST_ANALYZER_IMAGE_TAG: '3'
SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
rules:
- if: $SAST_DISABLED
......@@ -229,15 +322,29 @@ security-code-scan-sast:
when: never
# This rule shim will be removed in %15.0,
# See https://gitlab.com/gitlab-org/gitlab/-/issues/350935
- if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14' && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SAST_ANALYZER_IMAGE_TAG: '2'
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.csproj'
- '**/*.vbproj'
- if: $CI_COMMIT_BRANCH && $CI_SERVER_VERSION_MAJOR == '14'
variables:
SAST_ANALYZER_IMAGE_TAG: '2'
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.csproj'
- '**/*.vbproj'
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.csproj'
- '**/*.vbproj'
- if: $CI_COMMIT_BRANCH
variables:
SAST_ANALYZER_IMAGE_TAG: '3'
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.csproj'
- '**/*.vbproj'
......@@ -254,7 +361,20 @@ semgrep-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.go'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.py'
- '**/*.js'
......@@ -276,7 +396,14 @@ sobelow-sast:
when: never
- if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- 'mix.exs'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- 'mix.exs'
......@@ -296,7 +423,17 @@ spotbugs-sast:
when: never
- if: $SAST_DISABLED
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/sast"
exists:
- '**/*.groovy'
- '**/*.java'
- '**/*.scala'
- '**/*.kt'
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '**/*.groovy'
- '**/*.java'
......
......@@ -5,13 +5,19 @@
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
# These placeholders will be removed in %15.0 with deprecation of previous registry path
DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECRETS_ANALYZER_VERSION: "3"
SECRET_DETECTION_EXCLUDED_PATHS: ""
.secret-analyzer:
stage: test
image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
image: "$SECURE_ANALYZERS_PREFIX/secret-detection:$SECRETS_ANALYZER_VERSION"
services: []
allow_failure: true
variables:
......@@ -27,7 +33,12 @@ secret_detection:
rules:
- if: $SECRET_DETECTION_DISABLED
when: never
- if: $CI_COMMIT_BRANCH && $SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX"
- if: $CI_COMMIT_BRANCH
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
script:
- if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
- if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
......
......@@ -10,8 +10,8 @@
variables:
FUZZAPI_VERSION: "1"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
FUZZAPI_IMAGE: ${SECURE_ANALYZERS_PREFIX}/api-fuzzing:${FUZZAPI_VERSION}
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
FUZZAPI_IMAGE: "$SECURE_ANALYZERS_PREFIX/api-security:$FUZZAPI_VERSION"
apifuzzer_fuzz:
stage: fuzz
......
......@@ -10,8 +10,8 @@
variables:
FUZZAPI_VERSION: "1"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
FUZZAPI_IMAGE: api-fuzzing
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
FUZZAPI_IMAGE: "api-security"
apifuzzer_fuzz:
stage: fuzz
......
......@@ -24,14 +24,14 @@
variables:
# Setting this variable affects all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
#
DAST_API_VERSION: "1"
DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
DAST_API_IMAGE: "api-security"
dast_api:
stage: dast
image: $DAST_API_IMAGE
image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION
allow_failure: true
rules:
- if: $DAST_API_DISABLED
......
......@@ -24,10 +24,10 @@
variables:
# Setting this variable affects all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
#
DAST_API_VERSION: "1"
DAST_API_IMAGE: api-fuzzing
DAST_API_IMAGE: api-security
dast_api:
stage: dast
......
......@@ -5,9 +5,9 @@ stages:
- dast
variables:
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DAST_API_VERSION: "1"
DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-security:$DAST_API_VERSION
dast:
stage: dast
......
......@@ -11,9 +11,7 @@ stages:
variables:
DAST_VERSION: 2
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
dast:
stage: dast
......
......@@ -25,7 +25,7 @@ variables:
DAST_VERSION: 2
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
dast:
stage: dast
......
......@@ -25,7 +25,7 @@ variables:
DAST_VERSION: 2
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
dast:
stage: dast
......
......@@ -11,7 +11,11 @@
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
# These placeholders will be removed in %15.0 with deprecation of previous registry path, see https://gitlab.com/groups/gitlab-org/-/epics/6162
DEFAULT_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
DEPRECATED_SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
DS_EXCLUDED_ANALYZERS: ""
DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
......@@ -51,9 +55,27 @@ gemnasium-dependency_scanning:
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
- '{composer.lock,*/composer.lock,*/*/composer.lock}'
- '{gems.locked,*/gems.locked,*/*/gems.locked}'
- '{go.sum,*/go.sum,*/*/go.sum}'
- '{npm-shrinkwrap.json,*/npm-shrinkwrap.json,*/*/npm-shrinkwrap.json}'
- '{package-lock.json,*/package-lock.json,*/*/package-lock.json}'
- '{yarn.lock,*/yarn.lock,*/*/yarn.lock}'
- '{packages.lock.json,*/packages.lock.json,*/*/packages.lock.json}'
- '{conan.lock,*/conan.lock,*/*/conan.lock}'
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium([^-]|$)/
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
- '{composer.lock,*/composer.lock,*/*/composer.lock}'
......@@ -82,9 +104,22 @@ gemnasium-maven-dependency_scanning:
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-maven/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{build.gradle,*/build.gradle,*/*/build.gradle}'
- '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
- '{build.sbt,*/build.sbt,*/*/build.sbt}'
- '{pom.xml,*/pom.xml,*/*/pom.xml}'
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-maven/
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '{build.gradle,*/build.gradle,*/*/build.gradle}'
- '{build.gradle.kts,*/build.gradle.kts,*/*/build.gradle.kts}'
......@@ -108,9 +143,23 @@ gemnasium-python-dependency_scanning:
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
- '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
- '{Pipfile,*/Pipfile,*/*/Pipfile}'
- '{requires.txt,*/requires.txt,*/*/requires.txt}'
- '{setup.py,*/setup.py,*/*/setup.py}'
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
- '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
......@@ -119,10 +168,19 @@ gemnasium-python-dependency_scanning:
- '{setup.py,*/setup.py,*/*/setup.py}'
# Support passing of $PIP_REQUIREMENTS_FILE
# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$PIP_REQUIREMENTS_FILE &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$PIP_REQUIREMENTS_FILE
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
bundler-audit-dependency_scanning:
extends: .ds-analyzer
......@@ -138,9 +196,19 @@ bundler-audit-dependency_scanning:
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /bundler-audit/
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
exists:
- '{Gemfile.lock,*/Gemfile.lock,*/*/Gemfile.lock}'
......@@ -158,8 +226,18 @@ retire-js-dependency_scanning:
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /retire.js/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/ &&
$SECURE_ANALYZERS_PREFIX == $DEFAULT_SECURE_ANALYZERS_PREFIX
variables:
SECURE_ANALYZERS_PREFIX: "$DEFAULT_SECURE_ANALYZERS_PREFIX/dependency-scanning"
exists:
- '{package.json,*/package.json,*/*/package.json}'
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /retire.js/
exists:
- '{package.json,*/package.json,*/*/package.json}'
variables:
SECURE_ANALYZERS_PREFIX: "$DEPRECATED_SECURE_ANALYZERS_PREFIX"
......@@ -11,7 +11,7 @@
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
LICENSE_MANAGEMENT_SETUP_CMD: '' # If needed, specify a command to setup your environment with a custom package manager.
LICENSE_MANAGEMENT_VERSION: 3
......@@ -19,7 +19,7 @@ variables:
license_scanning:
stage: test
image:
name: "$SECURE_ANALYZERS_PREFIX/license-finder:$LICENSE_MANAGEMENT_VERSION"
name: "$SECURE_ANALYZERS_PREFIX/license-compliance/license-finder:$LICENSE_MANAGEMENT_VERSION"
entrypoint: [""]
variables:
LM_REPORT_VERSION: '2.1'
......
......@@ -14,11 +14,14 @@
# Docs: https://docs.gitlab.com/ee/topics/airgap/
variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
SECURE_BINARIES_ANALYZERS: >-
bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec, semgrep,
bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kics, kubesec, semgrep,
bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python,
license-finder,
dast, dast-runner-validation, api-fuzzing
dast, dast-runner-validation, api-security
SECURE_BINARIES_DOWNLOAD_IMAGES: "true"
SECURE_BINARIES_PUSH_IMAGES: "true"
......@@ -40,7 +43,7 @@ variables:
script:
- docker info
- env
- if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/gitlab-org/security-products/analyzers/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
- if [ -z "$SECURE_BINARIES_IMAGE" ]; then export SECURE_BINARIES_IMAGE=${SECURE_BINARIES_IMAGE:-"registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"}; fi
- docker pull --quiet ${SECURE_BINARIES_IMAGE}
- mkdir -p output/$(dirname ${CI_JOB_NAME})
- |
......@@ -63,22 +66,27 @@ variables:
# SAST jobs
#
bandit:
.download_sast_images:
extends: .download_images
variables:
SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/sast/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
bandit:
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bbandit\b/
brakeman:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/
gosec:
extends: .download_images
extends: .download_sast_images
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
only:
......@@ -87,28 +95,28 @@ gosec:
$SECURE_BINARIES_ANALYZERS =~ /\bgosec\b/
spotbugs:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bspotbugs\b/
flawfinder:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bflawfinder\b/
phpcs-security-audit:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bphpcs-security-audit\b/
security-code-scan:
extends: .download_images
extends: .download_sast_images
variables:
SECURE_BINARIES_ANALYZER_VERSION: "3"
only:
......@@ -117,21 +125,21 @@ security-code-scan:
$SECURE_BINARIES_ANALYZERS =~ /\bsecurity-code-scan\b/
nodejs-scan:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bnodejs-scan\b/
eslint:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\beslint\b/
secrets:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
......@@ -140,28 +148,28 @@ secrets:
SECURE_BINARIES_ANALYZER_VERSION: "3"
semgrep:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsemgrep\b/
sobelow:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsobelow\b/
pmd-apex:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bsecrets\b/
kubesec:
extends: .download_images
extends: .download_sast_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
......@@ -171,36 +179,41 @@ kubesec:
# Dependency Scanning jobs
#
bundler-audit:
.download_ds_images:
extends: .download_images
variables:
SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/dependency-scanning/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
bundler-audit:
extends: .download_ds_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bbundler-audit\b/
retire.js:
extends: .download_images
extends: .download_ds_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bretire\.js\b/
gemnasium:
extends: .download_images
extends: .download_ds_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bgemnasium\b/
gemnasium-maven:
extends: .download_images
extends: .download_ds_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bgemnasium-maven\b/
gemnasium-python:
extends: .download_images
extends: .download_ds_images
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
......@@ -213,6 +226,7 @@ gemnasium-python:
license-finder:
extends: .download_images
variables:
SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/license-compliance/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
SECURE_BINARIES_ANALYZER_VERSION: "3"
only:
variables:
......@@ -223,8 +237,13 @@ license-finder:
# DAST
#
dast:
.download_dast_images:
extends: .download_images
variables:
SECURE_BINARIES_IMAGE: "${SECURE_ANALYZERS_PREFIX}/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
dast:
extends: .download_dast_images
variables:
SECURE_BINARIES_ANALYZER_VERSION: "2"
only:
......@@ -233,20 +252,19 @@ dast:
$SECURE_BINARIES_ANALYZERS =~ /\bdast\b/
dast-runner-validation:
extends: .download_images
extends: .download_dast_images
variables:
SECURE_BINARIES_ANALYZER_VERSION: "1"
SECURE_BINARIES_IMAGE: "registry.gitlab.com/security-products/${CI_JOB_NAME}:${SECURE_BINARIES_ANALYZER_VERSION}"
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bdast-runner-validation\b/
api-fuzzing:
extends: .download_images
api-security:
extends: .download_dast_images
variables:
SECURE_BINARIES_ANALYZER_VERSION: "1"
only:
variables:
- $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" &&
$SECURE_BINARIES_ANALYZERS =~ /\bapi-fuzzing\b/
$SECURE_BINARIES_ANALYZERS =~ /\bapi-security\b/
......@@ -6,7 +6,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:default_sast_values) do
{ 'global' =>
[
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
],
'pipeline' =>
[
......@@ -19,7 +19,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do
{ 'global' =>
[
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'new_registry' }
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'new_registry' }
],
'pipeline' =>
[
......@@ -164,7 +164,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do
{ 'global' =>
[
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => 'registry.gitlab.com/gitlab-org/security-products/analyzers' }
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => 'registry.gitlab.com/security-products' }
],
'pipeline' =>
[
......@@ -219,21 +219,21 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
def existing_gitlab_ci_and_template_array_without_sast
{ "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
"sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
"include" => [{ "template" => "existing.yml" }] }
end
def existing_gitlab_ci_and_single_template_with_sast_and_default_stage
{ "stages" => %w(test),
"variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"variables" => { "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
"sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "test" },
"include" => { "template" => "Security/SAST.gitlab-ci.yml" } }
end
def existing_gitlab_ci_and_single_template_without_sast
{ "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
"sast" => { "variables" => { "SEARCH_MAX_DEPTH" => 1 }, "stage" => "security" },
"include" => { "template" => "existing.yml" } }
end
......@@ -246,13 +246,13 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
def existing_gitlab_ci_with_no_sast_section
{ "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
"include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
end
def existing_gitlab_ci_with_no_sast_variables
{ "stages" => %w(test security),
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000/analyzers" },
"variables" => { "RANDOM" => "make sure this persists", "SECURE_ANALYZERS_PREFIX" => "localhost:5000" },
"sast" => { "stage" => "security" },
"include" => [{ "template" => "Security/SAST.gitlab-ci.yml" }] }
end
......@@ -275,7 +275,7 @@ RSpec.describe Security::CiConfiguration::SastBuildAction do
let(:params) do
{ 'global' =>
[
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/gitlab-org/security-products/analyzers', 'value' => '' }
{ 'field' => 'SECURE_ANALYZERS_PREFIX', 'defaultValue' => 'registry.gitlab.com/security-products', 'value' => '' }
] }
end
......
......@@ -15,7 +15,7 @@ RSpec.describe Ci::CreatePipelineService do
variables:
DAST_VERSION: 1
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
dast:
stage: dast
......
......@@ -3,7 +3,7 @@
module Ci
module TemplateHelpers
def secure_analyzers_prefix
'registry.gitlab.com/gitlab-org/security-products/analyzers'
'registry.gitlab.com/security-products'
end
end
end
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.shared_examples 'setting sec analyzer prefix dynamically' do |builds: [], files: { 'README.md' => '' }, variables: {}, namespace: ''|
using RSpec::Parameterized::TableSyntax
let(:default_analyzer_prefix) { 'registry.gitlab.com/security-products' }
where(:builds, :files, :analyzer_prefix, :expected_prefix) do
builds | files | nil | "$DEFAULT_SECURE_ANALYZERS_PREFIX#{namespace.present? ? "/#{namespace}" : nil}"
builds | files | 'registry.example.com' | 'registry.example.com'
end
with_them do
before do
if analyzer_prefix
if analyzer_prefix != default_analyzer_prefix
create(:ci_variable, project: project, key: 'SECURE_ANALYZERS_PREFIX', value: analyzer_prefix)
end
end
variables.each do |(key, value)|
create(:ci_variable, project: project, key: key, value: value)
end
end
it 'creates a build with the expected tag' do
expect(build_names).to include(*builds)
prefixes = pipeline.builds.map { |build| build.variables["SECURE_ANALYZERS_PREFIX"].value }
expect(prefixes.uniq).to match_array(expected_prefix)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment