Prevent creation of .env file

To propagate environment variable from host to sast container, .env file is created. Then, this .env file is analyzed by sast and may trigger TruffleHog for example. Passing `-e VARNAME` to docker without definition allow to propagate environment variables without need to create the .env file.

Prevent creation of .env file
To propagate environment variable from host to sast container, .env file is created. Then, this .env file is analyzed by sast and may trigger TruffleHog for example. Passing `-e VARNAME` to docker without definition allow to propagate environment variables without need to create the .env file.
d6994f29 · agix · Florian GAULTIER · b7b5cc99 · d6994f29
Commit d6994f29 authored Dec 04, 2019 by agix Committed by Florian GAULTIER Mar 23, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml +2 -2

No files found.
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -36,9 +36,9 @@ sast:
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
-    - ENVS=`printenv | grep -vE '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | sed -n '/^[^\t]/s/=.*//p' | sed '/^$/d' | sed 's/^/-e /g' | tr '\n' ' '`
    - |
-      docker run $ENVS \
+      docker run \
+        $(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -v -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | awk '{printf " -e %s", $0}') \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code