gitlab-org--gitlab-foss/.gitlab/ci/reports.gitlab-ci.yml

# Make sure to update all the similar conditions in other CI config files if you modify these conditions
.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'

# Make sure to update all the similar conditions in other CI config files if you modify these conditions
.if-canonical-dot-com-gitlab-org-group-schedule: &if-canonical-dot-com-gitlab-org-group-schedule
  if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'

# Make sure to update all the similar conditions in other CI config files if you modify these conditions
.if-master-refs: &if-master-refs
  if: '$CI_COMMIT_REF_NAME == "master"'

# Make sure to update all the similar conditions in other CI config files if you modify these conditions
.if-default-refs: &if-default-refs
  if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'

# Make sure to update all the similar patterns in other CI config files if you modify these patterns
.code-backstage-patterns: &code-backstage-patterns
  - ".gitlab/ci/**/*"
  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
  - ".csscomb.json"
  - "Dockerfile.assets"
  - "*_VERSION"
  - "Gemfile{,.lock}"
  - "Rakefile"
  - "{babel.config,jest.config}.js"
  - "config.ru"
  - "{package.json,yarn.lock}"
  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
  # Backstage changes
  - "Dangerfile"
  - "danger/**/*"
  - "{,ee/}fixtures/**/*"
  - "{,ee/}rubocop/**/*"
  - "{,ee/}spec/**/*"
  - "doc/README.md"  # Some RSpec test rely on this file

# Make sure to update all the similar patterns in other CI config files if you modify these patterns
.code-qa-patterns: &code-qa-patterns
  - ".gitlab/ci/**/*"
  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
  - ".csscomb.json"
  - "Dockerfile.assets"
  - "*_VERSION"
  - "Gemfile{,.lock}"
  - "Rakefile"
  - "{babel.config,jest.config}.js"
  - "config.ru"
  - "{package.json,yarn.lock}"
  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
  # QA changes
  - ".dockerignore"
  - "qa/**/*"

# Make sure to update all the similar patterns in other CI config files if you modify these patterns
.code-backstage-qa-patterns: &code-backstage-qa-patterns
  - ".gitlab/ci/**/*"
  - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
  - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
  - ".csscomb.json"
  - "Dockerfile.assets"
  - "*_VERSION"
  - "Gemfile{,.lock}"
  - "Rakefile"
  - "{babel.config,jest.config}.js"
  - "config.ru"
  - "{package.json,yarn.lock}"
  - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
  - "doc/api/graphql/reference/*" # Files in this folder are auto-generated
  # Backstage changes
  - "Dangerfile"
  - "danger/**/*"
  - "{,ee/}fixtures/**/*"
  - "{,ee/}rubocop/**/*"
  - "{,ee/}spec/**/*"
  - "doc/README.md"  # Some RSpec test rely on this file
  # QA changes
  - ".dockerignore"
  - "qa/**/*"

.reports:rules:code_quality:
  rules:
    - if: '$CODE_QUALITY_DISABLED'
      when: never
    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
    - <<: *if-default-refs
      changes: *code-backstage-patterns

.reports:rules:sast:
  rules:
    - if: '$SAST_DISABLED || $GITLAB_FEATURES !~ /\bsast\b/'
      when: never
    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
    - <<: *if-default-refs
      changes: *code-backstage-qa-patterns

.reports:rules:dependency_scanning:
  rules:
    - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/'
      when: never
    # - <<: *if-master-refs  # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
    - <<: *if-default-refs
      changes: *code-backstage-qa-patterns

.reports:rules:dast:
  rules:
    - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
      when: never
    - <<: *if-canonical-gitlab-merge-request
      changes: *code-qa-patterns

# include:
#   - template: Jobs/Code-Quality.gitlab-ci.yml
#   - template: Security/SAST.gitlab-ci.yml
#   - template: Security/Dependency-Scanning.gitlab-ci.yml
#   - template: Security/DAST.gitlab-ci.yml

# We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`.
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
code_quality:
  extends:
    - .default-retry
    - .reports:rules:code_quality
  stage: test
  image: docker:stable
  allow_failure: true
  services:
    - docker:stable-dind
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
    CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.6"
  script:
    - |
      if ! docker info &>/dev/null; then
        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
    - docker pull --quiet "$CODE_QUALITY_IMAGE"
    - docker run
        --env SOURCE_CODE="$PWD"
        --volume "$PWD":/code
        --volume /var/run/docker.sock:/var/run/docker.sock
        "$CODE_QUALITY_IMAGE" /code
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
    paths:
      - gl-code-quality-report.json  # GitLab-specific
    expire_in: 1 week  # GitLab-specific
  dependencies: []

# We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`.
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
# Once https://gitlab.com/gitlab-org/gitlab/merge_requests/16487 will be deployed
# to GitLab.com, we should be able to use the template and set SAST_DISABLE_DIND: "true".
sast:
  extends:
    - .default-retry
    - .reports:rules:sast
  stage: test
  allow_failure: true
  dependencies: []  # GitLab-specific
  artifacts:
    paths:
      - gl-sast-report.json  # GitLab-specific
    reports:
      sast: gl-sast-report.json
    expire_in: 1 week  # GitLab-specific
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
    SAST_BRAKEMAN_LEVEL: 2  # GitLab-specific
    SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec  # GitLab-specific
  services:
    - docker:stable-dind
  script:
    - export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
    - |
      if ! docker info &>/dev/null; then
        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
    - |
      ENVS=`printenv | grep -vE '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | sed -n '/^[^\t]/s/=.*//p' | sed '/^$/d' | sed 's/^/-e /g' | tr '\n' ' '`
      docker run "$ENVS" \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code

# We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`.
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
dependency_scanning:
  extends:
    - .default-retry
    - .reports:rules:dependency_scanning
  stage: test
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
    DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports,spec,ee/spec"  # GitLab-specific
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
    - |
      if ! docker info &>/dev/null; then
        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
    - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
      function propagate_env_vars() {
        CURRENT_ENV=$(printenv)

        for VAR_NAME; do
          echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
        done
      }
    - |
      docker run \
        $(propagate_env_vars \
          DS_ANALYZER_IMAGES \
          DS_ANALYZER_IMAGE_PREFIX \
          DS_ANALYZER_IMAGE_TAG \
          DS_DEFAULT_ANALYZERS \
          DS_EXCLUDED_PATHS \
          DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
          DS_PULL_ANALYZER_IMAGE_TIMEOUT \
          DS_RUN_ANALYZER_TIMEOUT \
          DS_PYTHON_VERSION \
          DS_PIP_VERSION \
          DS_PIP_DEPENDENCY_PATH \
          GEMNASIUM_DB_LOCAL_PATH \
          GEMNASIUM_DB_REMOTE_URL \
          GEMNASIUM_DB_REF_NAME \
          PIP_INDEX_URL \
          PIP_EXTRA_INDEX_URL \
          PIP_REQUIREMENTS_FILE \
          MAVEN_CLI_OPTS \
          BUNDLER_AUDIT_UPDATE_DISABLED \
          BUNDLER_AUDIT_ADVISORY_DB_URL \
          BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
        ) \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_VERSION" /code
  artifacts:
    paths:
      - gl-dependency-scanning-report.json  # GitLab-specific
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    expire_in: 1 week  # GitLab-specific
  dependencies: []

# We need to duplicate this job's definition because it seems it's impossible to
# override an included `only.refs`.
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
dast:
  extends:
    - .default-retry
    - .reports:rules:dast
  needs:
    - job: review-deploy
      artifacts: true
  stage: qa  # GitLab-specific
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
  variables:
    # To be done in a later iteration
    # DAST_USERNAME: "root"
    # DAST_USERNAME_FIELD: "user[login]"
    # DAST_PASSWORD_FIELD: "user[passowrd]"
  allow_failure: true
  script:
    - 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"'
    # To be done in a later iteration
    # - 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"'
    # - 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"'
    - /analyze -t $DAST_WEBSITE
  artifacts:
    paths:
      - gl-dast-report.json  # GitLab-specific
    reports:
      dast: gl-dast-report.json
    expire_in: 1 week  # GitLab-specific

# To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
# schedule:dast:
#   extends: dast
#   rules:
#     - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
#       when: never
#     - <<: *if-canonical-dot-com-gitlab-org-group-schedule
#   variables:
#     DAST_FULL_SCAN_ENABLED: "true"