2021-04-27 05:09:46 -04:00
|
|
|
include:
|
|
|
|
|
- template: Jobs/Code-Quality.gitlab-ci.yml
|
2021-10-07 14:11:28 -04:00
|
|
|
- template: Jobs/SAST.gitlab-ci.yml
|
|
|
|
|
- template: Jobs/Secret-Detection.gitlab-ci.yml
|
2022-04-20 11:10:23 -04:00
|
|
|
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
|
|
|
|
|
- template: Jobs/License-Scanning.gitlab-ci.yml
|
2019-04-12 04:56:38 -04:00
|
|
|
|
2019-09-17 10:16:34 -04:00
|
|
|
code_quality:
|
2019-08-26 16:41:55 -04:00
|
|
|
extends:
|
|
|
|
|
- .default-retry
|
2020-04-08 11:09:29 -04:00
|
|
|
- .use-docker-in-docker
|
2021-11-01 05:13:14 -04:00
|
|
|
stage: lint
|
2019-09-17 10:16:34 -04:00
|
|
|
artifacts:
|
2019-12-16 10:07:39 -05:00
|
|
|
paths:
|
2020-02-13 10:08:52 -05:00
|
|
|
- gl-code-quality-report.json # GitLab-specific
|
2022-08-01 08:12:10 -04:00
|
|
|
# extends generated values cannot overwrite values from included files
|
|
|
|
|
# Use !reference as a workaround here
|
2021-04-27 05:09:46 -04:00
|
|
|
rules: !reference [".reports:rules:code_quality", rules]
|
2021-10-07 14:11:28 -04:00
|
|
|
allow_failure: true
|
2019-04-12 04:56:38 -04:00
|
|
|
|
2021-05-17 14:10:42 -04:00
|
|
|
.sast-analyzer:
|
|
|
|
|
# We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
|
2019-09-17 10:16:34 -04:00
|
|
|
extends:
|
|
|
|
|
- .default-retry
|
2021-05-17 14:10:42 -04:00
|
|
|
- sast
|
2021-11-01 05:13:14 -04:00
|
|
|
stage: lint
|
2020-02-20 13:08:51 -05:00
|
|
|
needs: []
|
2020-02-13 10:08:52 -05:00
|
|
|
artifacts:
|
|
|
|
|
paths:
|
|
|
|
|
- gl-sast-report.json # GitLab-specific
|
|
|
|
|
expire_in: 1 week # GitLab-specific
|
2019-04-12 04:56:38 -04:00
|
|
|
variables:
|
2020-02-13 10:08:52 -05:00
|
|
|
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
|
2021-05-17 14:10:42 -04:00
|
|
|
SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp" # GitLab-specific
|
2021-10-11 08:11:56 -04:00
|
|
|
SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint, nodejs-scan
|
2020-04-10 05:09:39 -04:00
|
|
|
|
|
|
|
|
brakeman-sast:
|
2021-10-07 14:11:28 -04:00
|
|
|
rules: !reference [".reports:rules:brakeman-sast", rules]
|
2020-04-10 05:09:39 -04:00
|
|
|
|
2021-05-18 05:10:37 -04:00
|
|
|
semgrep-sast:
|
2021-10-07 14:11:28 -04:00
|
|
|
rules: !reference [".reports:rules:semgrep-sast", rules]
|
2021-07-21 11:08:52 -04:00
|
|
|
|
|
|
|
|
gosec-sast:
|
|
|
|
|
variables:
|
|
|
|
|
GOPATH: "$CI_PROJECT_DIR/vendor/go"
|
|
|
|
|
COMPILE: "false"
|
|
|
|
|
GOSEC_GO_PKG_PATH: "$CI_PROJECT_DIR"
|
|
|
|
|
SECURE_LOG_LEVEL: "debug"
|
|
|
|
|
before_script:
|
|
|
|
|
- mkdir -p $GOPATH
|
|
|
|
|
- cd workhorse
|
|
|
|
|
- go get -d ./...
|
|
|
|
|
- cd ..
|
|
|
|
|
cache:
|
|
|
|
|
paths:
|
|
|
|
|
- vendor/go
|
2021-10-07 14:11:28 -04:00
|
|
|
rules: !reference [".reports:rules:gosec-sast", rules]
|
2021-05-18 05:10:37 -04:00
|
|
|
|
2021-05-17 14:10:42 -04:00
|
|
|
.secret-analyzer:
|
|
|
|
|
extends: .default-retry
|
2021-11-01 05:13:14 -04:00
|
|
|
stage: lint
|
2021-05-17 14:10:42 -04:00
|
|
|
needs: []
|
2020-08-27 14:10:29 -04:00
|
|
|
artifacts:
|
|
|
|
|
paths:
|
|
|
|
|
- gl-secret-detection-report.json # GitLab-specific
|
|
|
|
|
expire_in: 1 week # GitLab-specific
|
2019-04-12 04:56:38 -04:00
|
|
|
|
2021-05-17 14:10:42 -04:00
|
|
|
secret_detection:
|
|
|
|
|
rules: !reference [".reports:rules:secret_detection", rules]
|
|
|
|
|
|
|
|
|
|
.ds-analyzer:
|
|
|
|
|
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
|
2019-09-17 10:16:34 -04:00
|
|
|
extends:
|
|
|
|
|
- .default-retry
|
2021-05-17 14:10:42 -04:00
|
|
|
- dependency_scanning
|
2021-11-01 05:13:14 -04:00
|
|
|
stage: lint
|
2020-02-20 13:08:51 -05:00
|
|
|
needs: []
|
2019-09-17 10:16:34 -04:00
|
|
|
variables:
|
2021-05-17 14:10:42 -04:00
|
|
|
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific
|
2021-10-14 08:09:39 -04:00
|
|
|
DS_EXCLUDED_ANALYZERS: "gemnasium-maven"
|
2019-09-17 10:16:34 -04:00
|
|
|
artifacts:
|
2020-02-13 10:08:52 -05:00
|
|
|
paths:
|
|
|
|
|
- gl-dependency-scanning-report.json # GitLab-specific
|
|
|
|
|
expire_in: 1 week # GitLab-specific
|
2021-01-06 16:10:18 -05:00
|
|
|
|
2021-05-17 14:10:42 -04:00
|
|
|
gemnasium-dependency_scanning:
|
2022-05-16 20:08:52 -04:00
|
|
|
variables:
|
|
|
|
|
DS_REMEDIATE: "false"
|
2021-06-21 14:08:00 -04:00
|
|
|
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
|
2020-10-08 20:08:41 -04:00
|
|
|
|
2021-05-17 14:10:42 -04:00
|
|
|
gemnasium-python-dependency_scanning:
|
2021-06-21 14:08:00 -04:00
|
|
|
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
|
2021-01-08 07:10:35 -05:00
|
|
|
|
2021-11-09 10:12:42 -05:00
|
|
|
yarn-audit-dependency_scanning:
|
|
|
|
|
extends: .ds-analyzer
|
2022-06-16 08:09:26 -04:00
|
|
|
image: "${REGISTRY_HOST}/${REGISTRY_GROUP}/security-products/analyzers/npm-audit:1"
|
2021-11-09 10:12:42 -05:00
|
|
|
variables:
|
|
|
|
|
TOOL: yarn
|
|
|
|
|
rules: !reference [".reports:rules:yarn-audit-dependency_scanning", rules]
|
|
|
|
|
|
2021-01-06 16:10:18 -05:00
|
|
|
# Analyze dependencies for malicious behavior
|
|
|
|
|
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
|
2021-07-06 17:07:50 -04:00
|
|
|
.package_hunter-base:
|
2021-10-07 14:11:28 -04:00
|
|
|
extends: .default-retry
|
2020-11-09 13:09:11 -05:00
|
|
|
stage: test
|
|
|
|
|
image:
|
2022-05-30 14:08:57 -04:00
|
|
|
name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/security-products/package-hunter-cli:v1.3.2@sha256:7529deaef9ea21aab56bfb74ae1abbc121311affdb6ece49ce7b1c360f997ca2
|
2020-11-09 13:09:11 -05:00
|
|
|
entrypoint: [""]
|
2021-07-06 17:07:50 -04:00
|
|
|
variables:
|
|
|
|
|
HTR_user: '$PACKAGE_HUNTER_USER'
|
|
|
|
|
HTR_pass: '$PACKAGE_HUNTER_PASS'
|
2020-11-09 13:09:11 -05:00
|
|
|
needs: []
|
2021-04-20 14:09:37 -04:00
|
|
|
allow_failure: true
|
2021-07-06 17:07:50 -04:00
|
|
|
before_script:
|
2020-11-09 13:09:11 -05:00
|
|
|
- rm -r spec locale .git app/assets/images doc/
|
|
|
|
|
- cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
|
2021-10-07 14:11:28 -04:00
|
|
|
script:
|
2022-01-20 10:11:58 -05:00
|
|
|
- DEBUG=* node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json
|
2022-03-01 10:22:06 -05:00
|
|
|
after_script:
|
|
|
|
|
- mkdir ~/.aws
|
|
|
|
|
- '[[ -z "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ]] || mv "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ~/.aws/credentials'
|
|
|
|
|
- npm install --no-save --ignore-scripts @aws-sdk/client-s3@3.49.0
|
|
|
|
|
- scripts/ingest-reports-to-siem
|
2020-11-09 13:09:11 -05:00
|
|
|
artifacts:
|
|
|
|
|
paths:
|
2021-05-17 14:10:42 -04:00
|
|
|
- gl-dependency-scanning-report.json
|
2020-11-09 13:09:11 -05:00
|
|
|
reports:
|
|
|
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
2021-05-17 14:10:42 -04:00
|
|
|
expire_in: 1 week
|
2020-11-09 13:09:11 -05:00
|
|
|
|
2021-07-06 17:07:50 -04:00
|
|
|
package_hunter-yarn:
|
|
|
|
|
extends:
|
|
|
|
|
- .package_hunter-base
|
|
|
|
|
- .reports:rules:package_hunter-yarn
|
2021-10-07 14:11:28 -04:00
|
|
|
variables:
|
|
|
|
|
PACKAGE_MANAGER: yarn
|
2021-07-06 17:07:50 -04:00
|
|
|
|
|
|
|
|
package_hunter-bundler:
|
|
|
|
|
extends:
|
|
|
|
|
- .package_hunter-base
|
|
|
|
|
- .reports:rules:package_hunter-bundler
|
2021-10-07 14:11:28 -04:00
|
|
|
variables:
|
|
|
|
|
PACKAGE_MANAGER: bundler
|
2021-07-06 17:07:50 -04:00
|
|
|
|
2020-10-08 20:08:41 -04:00
|
|
|
license_scanning:
|
2021-05-17 14:10:42 -04:00
|
|
|
extends: .default-retry
|
2021-11-01 05:13:14 -04:00
|
|
|
stage: lint
|
2020-10-08 20:08:41 -04:00
|
|
|
needs: []
|
|
|
|
|
artifacts:
|
|
|
|
|
expire_in: 1 week # GitLab-specific
|
2021-05-17 14:10:42 -04:00
|
|
|
rules: !reference [".reports:rules:license_scanning", rules]
|
