include: - template: Jobs/Code-Quality.gitlab-ci.yml - template: Security/SAST.gitlab-ci.yml - template: Security/Secret-Detection.gitlab-ci.yml - template: Security/Dependency-Scanning.gitlab-ci.yml - template: Security/License-Scanning.gitlab-ci.yml code_quality: extends: - .default-retry - .use-docker-in-docker artifacts: paths: - gl-code-quality-report.json # GitLab-specific rules: !reference [".reports:rules:code_quality", rules] .sast-analyzer: # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template. extends: - .default-retry - sast needs: [] artifacts: paths: - gl-sast-report.json # GitLab-specific expire_in: 1 week # GitLab-specific variables: SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp" # GitLab-specific SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs brakeman-sast: rules: !reference [".reports:rules:sast", rules] eslint-sast: rules: !reference [".reports:rules:sast", rules] nodejs-scan-sast: rules: !reference [".reports:rules:sast", rules] semgrep-sast: rules: !reference [".reports:rules:sast", rules] gosec-sast: variables: GOPATH: "$CI_PROJECT_DIR/vendor/go" COMPILE: "false" GOSEC_GO_PKG_PATH: "$CI_PROJECT_DIR" SECURE_LOG_LEVEL: "debug" before_script: - mkdir -p $GOPATH - cd workhorse - go get -d ./... - cd .. cache: paths: - vendor/go rules: !reference [".reports:rules:sast", rules] .secret-analyzer: extends: .default-retry needs: [] artifacts: paths: - gl-secret-detection-report.json # GitLab-specific expire_in: 1 week # GitLab-specific secret_detection: rules: !reference [".reports:rules:secret_detection", rules] .ds-analyzer: # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template. extends: - .default-retry - dependency_scanning needs: [] variables: DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific artifacts: paths: - gl-dependency-scanning-report.json # GitLab-specific expire_in: 1 week # GitLab-specific gemnasium-dependency_scanning: before_script: # git-lfs is needed for auto-remediation - apk add git-lfs after_script: # Post-processing - apk add jq # Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390 - jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules] bundler-audit-dependency_scanning: rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules] retire-js-dependency_scanning: rules: !reference [".reports:rules:retire-js-dependency_scanning", rules] gemnasium-python-dependency_scanning: rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules] # Analyze dependencies for malicious behavior # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter .package_hunter-base: extends: - .default-retry stage: test image: name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:1.1.0 entrypoint: [""] variables: DEBUG: '*' HTR_user: '$PACKAGE_HUNTER_USER' HTR_pass: '$PACKAGE_HUNTER_PASS' needs: [] allow_failure: true before_script: - rm -r spec locale .git app/assets/images doc/ - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/ artifacts: paths: - gl-dependency-scanning-report.json reports: dependency_scanning: gl-dependency-scanning-report.json expire_in: 1 week package_hunter-yarn: extends: - .package_hunter-base - .reports:rules:package_hunter-yarn script: - node /usr/src/app/cli.js analyze --format gitlab --manager yarn gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json package_hunter-bundler: extends: - .package_hunter-base - .reports:rules:package_hunter-bundler script: - node /usr/src/app/cli.js analyze --format gitlab --manager bundler gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json license_scanning: extends: .default-retry needs: [] artifacts: expire_in: 1 week # GitLab-specific rules: !reference [".reports:rules:license_scanning", rules]