309 lines
11 KiB
YAML
309 lines
11 KiB
YAML
# Make sure to update all the similar conditions in other CI config files if you modify these conditions
|
|
.if-canonical-gitlab-merge-request: &if-canonical-gitlab-merge-request
|
|
if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_MERGE_REQUEST_IID'
|
|
|
|
# Make sure to update all the similar conditions in other CI config files if you modify these conditions
|
|
.if-canonical-dot-com-gitlab-org-group-schedule: &if-canonical-dot-com-gitlab-org-group-schedule
|
|
if: '$CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" && $CI_PIPELINE_SOURCE == "schedule"'
|
|
|
|
# Make sure to update all the similar conditions in other CI config files if you modify these conditions
|
|
.if-master-refs: &if-master-refs
|
|
if: '$CI_COMMIT_REF_NAME == "master"'
|
|
|
|
# Make sure to update all the similar conditions in other CI config files if you modify these conditions
|
|
.if-default-refs: &if-default-refs
|
|
if: '$CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ || $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ || $CI_COMMIT_REF_NAME =~ /^security\// || $CI_MERGE_REQUEST_IID || $CI_COMMIT_TAG'
|
|
|
|
# Make sure to update all the similar patterns in other CI config files if you modify these patterns
|
|
.code-backstage-patterns: &code-backstage-patterns
|
|
- ".gitlab/ci/**/*"
|
|
- ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
|
|
- ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
|
|
- ".csscomb.json"
|
|
- "Dockerfile.assets"
|
|
- "*_VERSION"
|
|
- "Gemfile{,.lock}"
|
|
- "Rakefile"
|
|
- "{babel.config,jest.config}.js"
|
|
- "config.ru"
|
|
- "{package.json,yarn.lock}"
|
|
- "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
|
|
- "doc/api/graphql/reference/*" # Files in this folder are auto-generated
|
|
# Backstage changes
|
|
- "Dangerfile"
|
|
- "danger/**/*"
|
|
- "{,ee/}fixtures/**/*"
|
|
- "{,ee/}rubocop/**/*"
|
|
- "{,ee/}spec/**/*"
|
|
- "doc/README.md" # Some RSpec test rely on this file
|
|
|
|
# Make sure to update all the similar patterns in other CI config files if you modify these patterns
|
|
.code-qa-patterns: &code-qa-patterns
|
|
- ".gitlab/ci/**/*"
|
|
- ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
|
|
- ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
|
|
- ".csscomb.json"
|
|
- "Dockerfile.assets"
|
|
- "*_VERSION"
|
|
- "Gemfile{,.lock}"
|
|
- "Rakefile"
|
|
- "{babel.config,jest.config}.js"
|
|
- "config.ru"
|
|
- "{package.json,yarn.lock}"
|
|
- "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
|
|
- "doc/api/graphql/reference/*" # Files in this folder are auto-generated
|
|
# QA changes
|
|
- ".dockerignore"
|
|
- "qa/**/*"
|
|
|
|
# Make sure to update all the similar patterns in other CI config files if you modify these patterns
|
|
.code-backstage-qa-patterns: &code-backstage-qa-patterns
|
|
- ".gitlab/ci/**/*"
|
|
- ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}"
|
|
- ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml"
|
|
- ".csscomb.json"
|
|
- "Dockerfile.assets"
|
|
- "*_VERSION"
|
|
- "Gemfile{,.lock}"
|
|
- "Rakefile"
|
|
- "{babel.config,jest.config}.js"
|
|
- "config.ru"
|
|
- "{package.json,yarn.lock}"
|
|
- "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*"
|
|
- "doc/api/graphql/reference/*" # Files in this folder are auto-generated
|
|
# Backstage changes
|
|
- "Dangerfile"
|
|
- "danger/**/*"
|
|
- "{,ee/}fixtures/**/*"
|
|
- "{,ee/}rubocop/**/*"
|
|
- "{,ee/}spec/**/*"
|
|
- "doc/README.md" # Some RSpec test rely on this file
|
|
# QA changes
|
|
- ".dockerignore"
|
|
- "qa/**/*"
|
|
|
|
.reports:rules:code_quality:
|
|
rules:
|
|
- if: '$CODE_QUALITY_DISABLED'
|
|
when: never
|
|
# - <<: *if-master-refs # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
|
|
- <<: *if-default-refs
|
|
changes: *code-backstage-patterns
|
|
|
|
.reports:rules:sast:
|
|
rules:
|
|
- if: '$SAST_DISABLED || $GITLAB_FEATURES !~ /\bsast\b/'
|
|
when: never
|
|
# - <<: *if-master-refs # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
|
|
- <<: *if-default-refs
|
|
changes: *code-backstage-qa-patterns
|
|
|
|
.reports:rules:dependency_scanning:
|
|
rules:
|
|
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/'
|
|
when: never
|
|
# - <<: *if-master-refs # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
|
|
- <<: *if-default-refs
|
|
changes: *code-backstage-qa-patterns
|
|
|
|
.reports:rules:dast:
|
|
rules:
|
|
- if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
|
|
when: never
|
|
- <<: *if-canonical-gitlab-merge-request
|
|
changes: *code-qa-patterns
|
|
|
|
# include:
|
|
# - template: Jobs/Code-Quality.gitlab-ci.yml
|
|
# - template: Security/SAST.gitlab-ci.yml
|
|
# - template: Security/Dependency-Scanning.gitlab-ci.yml
|
|
# - template: Security/DAST.gitlab-ci.yml
|
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
# override an included `only.refs`.
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
code_quality:
|
|
extends:
|
|
- .default-retry
|
|
- .reports:rules:code_quality
|
|
stage: test
|
|
image: docker:stable
|
|
allow_failure: true
|
|
services:
|
|
- docker:stable-dind
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_TLS_CERTDIR: ""
|
|
CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.6"
|
|
script:
|
|
- |
|
|
if ! docker info &>/dev/null; then
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
fi
|
|
fi
|
|
- docker pull --quiet "$CODE_QUALITY_IMAGE"
|
|
- docker run
|
|
--env SOURCE_CODE="$PWD"
|
|
--volume "$PWD":/code
|
|
--volume /var/run/docker.sock:/var/run/docker.sock
|
|
"$CODE_QUALITY_IMAGE" /code
|
|
artifacts:
|
|
reports:
|
|
codequality: gl-code-quality-report.json
|
|
paths:
|
|
- gl-code-quality-report.json # GitLab-specific
|
|
expire_in: 1 week # GitLab-specific
|
|
dependencies: []
|
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
# override an included `only.refs`.
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
# Once https://gitlab.com/gitlab-org/gitlab/merge_requests/16487 will be deployed
|
|
# to GitLab.com, we should be able to use the template and set SAST_DISABLE_DIND: "true".
|
|
sast:
|
|
extends:
|
|
- .default-retry
|
|
- .reports:rules:sast
|
|
stage: test
|
|
allow_failure: true
|
|
dependencies: [] # GitLab-specific
|
|
artifacts:
|
|
paths:
|
|
- gl-sast-report.json # GitLab-specific
|
|
reports:
|
|
sast: gl-sast-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
image: docker:stable
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_TLS_CERTDIR: ""
|
|
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
|
|
SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec # GitLab-specific
|
|
services:
|
|
- docker:stable-dind
|
|
script:
|
|
- export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
|
|
- |
|
|
if ! docker info &>/dev/null; then
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
fi
|
|
fi
|
|
- |
|
|
ENVS=`printenv | grep -vE '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | sed -n '/^[^\t]/s/=.*//p' | sed '/^$/d' | sed 's/^/-e /g' | tr '\n' ' '`
|
|
docker run "$ENVS" \
|
|
--volume "$PWD:/code" \
|
|
--volume /var/run/docker.sock:/var/run/docker.sock \
|
|
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
|
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
# override an included `only.refs`.
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
dependency_scanning:
|
|
extends:
|
|
- .default-retry
|
|
- .reports:rules:dependency_scanning
|
|
stage: test
|
|
image: docker:stable
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_TLS_CERTDIR: ""
|
|
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports,spec,ee/spec" # GitLab-specific
|
|
allow_failure: true
|
|
services:
|
|
- docker:stable-dind
|
|
script:
|
|
- export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
|
|
- |
|
|
if ! docker info &>/dev/null; then
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
fi
|
|
fi
|
|
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
|
|
function propagate_env_vars() {
|
|
CURRENT_ENV=$(printenv)
|
|
|
|
for VAR_NAME; do
|
|
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
|
|
done
|
|
}
|
|
- |
|
|
docker run \
|
|
$(propagate_env_vars \
|
|
DS_ANALYZER_IMAGES \
|
|
DS_ANALYZER_IMAGE_PREFIX \
|
|
DS_ANALYZER_IMAGE_TAG \
|
|
DS_DEFAULT_ANALYZERS \
|
|
DS_EXCLUDED_PATHS \
|
|
DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
|
|
DS_PULL_ANALYZER_IMAGE_TIMEOUT \
|
|
DS_RUN_ANALYZER_TIMEOUT \
|
|
DS_PYTHON_VERSION \
|
|
DS_PIP_VERSION \
|
|
DS_PIP_DEPENDENCY_PATH \
|
|
GEMNASIUM_DB_LOCAL_PATH \
|
|
GEMNASIUM_DB_REMOTE_URL \
|
|
GEMNASIUM_DB_REF_NAME \
|
|
PIP_INDEX_URL \
|
|
PIP_EXTRA_INDEX_URL \
|
|
PIP_REQUIREMENTS_FILE \
|
|
MAVEN_CLI_OPTS \
|
|
BUNDLER_AUDIT_UPDATE_DISABLED \
|
|
BUNDLER_AUDIT_ADVISORY_DB_URL \
|
|
BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \
|
|
) \
|
|
--volume "$PWD:/code" \
|
|
--volume /var/run/docker.sock:/var/run/docker.sock \
|
|
"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_VERSION" /code
|
|
artifacts:
|
|
paths:
|
|
- gl-dependency-scanning-report.json # GitLab-specific
|
|
reports:
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
dependencies: []
|
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
# override an included `only.refs`.
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
dast:
|
|
extends:
|
|
- .default-retry
|
|
- .reports:rules:dast
|
|
needs:
|
|
- job: review-deploy
|
|
artifacts: true
|
|
stage: qa # GitLab-specific
|
|
image:
|
|
name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
|
|
variables:
|
|
# To be done in a later iteration
|
|
# DAST_USERNAME: "root"
|
|
# DAST_USERNAME_FIELD: "user[login]"
|
|
# DAST_PASSWORD_FIELD: "user[passowrd]"
|
|
allow_failure: true
|
|
script:
|
|
- 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"'
|
|
# To be done in a later iteration
|
|
# - 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"'
|
|
# - 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"'
|
|
- /analyze -t $DAST_WEBSITE
|
|
artifacts:
|
|
paths:
|
|
- gl-dast-report.json # GitLab-specific
|
|
reports:
|
|
dast: gl-dast-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
|
|
# To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255
|
|
# schedule:dast:
|
|
# extends: dast
|
|
# rules:
|
|
# - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
|
|
# when: never
|
|
# - <<: *if-canonical-dot-com-gitlab-org-group-schedule
|
|
# variables:
|
|
# DAST_FULL_SCAN_ENABLED: "true"
|