156 lines
4.9 KiB
YAML
156 lines
4.9 KiB
YAML
include:
|
|
- template: Jobs/Code-Quality.gitlab-ci.yml
|
|
# - template: Security/SAST.gitlab-ci.yml
|
|
# - template: Security/Dependency-Scanning.gitlab-ci.yml
|
|
# - template: Security/DAST.gitlab-ci.yml
|
|
|
|
code_quality:
|
|
extends:
|
|
- .default-retry
|
|
- .use-docker-in-docker
|
|
artifacts:
|
|
paths:
|
|
- gl-code-quality-report.json # GitLab-specific
|
|
rules: !reference [".reports:rules:code_quality", rules]
|
|
|
|
# We need to duplicate this job's definition because the rules
|
|
# defined in the extended jobs rely on local YAML anchors
|
|
# (`*if-default-refs`)
|
|
.sast:
|
|
extends:
|
|
- .default-retry
|
|
- .reports:rules:sast
|
|
stage: test
|
|
# `needs: []` starts the job immediately in the pipeline
|
|
# https://docs.gitlab.com/ee/ci/yaml/README.html#needs
|
|
needs: []
|
|
artifacts:
|
|
paths:
|
|
- gl-sast-report.json # GitLab-specific
|
|
reports:
|
|
sast: gl-sast-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
variables:
|
|
DOCKER_TLS_CERTDIR: ""
|
|
SAST_ANALYZER_IMAGE_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
|
|
SAST_ANALYZER_IMAGE_TAG: 2
|
|
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
|
|
SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec,config/gitlab.yml.example # GitLab-specific
|
|
SAST_DISABLE_BABEL: "true"
|
|
script:
|
|
- /analyzer run
|
|
|
|
brakeman-sast:
|
|
extends: .sast
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
|
|
|
|
eslint-sast:
|
|
extends: .sast
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
|
|
|
|
nodejs-scan-sast:
|
|
extends: .sast
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
|
|
|
|
secrets-sast:
|
|
extends: .sast
|
|
image:
|
|
name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:3"
|
|
artifacts:
|
|
paths:
|
|
- gl-secret-detection-report.json # GitLab-specific
|
|
reports:
|
|
sast: gl-secret-detection-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
|
|
# We need to duplicate this job's definition because the rules
|
|
# defined in the extended jobs rely on local YAML anchors
|
|
# (`*if-default-refs`)
|
|
.dependency_scanning:
|
|
extends:
|
|
- .default-retry
|
|
- .reports:rules:dependency_scanning
|
|
stage: test
|
|
needs: []
|
|
variables:
|
|
DS_MAJOR_VERSION: 2
|
|
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec" # GitLab-specific
|
|
SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
|
|
artifacts:
|
|
paths:
|
|
- gl-dependency-scanning-report.json # GitLab-specific
|
|
reports:
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
script:
|
|
- /analyzer run
|
|
|
|
dependency_scanning gemnasium:
|
|
extends: .dependency_scanning
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/gemnasium:$DS_MAJOR_VERSION"
|
|
before_script:
|
|
# git-lfs is needed for auto-remediation
|
|
- apk add git-lfs
|
|
after_script:
|
|
# Post-processing
|
|
- apk add jq
|
|
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
|
|
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
|
|
|
|
dependency_scanning bundler-audit:
|
|
extends: .dependency_scanning
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/bundler-audit:$DS_MAJOR_VERSION"
|
|
|
|
dependency_scanning retire-js:
|
|
extends: .dependency_scanning
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/retire.js:$DS_MAJOR_VERSION"
|
|
|
|
dependency_scanning gemnasium-python:
|
|
extends: .dependency_scanning
|
|
image:
|
|
name: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
|
|
|
|
# Analyze dependencies for malicious behavior
|
|
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
|
|
package_hunter:
|
|
extends:
|
|
- .reports:rules:package_hunter
|
|
stage: test
|
|
image:
|
|
name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:latest
|
|
entrypoint: [""]
|
|
needs: []
|
|
allow_failure: true
|
|
script:
|
|
- rm -r spec locale .git app/assets/images doc/
|
|
- cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
|
|
- DEBUG=* HTR_user=$PACKAGE_HUNTER_USER HTR_pass=$PACKAGE_HUNTER_PASS node /usr/src/app/cli.js analyze --format gitlab gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
|
|
artifacts:
|
|
paths:
|
|
- gl-dependency-scanning-report.json # GitLab-specific
|
|
reports:
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
|
|
license_scanning:
|
|
extends:
|
|
- .default-retry
|
|
- .reports:rules:license_scanning
|
|
stage: test
|
|
image:
|
|
name: "registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:3"
|
|
entrypoint: [""]
|
|
needs: []
|
|
script:
|
|
- /run.sh analyze .
|
|
artifacts:
|
|
reports:
|
|
license_scanning: gl-license-scanning-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
dependencies: []
|