237 lines
7.6 KiB
YAML
237 lines
7.6 KiB
YAML
# include:
|
|
# - template: Code-Quality.gitlab-ci.yml
|
|
# - template: Security/SAST.gitlab-ci.yml
|
|
# - template: Security/Dependency-Scanning.gitlab-ci.yml
|
|
# - template: Security/DAST.gitlab-ci.yml
|
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
# override an included `only.refs`.
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
code_quality:
|
|
extends:
|
|
- .default-retry
|
|
- .default-only
|
|
- .only:changes-code-backstage
|
|
stage: test
|
|
image: docker:stable
|
|
allow_failure: true
|
|
services:
|
|
- docker:stable-dind
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_TLS_CERTDIR: ""
|
|
CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.6"
|
|
script:
|
|
- |
|
|
if ! docker info &>/dev/null; then
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
fi
|
|
fi
|
|
- docker pull --quiet "$CODE_QUALITY_IMAGE"
|
|
- docker run
|
|
--env SOURCE_CODE="$PWD"
|
|
--volume "$PWD":/code
|
|
--volume /var/run/docker.sock:/var/run/docker.sock
|
|
"$CODE_QUALITY_IMAGE" /code
|
|
artifacts:
|
|
reports:
|
|
codequality: gl-code-quality-report.json
|
|
paths:
|
|
- gl-code-quality-report.json
|
|
expire_in: 1 week
|
|
dependencies: []
|
|
except:
|
|
variables:
|
|
- $CODE_QUALITY_DISABLED
|
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
# override an included `only.refs`.
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
# Once https://gitlab.com/gitlab-org/gitlab/merge_requests/16487 will be deployed
|
|
# to GitLab.com, we should be able to use the template and set SAST_DISABLE_DIND: "true".
|
|
sast:
|
|
extends:
|
|
- .default-retry
|
|
- .default-only
|
|
- .only:changes-code-backstage-qa
|
|
stage: test
|
|
image: docker:stable
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_TLS_CERTDIR: ""
|
|
SAST_BRAKEMAN_LEVEL: 2
|
|
SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec
|
|
allow_failure: true
|
|
services:
|
|
- docker:stable-dind
|
|
script:
|
|
- export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
|
|
- |
|
|
if ! docker info &>/dev/null; then
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
fi
|
|
fi
|
|
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
|
|
function propagate_env_vars() {
|
|
CURRENT_ENV=$(printenv)
|
|
|
|
for VAR_NAME; do
|
|
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
|
|
done
|
|
}
|
|
- |
|
|
docker run \
|
|
$(propagate_env_vars \
|
|
SAST_BANDIT_EXCLUDED_PATHS \
|
|
SAST_ANALYZER_IMAGES \
|
|
SAST_ANALYZER_IMAGE_PREFIX \
|
|
SAST_ANALYZER_IMAGE_TAG \
|
|
SAST_DEFAULT_ANALYZERS \
|
|
SAST_PULL_ANALYZER_IMAGES \
|
|
SAST_BRAKEMAN_LEVEL \
|
|
SAST_FLAWFINDER_LEVEL \
|
|
SAST_GITLEAKS_ENTROPY_LEVEL \
|
|
SAST_GOSEC_LEVEL \
|
|
SAST_EXCLUDED_PATHS \
|
|
SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
|
|
SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
|
|
SAST_RUN_ANALYZER_TIMEOUT \
|
|
SAST_JAVA_VERSION \
|
|
ANT_HOME \
|
|
ANT_PATH \
|
|
GRADLE_PATH \
|
|
JAVA_OPTS \
|
|
JAVA_PATH \
|
|
JAVA_8_VERSION \
|
|
JAVA_11_VERSION \
|
|
MAVEN_CLI_OPTS \
|
|
MAVEN_PATH \
|
|
MAVEN_REPO_PATH \
|
|
SBT_PATH \
|
|
FAIL_NEVER \
|
|
) \
|
|
--volume "$PWD:/code" \
|
|
--volume /var/run/docker.sock:/var/run/docker.sock \
|
|
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
|
|
artifacts:
|
|
expire_in: 7 days
|
|
paths:
|
|
- gl-sast-report.json
|
|
reports:
|
|
sast: gl-sast-report.json
|
|
dependencies: []
|
|
only:
|
|
variables:
|
|
- $GITLAB_FEATURES =~ /\bsast\b/
|
|
except:
|
|
variables:
|
|
- $SAST_DISABLED
|
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
# override an included `only.refs`.
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
dependency_scanning:
|
|
extends:
|
|
- .default-retry
|
|
- .default-only
|
|
- .only:changes-code-backstage-qa
|
|
stage: test
|
|
image: docker:stable
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_TLS_CERTDIR: ""
|
|
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports,spec,ee/spec"
|
|
allow_failure: true
|
|
services:
|
|
- docker:stable-dind
|
|
script:
|
|
- export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
|
|
- |
|
|
if ! docker info &>/dev/null; then
|
|
if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
|
|
export DOCKER_HOST='tcp://localhost:2375'
|
|
fi
|
|
fi
|
|
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
|
|
function propagate_env_vars() {
|
|
CURRENT_ENV=$(printenv)
|
|
|
|
for VAR_NAME; do
|
|
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
|
|
done
|
|
}
|
|
- |
|
|
docker run \
|
|
$(propagate_env_vars \
|
|
DS_ANALYZER_IMAGES \
|
|
DS_ANALYZER_IMAGE_PREFIX \
|
|
DS_ANALYZER_IMAGE_TAG \
|
|
DS_DEFAULT_ANALYZERS \
|
|
DS_EXCLUDED_PATHS \
|
|
DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
|
|
DS_PULL_ANALYZER_IMAGE_TIMEOUT \
|
|
DS_RUN_ANALYZER_TIMEOUT \
|
|
DS_PYTHON_VERSION \
|
|
DS_PIP_DEPENDENCY_PATH \
|
|
PIP_INDEX_URL \
|
|
PIP_EXTRA_INDEX_URL \
|
|
) \
|
|
--volume "$PWD:/code" \
|
|
--volume /var/run/docker.sock:/var/run/docker.sock \
|
|
"registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_VERSION" /code
|
|
artifacts:
|
|
reports:
|
|
dependency_scanning: gl-dependency-scanning-report.json
|
|
dependencies: []
|
|
only:
|
|
variables:
|
|
- $GITLAB_FEATURES =~ /\bdependency_scanning\b/
|
|
except:
|
|
variables:
|
|
- $DEPENDENCY_SCANNING_DISABLED
|
|
|
|
# We need to duplicate this job's definition because it seems it's impossible to
|
|
# override an included `only.refs`.
|
|
# See https://gitlab.com/gitlab-org/gitlab/issues/31371.
|
|
dast:
|
|
extends:
|
|
- .default-retry
|
|
- .default-only
|
|
- .only:changes-code-qa
|
|
- .only-review
|
|
stage: qa
|
|
needs: ["review-deploy"]
|
|
dependencies: ["review-deploy"]
|
|
before_script:
|
|
- export DAST_WEBSITE="$(cat review_app_url.txt)"
|
|
image:
|
|
name: "registry.gitlab.com/gitlab-org/security-products/dast:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
|
|
variables:
|
|
# URL to scan:
|
|
# DAST_WEBSITE: https://example.com/
|
|
#
|
|
# Time limit for target availability (scan is attempted even when timeout):
|
|
# DAST_TARGET_AVAILABILITY_TIMEOUT: 60
|
|
#
|
|
# Set these variables to scan with an authenticated user:
|
|
# DAST_AUTH_URL: https://example.com/sign-in
|
|
# DAST_USERNAME: john.doe@example.com
|
|
# DAST_PASSWORD: john-doe-password
|
|
# DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
|
|
# DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
|
|
# DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional: URLs to skip during the authenticated scan; comma-separated, no spaces in between
|
|
#
|
|
# Perform ZAP Full Scan, which includes both passive and active scanning:
|
|
# DAST_FULL_SCAN_ENABLED: "true"
|
|
allow_failure: true
|
|
script:
|
|
- export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}
|
|
- /analyze -t $DAST_WEBSITE
|
|
artifacts:
|
|
expire_in: 7 days
|
|
paths:
|
|
- gl-dast-report.json
|
|
reports:
|
|
dast: gl-dast-report.json
|