add security scans to ci pipeline

.gitignore

@@ -1,17 +1,3 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp
+/.bundle
+/Gemfile.lock
+/pkg

.gitlab-ci.yml

@@ -1,5 +1,63 @@
+stages:
+  - build
+  - codequality
+  - security
+
+build:
+  stage: build
+  image: ruby:2.5
+  script:
+    - gem install bundler --no-ri --no-rdoc
+    - bundle update
+  artifacts:
+    paths:
+      - Gemfile.lock
+
 rubocop:
+  stage: codequality
   image: ruby:2.5
   script:
     - gem install rubocop --no-ri --no-rdoc
     - rubocop
+
+dependency_scanning:
+  stage: security
+  dependencies:
+    - build
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  script:
+    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
+    - docker run
+        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
+        --volume "$PWD:/code"
+        --volume /var/run/docker.sock:/var/run/docker.sock
+        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
+  artifacts:
+    paths:
+      - gl-dependency-scanning-report.json
+
+sast:
+  stage: security
+  dependencies:
+    - build
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  script:
+    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
+    - docker run
+        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
+        --volume "$PWD:/code"
+        --volume /var/run/docker.sock:/var/run/docker.sock
+        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
+  artifacts:
+    paths:
+      - gl-sast-report.json