From 2fecb87e89a708260fd8202cca84cdb95ad2f5eb Mon Sep 17 00:00:00 2001
From: Florian Schwab
Date: Sun, 7 Oct 2018 15:00:27 +0200
Subject: [PATCH] add security scans to ci pipeline
---
 .gitignore | 20 +++--------------
 .gitlab-ci.yml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 17 deletions(-)
diff --git a/.gitignore b/.gitignore
index d87d4be..d78cdb0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,17 +1,3 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp
+/.bundle
+/Gemfile.lock
+/pkg
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 27cbb3f..c4fe184 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,63 @@
+stages:
+ - build
+ - codequality
+ - security
+
+build:
+ stage: build
+ image: ruby:2.5
+ script:
+ - gem install bundler --no-ri --no-rdoc
+ - bundle update
+ artifacts:
+ paths:
+ - Gemfile.lock
+
 rubocop:
+ stage: codequality
 image: ruby:2.5
 script:
 - gem install rubocop --no-ri --no-rdoc
 - rubocop
+
+dependency_scanning:
+ stage: security
+ dependencies:
+ - build
+ image: docker:stable
+ variables:
+ DOCKER_DRIVER: overlay2
+ allow_failure: true
+ services:
+ - docker:stable-dind
+ script:
+ - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
+ - docker run
+ --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
+ --volume "$PWD:/code"
+ --volume /var/run/docker.sock:/var/run/docker.sock
+ "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
+ artifacts:
+ paths:
+ - gl-dependency-scanning-report.json
+
+sast:
+ stage: security
+ dependencies:
+ - build
+ image: docker:stable
+ variables:
+ DOCKER_DRIVER: overlay2
+ allow_failure: true
+ services:
+ - docker:stable-dind
+ script:
+ - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
+ - docker run
+ --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
+ --volume "$PWD:/code"
+ --volume /var/run/docker.sock:/var/run/docker.sock
+ "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
+ artifacts:
+ paths:
+ - gl-sast-report.json
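Review bot: Both `dependency_scanning` and `sast` set `allow_failure: true` while pulling the scanner image by a branch-style tag computed at run time (`$SP_VERSION` from `$CI_SERVER_VERSION`, e.g. `11-3-stable`), so a scanner that cannot start — a tag that does not yet exist for the runner's GitLab version, or a pull failure — leaves the pipeline green with no `gl-dependency-scanning-report.json` / `gl-sast-report.json` produced, and nothing in the hunk makes that visible. The image reference is also not pinned by digest, so the code that runs against `/code` can change underneath the project without a commit; pinning the tag with `@sha256:...` or at least echoing the resolved `$SP_VERSION` in the job log would make the scan reproducible. Mounting `/var/run/docker.sock` gives the scanner control over whatever Docker daemon that socket reaches; with the `docker:stable-dind` service this is presumably the job-scoped daemon rather than the host's, but worth confirming for this runner's configuration. I would add above each `allow_failure: true` the comment `# allow_failure masks scanner errors (missing image tag, pull failure) — check the job log and the report artifact, not just the pipeline status`.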