From 93a9eb99804be6f8973947bd145b6d168dc1418c Mon Sep 17 00:00:00 2001 From: Victor Zagorodny Date: Fri, 1 Mar 2019 20:52:55 +0200 Subject: Add vendored CI/CD template for SAST job --- .../ci/templates/Security/SAST.gitlab-ci.yml | 46 ++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml new file mode 100644 index 00000000000..92492b8ebc8 --- /dev/null +++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml @@ -0,0 +1,46 @@ +# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/sast.html +# +# Configure the scanning tool through the environment variables. +# List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings +# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables + +stages: + - test + +sast: + stage: test + image: docker:stable + variables: + DOCKER_DRIVER: overlay2 + allow_failure: true + services: + - docker:stable-dind + script: + - export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')} + - | + docker run \ + --env SAST_ANALYZER_IMAGES \ + --env SAST_ANALYZER_IMAGE_PREFIX \ + --env SAST_ANALYZER_IMAGE_TAG \ + --env SAST_DEFAULT_ANALYZERS \ + --env SAST_BRAKEMAN_LEVEL \ + --env SAST_GOSEC_LEVEL \ + --env SAST_FLAWFINDER_LEVEL \ + --env SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \ + --env SAST_PULL_ANALYZER_IMAGE_TIMEOUT \ + --env SAST_RUN_ANALYZER_TIMEOUT \ + --volume "$PWD:/code" \ + --volume /var/run/docker.sock:/var/run/docker.sock \ + "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code + artifacts: + reports: + sast: gl-sast-report.json + dependencies: [] + only: + refs: + - branches + variables: + - $GITLAB_FEATURES =~ /\bsast\b/ + except: + variables: + - $SAST_DISABLED -- cgit v1.2.1