Propagate ENV vars to SAST and Dependency Scanning Docker containers only if they are set

2 files changed, 38 insertions, 18 deletions

diff --git a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
index 7f80a6e9285..263221329ab 100644
--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
@@ -20,16 +20,26 @@ dependency_scanning:
           export DOCKER_HOST='tcp://localhost:2375'
         fi
       fi
+    - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
+      function propagate_env_vars() {
+        CURRENT_ENV=$(printenv)
+
+        for VAR_NAME; do
+          echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
+        done
+      }
     - |
       docker run \
-        --env DS_ANALYZER_IMAGES \
-        --env DS_ANALYZER_IMAGE_PREFIX \
-        --env DS_ANALYZER_IMAGE_TAG \
-        --env DS_DEFAULT_ANALYZERS \
-        --env DEP_SCAN_DISABLE_REMOTE_CHECKS \
-        --env DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
-        --env DS_PULL_ANALYZER_IMAGE_TIMEOUT \
-        --env DS_RUN_ANALYZER_TIMEOUT \
+        $(propagate_env_vars \
+          DS_ANALYZER_IMAGES \
+          DS_ANALYZER_IMAGE_PREFIX \
+          DS_ANALYZER_IMAGE_TAG \
+          DS_DEFAULT_ANALYZERS \
+          DEP_SCAN_DISABLE_REMOTE_CHECKS \
+          DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
+          DS_PULL_ANALYZER_IMAGE_TIMEOUT \
+          DS_RUN_ANALYZER_TIMEOUT \
+        ) \
         --volume "$PWD:/code" \
         --volume /var/run/docker.sock:/var/run/docker.sock \
         "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_VERSION" /code
diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
index b941e89991e..f0152cd4537 100644
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -20,18 +20,28 @@ sast:
           export DOCKER_HOST='tcp://localhost:2375'
         fi
       fi
+    - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
+      function propagate_env_vars() {
+        CURRENT_ENV=$(printenv)
+
+        for VAR_NAME; do
+          echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
+        done
+      }
     - |
       docker run \
-        --env SAST_ANALYZER_IMAGES \
-        --env SAST_ANALYZER_IMAGE_PREFIX \
-        --env SAST_ANALYZER_IMAGE_TAG \
-        --env SAST_DEFAULT_ANALYZERS \
-        --env SAST_BRAKEMAN_LEVEL \
-        --env SAST_GOSEC_LEVEL \
-        --env SAST_FLAWFINDER_LEVEL \
-        --env SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
-        --env SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
-        --env SAST_RUN_ANALYZER_TIMEOUT \
+        $(propagate_env_vars \
+          SAST_ANALYZER_IMAGES \
+          SAST_ANALYZER_IMAGE_PREFIX \
+          SAST_ANALYZER_IMAGE_TAG \
+          SAST_DEFAULT_ANALYZERS \
+          SAST_BRAKEMAN_LEVEL \
+          SAST_GOSEC_LEVEL \
+          SAST_FLAWFINDER_LEVEL \
+          SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
+          SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
+          SAST_RUN_ANALYZER_TIMEOUT \
+        ) \
         --volume "$PWD:/code" \
         --volume /var/run/docker.sock:/var/run/docker.sock \
         "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code