From 2cb0e9840101511f194d904b8412aed75a0d8d1a Mon Sep 17 00:00:00 2001
From: Victor Zagorodny
Date: Fri, 8 Mar 2019 03:39:35 +0000
Subject: Use vendored templates for Sec Products Update Dependency Scanning and add other templates

---
 .../Security/Container-Scanning.gitlab-ci.yml      | 48 +++++++++++++++++
 .../ci/templates/Security/DAST.gitlab-ci.yml       | 60 ++++++++++++++++++++++
 .../Security/Dependency-Scanning.gitlab-ci.yml     |  3 --
 .../Security/License-Management.gitlab-ci.yml      | 27 ++++++++++
 .../ci/templates/Security/SAST.gitlab-ci.yml       | 43 ++++++++++++++++
 5 files changed, 178 insertions(+), 3 deletions(-)
 create mode 100644 lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
 create mode 100644 lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
 create mode 100644 lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml
 create mode 100644 lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

diff --git a/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
new file mode 100644
index 00000000000..42cb452ec99
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
@@ -0,0 +1,48 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
+
+container_scanning:
+  stage: test
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+    # Defining two new variables based on GitLab's CI/CD predefined variables
+    # https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
+    CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
+    CI_APPLICATION_TAG: $CI_COMMIT_SHA
+    # Prior to this, you need to have the Container Registry running for your project and setup a build job
+    # with at least the following steps:
+    #
+    # docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
+    # docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
+    #
+    # Container Scanning deals with Docker images only so no need to import the project's Git repository:
+    GIT_STRATEGY: none
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  script:
+    - docker run -d --name db arminc/clair-db:latest
+    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
+    - apk add -U wget ca-certificates
+    - docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
+    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+    - mv clair-scanner_linux_amd64 clair-scanner
+    - chmod +x clair-scanner
+    - touch clair-whitelist.yml
+    - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
+    - retries=0
+    - echo "Waiting for clair daemon to start"
+    - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
+  artifacts:
+    reports:
+      container_scanning: gl-container-scanning-report.json
+  dependencies: []
+  only:
+    refs:
+      - branches
+    variables:
+      - $GITLAB_FEATURES =~ /\bcontainer_scanning\b/
+  except:
+    variables:
+      - $CONTAINER_SCANNING_DISABLED
diff --git a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
new file mode 100644
index 00000000000..4e708f229cd
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
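Review bot: The `wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64` step followed by `chmod +x clair-scanner` executes a binary fetched over the network with no integrity check, so a replaced release asset would run unverified on the runner; a pinned digest check before the `mv`, e.g. `- echo "<SHA256_OF_CLAIR_SCANNER_V8_ASSET>  clair-scanner_linux_amd64" | sha256sum -c -` (digest taken from the upstream release), closes that gap. The first `while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done` loop has no retry limit, so the bounded loop that follows with the "Timeout, aborting." message can never be the one that gives up; deleting the unbounded loop makes the ten-retry timeout effective. `arminc/clair-db:latest` is also a floating tag, so the vulnerability database used by a run is not reproducible; if that is intended, a comment such as `# clair-db is left unpinned so the vulnerability database is current at scan time` should say so.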
@@ -0,0 +1,60 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/dast.html
+
+# Configure the scanning tool through the environment variables.
+# List of the variables: https://gitlab.com/gitlab-org/security-products/dast#settings
+# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
+
+variables:
+  DAST_WEBSITE: http://example.com # Please edit to be your website to scan for vulnerabilities
+
+stages:
+  - build
+  - test
+  - deploy
+  - dast
+
+dast:
+  stage: dast
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  before_script:
+    - export DAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
+    - |
+      function dast_run() {
+        docker run \
+          --env DAST_TARGET_AVAILABILITY_TIMEOUT \
+          --volume "$PWD:/output" \
+          --volume /var/run/docker.sock:/var/run/docker.sock \
+          -w /output \
+          "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION" \
+          /analyze -t $DAST_WEBSITE \
+          "$@"
+      }
+  script:
+    - |
+      if [ -n "$DAST_AUTH_URL" ]
+      then
+        dast_run \
+          --auth-url $DAST_AUTH_URL \
+          --auth-username $DAST_USERNAME \
+          --auth-password $DAST_PASSWORD \
+          --auth-username-field $DAST_USERNAME_FIELD \
+          --auth-password-field $DAST_PASSWORD_FIELD
+      else
+        dast_run
+      fi
+  artifacts:
+    reports:
+      dast: gl-dast-report.json
+  only:
+    refs:
+      - branches
+    variables:
+      - $GITLAB_FEATURES =~ /\bdast\b/
+  except:
+    variables:
+      - $DAST_DISABLED
diff --git a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
index 805df26b957..fd666541d41 100644
--- a/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
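Review bot: The default `DAST_WEBSITE: http://example.com` means a project that includes this template without editing it runs an active scan against a host the project does not own; an empty default that makes the job fail fast (`DAST_WEBSITE: ""` together with a `[ -n "$DAST_WEBSITE" ]` check at the top of `script`), or a comment stating the variable is required, is the safer shape. Inside `dast_run`, `-t $DAST_WEBSITE` and the `--auth-*` expansions in `script` are unquoted, so a value containing spaces or shell metacharacters is word-split before it reaches `/analyze`; they should read `-t "$DAST_WEBSITE"`, `--auth-password "$DAST_PASSWORD"` and so on. The analyzer is pulled by the mutable `$DAST_VERSION` tag (`-stable` unless `SP_VERSION` is set) and is given `/var/run/docker.sock`, so whatever the registry serves under that tag effectively controls the dind daemon; the SAST hunk in this commit has the same pattern, and a comment above the `export` line such as `# SP_VERSION pins the analyzer image; otherwise the floating <major>-<minor>-stable tag is used` would make the pin visible in both. Unlike the other three jobs added or touched here, `dast` has no `dependencies: []`, so it downloads every artifact from the build, test and deploy stages it does not need.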
@@ -4,9 +4,6 @@
 # List of the variables: https://gitlab.com/gitlab-org/security-products/dependency-scanning#settings
 # How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
 
-stages:
-  - test
-
 dependency_scanning:
   stage: test
   image: docker:stable
diff --git a/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml
new file mode 100644
index 00000000000..0208beb35b8
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml
@@ -0,0 +1,27 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/license_management.html
+
+variables:
+  LICENSE_MANAGEMENT_SETUP_CMD: '' # If needed, specify a command to setup your environment with a custom package manager.
+
+license_management:
+  stage: test
+  image:
+    name: "registry.gitlab.com/gitlab-org/security-products/license-management:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
+    entrypoint: [""]
+  variables:
+    SETUP_CMD: $LICENSE_MANAGEMENT_SETUP_CMD
+  allow_failure: true
+  script:
+    - /run.sh analyze .
+  artifacts:
+    reports:
+      license_management: gl-license-management-report.json
+  dependencies: []
+  only:
+    refs:
+      - branches
+    variables:
+      - $GITLAB_FEATURES =~ /\blicense_management\b/
+  except:
+    variables:
+      - $LICENSE_MANAGEMENT_DISABLED
diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
new file mode 100644
index 00000000000..034fba5499c
--- /dev/null
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
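Review bot: The `license_management` image tag is built from `$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable` with no `SP_VERSION` override, unlike the DAST and SAST jobs in this commit, so a user who pins `SP_VERSION` to a specific analyzer release gets it for two scanners but silently not for this one; either honour the same variable here or document the difference with a comment on the `image:` key such as `# Unlike SAST and DAST, this tag cannot be overridden with SP_VERSION`. `LICENSE_MANAGEMENT_SETUP_CMD` is forwarded to the analyzer as `SETUP_CMD` and the inline comment describes it as a command, which presumably means `/run.sh` executes it as a shell command; the comment should say so explicitly, e.g. `# Shell command run inside the analyzer before analysis; leave empty unless a custom package manager must be set up.`, so that anyone able to set this CI variable understands it is executable input rather than a plain setting.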
@@ -0,0 +1,43 @@
+# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
+#
+# Configure the scanning tool through the environment variables.
+# List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings
+# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
+
+sast:
+  stage: test
+  image: docker:stable
+  variables:
+    DOCKER_DRIVER: overlay2
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  script:
+    - export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
+    - |
+      docker run \
+        --env SAST_ANALYZER_IMAGES \
+        --env SAST_ANALYZER_IMAGE_PREFIX \
+        --env SAST_ANALYZER_IMAGE_TAG \
+        --env SAST_DEFAULT_ANALYZERS \
+        --env SAST_BRAKEMAN_LEVEL \
+        --env SAST_GOSEC_LEVEL \
+        --env SAST_FLAWFINDER_LEVEL \
+        --env SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
+        --env SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
+        --env SAST_RUN_ANALYZER_TIMEOUT \
+        --volume "$PWD:/code" \
+        --volume /var/run/docker.sock:/var/run/docker.sock \
+        "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+  dependencies: []
+  only:
+    refs:
+      - branches
+    variables:
+      - $GITLAB_FEATURES =~ /\bsast\b/
+  except:
+    variables:
+      - $SAST_DISABLED
-- 
cgit v1.2.1
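Review bot: `export SAST_VERSION=...` is placed in `script`, while the DAST job added in the same commit computes the equivalent `DAST_VERSION` in `before_script`; moving it to `before_script` keeps the two templates parallel and leaves `script` holding only the analyzer invocation. The `--env SAST_*` list is a hand-maintained allowlist, so any setting described on the settings page linked at the top of the file but not listed here never reaches the container and is silently ignored; a comment above `docker run` such as `# Only the SAST_* variables listed below are forwarded into the analyzer container; extend this list when a new setting is added` would make that visible to whoever next adds a variable.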