1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
|
include:
- template: Jobs/Code-Quality.gitlab-ci.yml
- template: Jobs/SAST.gitlab-ci.yml
- template: Jobs/Secret-Detection.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml
code_quality:
extends:
- .default-retry
- .use-docker-in-docker
stage: lint
artifacts:
paths:
- gl-code-quality-report.json # GitLab-specific
rules: !reference [".reports:rules:code_quality", rules]
allow_failure: true
.sast-analyzer:
# We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
extends:
- .default-retry
- sast
stage: lint
needs: []
artifacts:
paths:
- gl-sast-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
variables:
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp" # GitLab-specific
SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint, nodejs-scan
brakeman-sast:
rules: !reference [".reports:rules:brakeman-sast", rules]
semgrep-sast:
rules: !reference [".reports:rules:semgrep-sast", rules]
gosec-sast:
variables:
GOPATH: "$CI_PROJECT_DIR/vendor/go"
COMPILE: "false"
GOSEC_GO_PKG_PATH: "$CI_PROJECT_DIR"
SECURE_LOG_LEVEL: "debug"
before_script:
- mkdir -p $GOPATH
- cd workhorse
- go get -d ./...
- cd ..
cache:
paths:
- vendor/go
rules: !reference [".reports:rules:gosec-sast", rules]
.secret-analyzer:
extends: .default-retry
stage: lint
needs: []
artifacts:
paths:
- gl-secret-detection-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
secret_detection:
rules: !reference [".reports:rules:secret_detection", rules]
.ds-analyzer:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
extends:
- .default-retry
- dependency_scanning
stage: lint
needs: []
variables:
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific
DS_EXCLUDED_ANALYZERS: "gemnasium-maven"
artifacts:
paths:
- gl-dependency-scanning-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
gemnasium-dependency_scanning:
before_script:
# git-lfs is needed for auto-remediation
- apk add git-lfs
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
bundler-audit-dependency_scanning:
rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
retire-js-dependency_scanning:
rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
gemnasium-python-dependency_scanning:
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
yarn-audit-dependency_scanning:
extends: .ds-analyzer
image: "registry.gitlab.com/gitlab-org/security-products/analyzers/npm-audit:1.4.1"
variables:
TOOL: yarn
rules: !reference [".reports:rules:yarn-audit-dependency_scanning", rules]
# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
.package_hunter-base:
extends: .default-retry
stage: test
image:
name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:1.1.0
entrypoint: [""]
variables:
HTR_user: '$PACKAGE_HUNTER_USER'
HTR_pass: '$PACKAGE_HUNTER_PASS'
needs: []
allow_failure: true
before_script:
- rm -r spec locale .git app/assets/images doc/
- cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
script:
- DEBUG=* node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json
after_script:
- mkdir ~/.aws
- '[[ -z "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ]] || mv "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ~/.aws/credentials'
- npm install --no-save --ignore-scripts @aws-sdk/client-s3@3.49.0
- scripts/ingest-reports-to-siem
artifacts:
paths:
- gl-dependency-scanning-report.json
reports:
dependency_scanning: gl-dependency-scanning-report.json
expire_in: 1 week
package_hunter-yarn:
extends:
- .package_hunter-base
- .reports:rules:package_hunter-yarn
variables:
PACKAGE_MANAGER: yarn
package_hunter-bundler:
extends:
- .package_hunter-base
- .reports:rules:package_hunter-bundler
variables:
PACKAGE_MANAGER: bundler
license_scanning:
extends: .default-retry
stage: lint
needs: []
artifacts:
expire_in: 1 week # GitLab-specific
rules: !reference [".reports:rules:license_scanning", rules]
|
