1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
include:
- template: Jobs/Code-Quality.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml
code_quality:
extends:
- .default-retry
- .use-docker-in-docker
artifacts:
paths:
- gl-code-quality-report.json # GitLab-specific
rules: !reference [".reports:rules:code_quality", rules]
.sast-analyzer:
# We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
extends:
- .default-retry
- sast
needs: []
artifacts:
paths:
- gl-sast-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
variables:
SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific
SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp" # GitLab-specific
SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint
brakeman-sast:
rules: !reference [".reports:rules:sast", rules]
nodejs-scan-sast:
rules: !reference [".reports:rules:sast", rules]
semgrep-sast:
rules: !reference [".reports:rules:sast", rules]
gosec-sast:
variables:
GOPATH: "$CI_PROJECT_DIR/vendor/go"
COMPILE: "false"
GOSEC_GO_PKG_PATH: "$CI_PROJECT_DIR"
SECURE_LOG_LEVEL: "debug"
before_script:
- mkdir -p $GOPATH
- cd workhorse
- go get -d ./...
- cd ..
cache:
paths:
- vendor/go
rules: !reference [".reports:rules:sast", rules]
.secret-analyzer:
extends: .default-retry
needs: []
artifacts:
paths:
- gl-secret-detection-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
secret_detection:
rules: !reference [".reports:rules:secret_detection", rules]
.ds-analyzer:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
extends:
- .default-retry
- dependency_scanning
needs: []
variables:
DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific
artifacts:
paths:
- gl-dependency-scanning-report.json # GitLab-specific
expire_in: 1 week # GitLab-specific
gemnasium-dependency_scanning:
before_script:
# git-lfs is needed for auto-remediation
- apk add git-lfs
after_script:
# Post-processing
- apk add jq
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
bundler-audit-dependency_scanning:
rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
retire-js-dependency_scanning:
rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
gemnasium-python-dependency_scanning:
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
.package_hunter-base:
extends:
- .default-retry
stage: test
image:
name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:1.1.0
entrypoint: [""]
variables:
DEBUG: '*'
HTR_user: '$PACKAGE_HUNTER_USER'
HTR_pass: '$PACKAGE_HUNTER_PASS'
needs: []
allow_failure: true
before_script:
- rm -r spec locale .git app/assets/images doc/
- cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
artifacts:
paths:
- gl-dependency-scanning-report.json
reports:
dependency_scanning: gl-dependency-scanning-report.json
expire_in: 1 week
package_hunter-yarn:
extends:
- .package_hunter-base
- .reports:rules:package_hunter-yarn
script:
- node /usr/src/app/cli.js analyze --format gitlab --manager yarn gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
package_hunter-bundler:
extends:
- .package_hunter-base
- .reports:rules:package_hunter-bundler
script:
- node /usr/src/app/cli.js analyze --format gitlab --manager bundler gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
license_scanning:
extends: .default-retry
needs: []
artifacts:
expire_in: 1 week # GitLab-specific
rules: !reference [".reports:rules:license_scanning", rules]
|
