summaryrefslogtreecommitdiff
path: root/.gitlab/ci/reports.gitlab-ci.yml
blob: b9d2e31191a16de7196fd7c5a1dcff70eb0af52a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
include:
  - template: Jobs/Code-Quality.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml

code_quality:
  extends:
    - .default-retry
    - .use-docker-in-docker
  stage: lint
  artifacts:
    paths:
      - gl-code-quality-report.json  # GitLab-specific
  rules: !reference [".reports:rules:code_quality", rules]
  allow_failure: true

.sast-analyzer:
  # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
  extends:
    - .default-retry
    - sast
  stage: lint
  needs: []
  artifacts:
    paths:
      - gl-sast-report.json  # GitLab-specific
    expire_in: 1 week  # GitLab-specific
  variables:
    SAST_BRAKEMAN_LEVEL: 2  # GitLab-specific
    SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp"  # GitLab-specific
    SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint, nodejs-scan

brakeman-sast:
  rules: !reference [".reports:rules:brakeman-sast", rules]

semgrep-sast:
  rules: !reference [".reports:rules:semgrep-sast", rules]

gosec-sast:
  variables:
    GOPATH: "$CI_PROJECT_DIR/vendor/go"
    COMPILE: "false"
    GOSEC_GO_PKG_PATH: "$CI_PROJECT_DIR"
    SECURE_LOG_LEVEL: "debug"
  before_script:
    - mkdir -p $GOPATH
    - cd workhorse
    - go get -d ./...
    - cd ..
  cache:
    paths:
      - vendor/go
  rules: !reference [".reports:rules:gosec-sast", rules]

.secret-analyzer:
  extends: .default-retry
  stage: lint
  needs: []
  artifacts:
    paths:
      - gl-secret-detection-report.json  # GitLab-specific
    expire_in: 1 week  # GitLab-specific

secret_detection:
  rules: !reference [".reports:rules:secret_detection", rules]

.ds-analyzer:
  # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
  extends:
    - .default-retry
    - dependency_scanning
  stage: lint
  needs: []
  variables:
    DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp"  # GitLab-specific
    DS_EXCLUDED_ANALYZERS: "gemnasium-maven"
  artifacts:
    paths:
      - gl-dependency-scanning-report.json  # GitLab-specific
    expire_in: 1 week  # GitLab-specific

gemnasium-dependency_scanning:
  before_script:
    # git-lfs is needed for auto-remediation
    - apk add git-lfs
  rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]

bundler-audit-dependency_scanning:
  rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]

retire-js-dependency_scanning:
  rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]

gemnasium-python-dependency_scanning:
  rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]

yarn-audit-dependency_scanning:
  extends: .ds-analyzer
  image: "registry.gitlab.com/gitlab-org/security-products/analyzers/npm-audit:1.4.1"
  variables:
    TOOL: yarn
  rules: !reference [".reports:rules:yarn-audit-dependency_scanning", rules]

# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
.package_hunter-base:
  extends: .default-retry
  stage: test
  image:
    name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:1.1.0
    entrypoint: [""]
  variables:
    HTR_user: '$PACKAGE_HUNTER_USER'
    HTR_pass: '$PACKAGE_HUNTER_PASS'
  needs: []
  allow_failure: true
  before_script:
    - rm -r spec locale .git app/assets/images doc/
    - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
  script:
    - DEBUG=* node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json
  artifacts:
    paths:
      - gl-dependency-scanning-report.json
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    expire_in: 1 week

package_hunter-yarn:
  extends:
    - .package_hunter-base
    - .reports:rules:package_hunter-yarn
  variables:
    PACKAGE_MANAGER: yarn

package_hunter-bundler:
  extends:
    - .package_hunter-base
    - .reports:rules:package_hunter-bundler
  variables:
    PACKAGE_MANAGER: bundler

license_scanning:
  extends: .default-retry
  stage: lint
  needs: []
  artifacts:
    expire_in: 1 week  # GitLab-specific
  rules: !reference [".reports:rules:license_scanning", rules]