authorNick Thomas <nick@gitlab.com>2020-09-03 10:17:47 +0000
committerNick Thomas <nick@gitlab.com>2020-09-03 10:17:47 +0000
commit98b173cdaebf7b5256a855f7e6bae7f41c73517a (patch)
tree89f54ac2668f50093400fdbec7982513381a9944
parent27c2ef12ea0738c860886ee06d1e6ea90996d1e3 (diff)
parent5252ad54a5b4f43a3af786347744a7afac731cc7 (diff)
Merge branch 'fix-security-scans' into 'master'
Fix SAST and Dependency Scanning. See merge request gitlab-org/gitlab-shell!410
-rw-r--r--.gitlab-ci.yml39
1 files changed, 13 insertions, 26 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1e9365c..8b7c2a9 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,7 @@
include:
- template: Code-Quality.gitlab-ci.yml
+ - template: Security/SAST.gitlab-ci.yml
+ - template: Security/Dependency-Scanning.gitlab-ci.yml
variables:
DOCKER_VERSION: "19.03.0"
@@ -67,32 +69,6 @@ code_quality:
extends: .use-docker-in-docker
rules: *workflow_rules
-sast:
- extends: .use-docker-in-docker
- allow_failure: true
- script:
- - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
- - docker run
- --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
- --volume "$PWD:/code"
- --volume /var/run/docker.sock:/var/run/docker.sock
- "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
- artifacts:
- paths: [gl-sast-report.json]
-
-dependency_scanning:
- extends: .use-docker-in-docker
- allow_failure: true
- script:
- - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
- - docker run
- --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
- --volume "$PWD:/code"
- --volume /var/run/docker.sock:/var/run/docker.sock
- "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
- artifacts:
- paths: [gl-dependency-scanning-report.json]
-
code_navigation:
image: sourcegraph/lsif-go:v1
allow_failure: true
@@ -101,3 +77,14 @@ code_navigation:
artifacts:
reports:
lsif: dump.lsif
+
+# SAST
+gosec-sast:
+ rules: *workflow_rules
+
+# Dependency Scanning
+gemnasium-dependency_scanning:
+ rules: *workflow_rules
+
+bundler-audit-dependency_scanning:
+ rules: *workflow_rules \ No newline at end of file
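Review bot: Setting `rules: *workflow_rules` on `gosec-sast`, `gemnasium-dependency_scanning` and `bundler-audit-dependency_scanning` replaces each template job's `rules` array wholesale rather than extending it, so any conditions the included templates attach to those jobs (for example scanner opt-out variables, if the templates define them) presumably no longer apply to these three jobs, while any other jobs the templates define keep their template rules and are not covered by `*workflow_rules`. The jobs removed in the previous hunk were explicitly `allow_failure: true`; the new jobs inherit whatever the templates set, so whether a scanner finding can block the pipeline is now decided outside this file — a one-line comment above the `# SAST` heading stating the intent, e.g. `# rules are overridden wholesale; template opt-outs and allow_failure come from the instance templates`, would spare the next reader a trip to the template source. As a style point, the file now ends without a trailing newline.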