# include: # - template: Jobs/Code-Quality.gitlab-ci.yml # - template: Security/SAST.gitlab-ci.yml # - template: Security/Dependency-Scanning.gitlab-ci.yml # - template: Security/DAST.gitlab-ci.yml # We need to duplicate this job's definition because it seems it's impossible to # override an included `only.refs`. # See https://gitlab.com/gitlab-org/gitlab/issues/31371. code_quality: extends: - .default-retry - .reports:rules:code_quality stage: test image: docker:stable allow_failure: true services: - docker:stable-dind variables: DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" CODE_QUALITY_IMAGE: "registry.gitlab.com/gitlab-org/security-products/codequality:0.85.6" script: - | if ! docker info &>/dev/null; then if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then export DOCKER_HOST='tcp://localhost:2375' fi fi - docker pull --quiet "$CODE_QUALITY_IMAGE" - docker run --env SOURCE_CODE="$PWD" --volume "$PWD":/code --volume /var/run/docker.sock:/var/run/docker.sock "$CODE_QUALITY_IMAGE" /code artifacts: reports: codequality: gl-code-quality-report.json paths: - gl-code-quality-report.json # GitLab-specific expire_in: 1 week # GitLab-specific dependencies: [] # We need to duplicate this job's definition because it seems it's impossible to # override an included `only.refs`. # See https://gitlab.com/gitlab-org/gitlab/issues/31371. # Once https://gitlab.com/gitlab-org/gitlab/merge_requests/16487 will be deployed # to GitLab.com, we should be able to use the template and set SAST_DISABLE_DIND: "true". sast: extends: - .default-retry - .reports:rules:sast stage: test allow_failure: true dependencies: [] # GitLab-specific artifacts: paths: - gl-sast-report.json # GitLab-specific reports: sast: gl-sast-report.json expire_in: 1 week # GitLab-specific image: docker:stable variables: DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific SAST_EXCLUDED_PATHS: qa,spec,doc,ee/spec # GitLab-specific services: - docker:stable-dind script: - export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')} - | if ! docker info &>/dev/null; then if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then export DOCKER_HOST='tcp://localhost:2375' fi fi - | ENVS=`printenv | grep -vE '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | sed -n '/^[^\t]/s/=.*//p' | sed '/^$/d' | sed 's/^/-e /g' | tr '\n' ' '` docker run "$ENVS" \ --volume "$PWD:/code" \ --volume /var/run/docker.sock:/var/run/docker.sock \ "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code # We need to duplicate this job's definition because it seems it's impossible to # override an included `only.refs`. # See https://gitlab.com/gitlab-org/gitlab/issues/31371. dependency_scanning: extends: - .default-retry - .reports:rules:dependency_scanning stage: test image: docker:stable variables: DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports,spec,ee/spec" # GitLab-specific allow_failure: true services: - docker:stable-dind script: - export DS_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')} - | if ! docker info &>/dev/null; then if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then export DOCKER_HOST='tcp://localhost:2375' fi fi - | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage function propagate_env_vars() { CURRENT_ENV=$(printenv) for VAR_NAME; do echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME " done } - | docker run \ $(propagate_env_vars \ DS_ANALYZER_IMAGES \ DS_ANALYZER_IMAGE_PREFIX \ DS_ANALYZER_IMAGE_TAG \ DS_DEFAULT_ANALYZERS \ DS_EXCLUDED_PATHS \ DS_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \ DS_PULL_ANALYZER_IMAGE_TIMEOUT \ DS_RUN_ANALYZER_TIMEOUT \ DS_PYTHON_VERSION \ DS_PIP_VERSION \ DS_PIP_DEPENDENCY_PATH \ GEMNASIUM_DB_LOCAL_PATH \ GEMNASIUM_DB_REMOTE_URL \ GEMNASIUM_DB_REF_NAME \ PIP_INDEX_URL \ PIP_EXTRA_INDEX_URL \ PIP_REQUIREMENTS_FILE \ MAVEN_CLI_OPTS \ BUNDLER_AUDIT_UPDATE_DISABLED \ BUNDLER_AUDIT_ADVISORY_DB_URL \ BUNDLER_AUDIT_ADVISORY_DB_REF_NAME \ ) \ --volume "$PWD:/code" \ --volume /var/run/docker.sock:/var/run/docker.sock \ "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$DS_VERSION" /code artifacts: paths: - gl-dependency-scanning-report.json # GitLab-specific reports: dependency_scanning: gl-dependency-scanning-report.json expire_in: 1 week # GitLab-specific dependencies: [] # We need to duplicate this job's definition because it seems it's impossible to # override an included `only.refs`. # See https://gitlab.com/gitlab-org/gitlab/issues/31371. dast: extends: - .default-retry - .reports:rules:dast needs: - job: review-deploy artifacts: true stage: qa # GitLab-specific image: name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION" variables: # To be done in a later iteration # DAST_USERNAME: "root" # DAST_USERNAME_FIELD: "user[login]" # DAST_PASSWORD_FIELD: "user[passowrd]" allow_failure: true script: - 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"' # To be done in a later iteration # - 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"' # - 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"' - /analyze -t $DAST_WEBSITE artifacts: paths: - gl-dast-report.json # GitLab-specific reports: dast: gl-dast-report.json expire_in: 1 week # GitLab-specific # To be done in a later iteration: https://gitlab.com/gitlab-org/gitlab/issues/31160#note_278188255 # schedule:dast: # extends: # - dast # - .reports:schedule-dast # variables: # DAST_FULL_SCAN_ENABLED: "true"