include: - template: Jobs/Code-Quality.gitlab-ci.yml - template: Jobs/SAST.gitlab-ci.yml - template: Jobs/Secret-Detection.gitlab-ci.yml - template: Jobs/Dependency-Scanning.gitlab-ci.yml code_quality: extends: - .default-retry - .use-docker-in-docker - .code-quality-cache-push stage: lint # P95 duration for this job has been 14min from 2023-04-01 until 2024-04-01 timeout: 15m artifacts: paths: - gl-code-quality-report.json # GitLab-specific # extends generated values cannot overwrite values from included files # Use !reference as a workaround here rules: !reference [".reports:rules:code_quality", rules] allow_failure: true code_quality cache: image: busybox extends: - .default-retry - .reports:rules:code_quality_cache - .code-quality-cache-master-pull stage: lint needs: [] dependencies: [] allow_failure: true script: echo "This job pulls and uses the cached code quality report from the master branch to speed up docs pipelines" artifacts: reports: codequality: gl-code-quality-report.json .sast-analyzer: # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template. extends: - .default-retry - sast stage: lint needs: [] artifacts: paths: - gl-sast-report.json # GitLab-specific access: 'developer' expire_in: 1 week # GitLab-specific variables: SAST_BRAKEMAN_LEVEL: 2 # GitLab-specific SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp" # GitLab-specific SAST_EXCLUDED_ANALYZERS: bandit, flawfinder, phpcs-security-audit, pmd-apex, security-code-scan, spotbugs, eslint, nodejs-scan, sobelow semgrep-sast: rules: !reference [".reports:rules:semgrep-sast", rules] .secret-analyzer: extends: .default-retry stage: lint needs: [] artifacts: paths: - gl-secret-detection-report.json # GitLab-specific access: 'developer' expire_in: 1 week # GitLab-specific secret_detection: rules: !reference [".reports:rules:secret_detection", rules] .ds-analyzer: # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template. extends: - .default-retry - dependency_scanning stage: lint needs: [] variables: DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp" # GitLab-specific DS_EXCLUDED_ANALYZERS: "gemnasium-maven" artifacts: paths: - gl-dependency-scanning-report.json # GitLab-specific access: 'developer' expire_in: 1 week # GitLab-specific gemnasium-dependency_scanning: variables: DS_REMEDIATE: "false" rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules] gemnasium-python-dependency_scanning: rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules] # Analyze dependencies for malicious behavior # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter .package_hunter-base: extends: .default-retry stage: test image: name: ${REGISTRY_HOST}/${REGISTRY_GROUP}/security-products/package-hunter-cli:v3.0.1@sha256:ffa4af2810fed6922ba9d19badc4636043f54f70db19aebb8253e83142e5da16 entrypoint: [""] variables: HTR_user: '$PACKAGE_HUNTER_USER' HTR_pass: '$PACKAGE_HUNTER_PASS' needs: [] allow_failure: true before_script: - rm -r spec locale .git app/assets/images doc/ - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/ script: - DEBUG=* node /usr/src/app/cli.js analyze --format gitlab --manager ${PACKAGE_MANAGER} gitlab.tgz | tee ${CI_PROJECT_DIR}/gl-dependency-scanning-report.json after_script: - mkdir ~/.aws - '[[ -z "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ]] || mv "${AWS_SIEM_REPORT_INGESTION_CREDENTIALS_FILE}" ~/.aws/credentials' - npm install --no-save --ignore-scripts @aws-sdk/client-s3@3.49.0 - scripts/ingest-reports-to-siem || true # Allow legacy report to fail as we'll remove it in the future anyway - scripts/ingest-reports-to-siem-devo artifacts: paths: - gl-dependency-scanning-report.json access: 'developer' reports: dependency_scanning: gl-dependency-scanning-report.json expire_in: 1 week package_hunter-yarn: extends: - .package_hunter-base - .reports:rules:package_hunter-yarn variables: PACKAGE_MANAGER: yarn package_hunter-bundler: extends: - .package_hunter-base - .reports:rules:package_hunter-bundler variables: PACKAGE_MANAGER: bundler xray_scan: extends: - .default-retry - .reports:rules:x-ray stage: lint needs: [] image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/code-creation/repository-x-ray:rc variables: OUTPUT_DIR: reports allow_failure: true script: - x-ray-scan -p "$CI_PROJECT_DIR" -o "$OUTPUT_DIR" artifacts: # this line uses xray_scan job output as source for GitLab Rails code gen feature reports: repository_xray: "$OUTPUT_DIR/*/*.json" # this line saves xray_scan job output in raw form for inspection for testing purposes paths: - "$OUTPUT_DIR/*/*.json" pajamas_adoption: extends: - .default-retry - .reports:rules:pajamas_adoption allow_failure: # The scanner exits with status: # - 0 when no errors occur, and no blocking findings are found; # - 1 when unexpected errors occur; # - 2 when blocking findings are found. # We only want to block the merge request in this last case. exit_codes: 1 image: ${REGISTRY_HOST}/${REGISTRY_GROUP}/frontend/pajamas-adoption-scanner:latest stage: lint needs: [] variables: FF_USE_NEW_BASH_EVAL_STRATEGY: 'true' script: - scan_gitlab_code_quality {,ee/}app/ artifacts: name: pajamas-adoption when: always paths: - gl-code-quality-report.json - pas-findings.json reports: codequality: gl-code-quality-report.json