diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4b921c55be..6dc4e33023 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,42 +1,3 @@
-# https://docs.gitlab.com/user/application_security/sast/
-include:
- - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
- - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
- - template: Jobs/SAST.latest.gitlab-ci.yml
- - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
- # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
- # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6
- # https://stackoverflow.com/a/70360201
- - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0
- rules:
- - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
-
-variables:
- # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
- GITLAB_ADVANCED_SAST_ENABLED: 'true'
-
- # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
- # https://stackoverflow.com/a/71111784
- SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
-
- # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
- DS_ENFORCE_NEW_ANALYZER: 'true'
- DS_MAX_DEPTH: 8
- # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
- DS_STATIC_REACHABILITY_ENABLED: true
-
- # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
- AST_ENABLE_MR_PIPELINES: 'true'
-# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
-# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
-container_scanning:
- variables:
- AST_ENABLE_MR_PIPELINES: 'false'
- CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
- stage: deploy
-
 stages:
 - test
 - deploy
@@ -176,3 +137,41 @@ merge_image_manifests:
 - stable
 - develop
 - tags
+
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+ - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
+ - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
+ - template: Jobs/SAST.latest.gitlab-ci.yml
+ - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
+ # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
+ # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6
+ # https://stackoverflow.com/a/70360201
+ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0
+ rules:
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+
+variables:
+ # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
+ GITLAB_ADVANCED_SAST_ENABLED: 'true'
+
+ # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
+ # https://stackoverflow.com/a/71111784
+ SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
+
+ # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
+ DS_ENFORCE_NEW_ANALYZER: 'true'
+ DS_MAX_DEPTH: 8
+ # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
+ DS_STATIC_REACHABILITY_ENABLED: true
+
+ # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
+ AST_ENABLE_MR_PIPELINES: 'true'
+
+# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
+# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
+container_scanning:
+ variables:
+ AST_ENABLE_MR_PIPELINES: 'false'
+ CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
+ stage: deploy
\ No newline at end of file
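Review bot: `DS_MAX_DEPTH: 8` and `DS_STATIC_REACHABILITY_ENABLED: true` in the added `variables:` block are the only values left as a bare integer and boolean while every neighbouring key is a quoted string (`'true'`); CI variables reach the analyzers as strings anyway, so writing `DS_MAX_DEPTH: '8'` and `DS_STATIC_REACHABILITY_ENABLED: 'true'` keeps the block consistent and independent of how the loader retypes plain scalars. Because the block now sits at the end of the file (the `merge_image_manifests` job it follows starts outside the hunk), it is worth confirming that the unseen first 136 lines define no other top-level `variables:` or `include:` key — most YAML loaders keep the last duplicate silently, and moving the block would change which definition wins. From a supply-chain standpoint the component reference `libbehave@v0.1.0` pins a mutable tag and the four `.latest` templates track GitLab's moving versions, so pinning the component to a commit SHA (and the templates to their stable variants, if acceptable) would make the scan configuration reproducible. The new file also ends without a trailing newline (`\ No newline at end of file`).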