misty.cafe/mistykey
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

promote SAST variables to top-level

Browse source
This commit is contained in:
Hazelnoot 2025-09-26 22:46:33 -04:00
parent 40b0d1a4ea
commit 4dfd21de8b
1 changed files with 18 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

35
.gitlab-ci.yml
View file

@ -12,6 +12,24 @@ include:
# https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
- component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4
variables:
# https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
GITLAB_ADVANCED_SAST_ENABLED: 'true'
# https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
# https://stackoverflow.com/a/71111784
SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
# https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
DS_ENFORCE_NEW_ANALYZER: 'true'
DS_MAX_DEPTH: -1
# https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
DS_STATIC_REACHABILITY_ENABLED: true
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
AST_ENABLE_MR_PIPELINES: 'true'
.common: &common .common: &common
# "only" has been removed, so we use rules. # "only" has been removed, so we use rules.
# This runs in MR pipelines *or* push to develop/stable # This runs in MR pipelines *or* push to develop/stable
@ -201,23 +219,6 @@ merge_image_manifests:
# SAST tools only support x64 # SAST tools only support x64
tags: tags:
- amd64 - amd64
variables:
# https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
GITLAB_ADVANCED_SAST_ENABLED: 'true'
# https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
# https://stackoverflow.com/a/71111784
SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
# https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
DS_ENFORCE_NEW_ANALYZER: 'true'
DS_MAX_DEPTH: -1
# https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
DS_STATIC_REACHABILITY_ENABLED: true
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
AST_ENABLE_MR_PIPELINES: 'true'
# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist