another attempt to fix conditional SAST

2025-09-26 23:44:50 -04:00 · 2025-09-26 23:44:50 -04:00 · e2bc9974a9
commit e2bc9974a9
parent 3c06f86a9d
6 changed files with 85 additions and 42 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -22,16 +22,15 @@ stages:

 # https://docs.gitlab.com/user/application_security/sast/
 include:
-  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
+  - local: '.gitlab/ci_templates/dependency_scanning.yml'
    rules: *common-rules
-  - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
+  - local: '.gitlab/ci_templates/container_scanning.yml'
    rules: *deploy-rules
-  - template: Jobs/SAST.latest.gitlab-ci.yml
+  - local: '.gitlab/ci_templates/sast.yml'
    rules: *common-rules
-  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
+  - local: '.gitlab/ci_templates/secret_detection.yml'
    rules: *common-rules
-  # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
-  - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4
+  - local: '.gitlab/ci_templates/lib_behave.yml'
    rules: *common-rules

 variables:
@ -216,39 +215,3 @@ merge_image_manifests:
        --tags ${REGISTRY_PUSH_VERSION} \
        --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \
        --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
-
-.sast_common: &sast_common
-  stage: test
-  # SAST tools only support x64
-  tags:
-    - amd64
-  # Don't wait for the build stage to complete, since we don't use it.
-  # https://docs.gitlab.com/ci/yaml/#needs
-  needs: []
-
-# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
-# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
-container_scanning:
-  <<: *sast_common
-  stage: deploy
-  variables:
-    AST_ENABLE_MR_PIPELINES: 'false'
-    CS_IMAGE: "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}"
-  needs:
-    - job: merge_image_manifests
-      artifacts: true
-
-dependency_scanning:
-  <<: *sast_common
-
-sast:
-  <<: *sast_common
-
-gitlab-advanced-sast:
-  <<: *sast_common
-
-secret_detection:
-  <<: *sast_common
-
-libbehave-experiment:
-  <<: *sast_common
--- a/.gitlab/ci_templates/container_scanning.yml
+++ b/.gitlab/ci_templates/container_scanning.yml
@ -0,0 +1,20 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+  - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
+
+# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
+# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
+container_scanning:
+  stage: deploy
+
+  # SAST tools only support x64
+  tags:
+    - amd64
+
+  variables:
+    AST_ENABLE_MR_PIPELINES: 'false'
+    CS_IMAGE: "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}"
+
+  needs:
+    - job: merge_image_manifests
+      artifacts: true
--- a/.gitlab/ci_templates/dependency-scanning.yml
+++ b/.gitlab/ci_templates/dependency-scanning.yml
@ -0,0 +1,14 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
+
+dependency_scanning:
+  stage: test
+
+  # SAST tools only support x64
+  tags:
+    - amd64
+
+  # Don't wait, since this has no dependencies.
+  # https://docs.gitlab.com/ci/yaml/#needs
+  needs: []
--- a/.gitlab/ci_templates/lib_behave.yml
+++ b/.gitlab/ci_templates/lib_behave.yml
@ -0,0 +1,15 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+  # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
+  - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4
+
+libbehave-experiment:
+  stage: test
+
+  # SAST tools only support x64
+  tags:
+    - amd64
+
+  # Don't wait, since this has no dependencies.
+  # https://docs.gitlab.com/ci/yaml/#needs
+  needs: []
--- a/.gitlab/ci_templates/sast.yml
+++ b/.gitlab/ci_templates/sast.yml
@ -0,0 +1,17 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+  - template: Jobs/SAST.latest.gitlab-ci.yml
+
+sast: &sast
+  stage: test
+
+  # SAST tools only support x64
+  tags:
+    - amd64
+
+  # Don't wait, since this has no dependencies.
+  # https://docs.gitlab.com/ci/yaml/#needs
+  needs: [ ]
+
+gitlab-advanced-sast:
+  <<: *sast
--- a/.gitlab/ci_templates/secret_detection.yml
+++ b/.gitlab/ci_templates/secret_detection.yml
@ -0,0 +1,14 @@
+# https://docs.gitlab.com/user/application_security/sast/
+include:
+  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
+
+secret_detection:
+  stage: test
+
+  # SAST tools only support x64
+  tags:
+    - amd64
+
+  # Don't wait, since this has no dependencies.
+  # https://docs.gitlab.com/ci/yaml/#needs
+  needs: [ ]