Configure SAST in `.gitlab-ci.yml`set-sast-config-1

1 files changed, 23 insertions, 7 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1e94ade..4686f33 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,19 +1,24 @@
+# You can override the included template(s) by including variable overrides
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
 image: node:16.13.1
-
 cache:
   paths:
-    - .yarn/cache/
-
+    - ".yarn/cache"
 stages:
   - code-quality
   - test
   - build
+  - scan
 
 default:
   before_script:
     - yarn install --immutable
 
-lint:
+Run linter:
   stage: code-quality
   script:
     - yarn types
@@ -22,19 +27,19 @@ lint:
     reports:
       codequality: gl-codequality.json
 
-typecheck:
+Run static analyzer:
   stage: code-quality
   script:
     - yarn types
     - yarn typecheck:ci
 
-test:
+Run tests:
   stage: test
   script:
     - yarn test
 
 # TODO: GitlabCI free runners are only for linux - need to investigate for macos and windows artifacts
-build:
+Build:
   stage: build
   script:
     - yarn compile
@@ -45,3 +50,14 @@ build:
     exclude:
       - dist/builder-debug.yml
       - dist/builder-effective-config.yaml
+
+sast:
+  variables:
+    SAST_EXCLUDED_PATHS: spec, test, tests, tmp, .yarn, node_modules
+    SECURE_LOG_LEVEL: error
+  stage: scan
+
+include:
+  - template: Security/SAST.gitlab-ci.yml
+variables:
+  SAST_EXCLUDED_ANALYZERS: "semgrep"  # Disabling semgrep since the scan times out in GitlabCI agents