From 7bec3e5bfa83cbe8122a67f83f48ffa4439c2e1a Mon Sep 17 00:00:00 2001
From: Vijay A
Date: Mon, 10 Jan 2022 09:05:29 +0530
Subject: Configure SAST in `.gitlab-ci.yml`

---
 .gitlab-ci.yml | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1e94ade..4686f33 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,19 +1,24 @@
+# You can override the included template(s) by including variable overrides
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
 image: node:16.13.1
-
 cache:
   paths:
-    - .yarn/cache/
-
+    - ".yarn/cache"
 stages:
   - code-quality
   - test
   - build
+  - scan
 
 default:
   before_script:
     - yarn install --immutable
 
-lint:
+Run linter:
   stage: code-quality
   script:
     - yarn types
@@ -22,19 +27,19 @@ lint:
     reports:
       codequality: gl-codequality.json
 
-typecheck:
+Run static analyzer:
   stage: code-quality
   script:
     - yarn types
     - yarn typecheck:ci
 
-test:
+Run tests:
   stage: test
   script:
     - yarn test
 
 # TODO: GitlabCI free runners are only for linux - need to investigate for macos and windows artifacts
-build:
+Build:
   stage: build
   script:
     - yarn compile
@@ -45,3 +50,14 @@ build:
     exclude:
       - dist/builder-debug.yml
       - dist/builder-effective-config.yaml
+
+sast:
+  variables:
+    SAST_EXCLUDED_PATHS: spec, test, tests, tmp, .yarn, node_modules
+    SECURE_LOG_LEVEL: error
+  stage: scan
+
+include:
+  - template: Security/SAST.gitlab-ci.yml
+variables:
+  SAST_EXCLUDED_ANALYZERS: "semgrep" # Disabling semgrep since the scan times out in GitlabCI agents
-- 
cgit v1.2.3
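Review bot: Excluding `semgrep` in the new top-level `variables:` block removes an analyzer that the SAST template selects for JavaScript/TypeScript projects, so for this Node repository the `sast` job may run with reduced or no applicable coverage; confirm which analyzer the template still assigns to this code after the exclusion, since that selection happens in the included template rather than in this file. With `SECURE_LOG_LEVEL: error` the job log will also suppress the analyzer-selection messages that would reveal such a gap, so consider leaving the level at the template default until coverage is confirmed. For consistency with `SAST_EXCLUDED_PATHS`, the exclusion belongs under the job's own settings — `sast:` / `  variables:` / `    SAST_EXCLUDED_ANALYZERS: "semgrep"` — rather than a new global `variables:` mapping, which would also silently shadow any other top-level `variables:` key if one exists elsewhere in the file (not visible in this hunk). Quoting the comma list as `SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, .yarn, node_modules"` avoids relying on plain-scalar parsing of a value containing commas.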