Merge branch 'set-sast-config-1' into 'master'

Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist

See merge request aaron-riedel/shbot!10

.gitlab-ci.yml

@@ -1,61 +1,74 @@
-stages:          # List of stages for jobs, and their order of execution
+# You can override the included template(s) by including variable overrides
-  - build
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
-  - test
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
-  - deploy
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
-
+# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+stages:
+- build
+- test
+- deploy
+- review
+- dast
+- staging
+- canary
+- production
+- incremental rollout 10%
+- incremental rollout 25%
+- incremental rollout 50%
+- incremental rollout 100%
+- performance
+- cleanup
 image: debian
-
 docker-build-push:
-  # Use the official docker image.
   image: docker:latest
   stage: build
   services:
-    - docker:dind
+  - docker:dind
   before_script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
-  # Default branch leaves tag empty (= latest tag)
-  # All other branches are tagged with the escaped branch name (commit ref slug)
   script:
-    - |
+  - |
-      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
+    if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
-        tag=""
+      tag=""
-        echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
+      echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
-      else
+    else
-        tag=":$CI_COMMIT_REF_SLUG"
+      tag=":$CI_COMMIT_REF_SLUG"
-        echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
+      echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
-      fi
+    fi
-    - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
+  - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
-    - docker push "$CI_REGISTRY_IMAGE${tag}"
+  - docker push "$CI_REGISTRY_IMAGE${tag}"
   only:
-    - master
+  - master
-    - dev
+  - dev
-
 docker-build:
   image: docker:latest
   stage: build
   services:
-    - docker:dind
+  - docker:dind
   before_script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+  - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
-    - docker build --pull -t "$CI_REGISTRY_IMAGE" .
+  - docker build --pull -t "$CI_REGISTRY_IMAGE" .
   except:
-    - master
+  - master
-    - dev
+  - dev
-
 before_script:
-  - apt-get update -qq
+- apt-get update -qq
-  # Setup SSH deploy keys
+- which ssh-agent || ( apt-get install -qq openssh-client )
-  - 'which ssh-agent || ( apt-get install -qq openssh-client )'
+- eval $(ssh-agent -s)
-  - eval $(ssh-agent -s)
+- ssh-add <(echo "$SSH_PRIVATE_KEY")
-  - ssh-add <(echo "$SSH_PRIVATE_KEY")
+- mkdir -p ~/.ssh
-  - mkdir -p ~/.ssh
+- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
-  - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
-  
 deploy_staging:
   stage: deploy
   script:
-    - ssh $SSH_SERVER "cd /root && docker-compose pull shbot && docker-compose up -d shbot && exit"
+  - ssh $SSH_SERVER "cd /root && docker-compose pull shbot && docker-compose up -d
+    shbot && exit"
   only:
-    - master
+  - master
-    
+sast:
+  stage: test
+include:
+- template: Auto-DevOps.gitlab-ci.yml