From c83161731b99a754f73dabe44e2c4fa08b3ade07 Mon Sep 17 00:00:00 2001
From: Aaron Riedel
Date: Mon, 7 Mar 2022 10:37:09 +0000
Subject: [PATCH] Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist
---
 .gitlab-ci.yml | 95 ++++++++++++++++++++++++++++----------------------
 1 file changed, 54 insertions(+), 41 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 19eb4b3..54b1dac 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,61 +1,74 @@ -stages: # List of stages for jobs, and their order of execution - - build - - test - - deploy - +# You can override the included template(s) by including variable overrides +# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings +# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings +# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings +# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings +# Note that environment variables can be set in several places +# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence +stages: +- build +- test +- deploy +- review +- dast +- staging +- canary +- production +- incremental rollout 10% +- incremental rollout 25% +- incremental rollout 50% +- incremental rollout 100% +- performance +- cleanup image: debian - docker-build-push: - # Use the official docker image. image: docker:latest stage: build services: - - docker:dind + - docker:dind before_script: - - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY - # Default branch leaves tag empty (= latest tag) - # All other branches are tagged with the escaped branch name (commit ref slug) + - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY script: - - | - if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then - tag="" - echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'" - else - tag=":$CI_COMMIT_REF_SLUG" - echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag" - fi - - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" . 
- - docker push "$CI_REGISTRY_IMAGE${tag}" + - | + if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then + tag="" + echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'" + else + tag=":$CI_COMMIT_REF_SLUG" + echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag" + fi + - docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" . + - docker push "$CI_REGISTRY_IMAGE${tag}" only: - - master - - dev - + - master + - dev docker-build: image: docker:latest stage: build services: - - docker:dind + - docker:dind before_script: - - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY + - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY script: - - docker build --pull -t "$CI_REGISTRY_IMAGE" . + - docker build --pull -t "$CI_REGISTRY_IMAGE" . except: - - master - - dev - + - master + - dev before_script: - - apt-get update -qq - # Setup SSH deploy keys - - 'which ssh-agent || ( apt-get install -qq openssh-client )' - - eval $(ssh-agent -s) - - ssh-add <(echo "$SSH_PRIVATE_KEY") - - mkdir -p ~/.ssh - - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config' - +- apt-get update -qq +- which ssh-agent || ( apt-get install -qq openssh-client ) +- eval $(ssh-agent -s) +- ssh-add <(echo "$SSH_PRIVATE_KEY") +- mkdir -p ~/.ssh +- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config' deploy_staging: stage: deploy script: - - ssh $SSH_SERVER "cd /root && docker-compose pull shbot && docker-compose up -d shbot && exit" + - ssh $SSH_SERVER "cd /root && docker-compose pull shbot && docker-compose up -d + shbot && exit" only: - - master - \ No newline at end of file + - master +sast: + stage: test +include: +- template: Auto-DevOps.gitlab-ci.yml
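Review bot: The `include:` at the end of the hunk pulls in the full `Auto-DevOps.gitlab-ci.yml` template rather than the SAST-only one the commit title describes, which is why the stage list now grows to review/dast/staging/canary/production/incremental-rollout; `include:` / `- template: Security/SAST.gitlab-ci.yml` enables SAST alone, and the `sast: stage: test` override still applies to it. With any include in place the file-level `before_script` is inherited by every included job that does not define its own, so `ssh-add <(echo "$SSH_PRIVATE_KEY")` would presumably load the deploy key into the analyzer containers as well — moving that block under `deploy_staging`, the only job that uses ssh, keeps the key confined to where it is needed. The `'[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'` line disables host-key verification for that deploy connection; writing the server's known key into `~/.ssh/known_hosts` from a CI variable would give the same unattended behaviour without accepting any host. Separately, both build jobs pass the registry token on the command line via `-p "$CI_REGISTRY_PASSWORD"`; `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` keeps it out of the process list and job log.
```yaml
# … unchanged: stages, image, docker-build-push, docker-build …
deploy_staging:
  stage: deploy
  before_script:
    - apt-get update -qq
    - which ssh-agent || ( apt-get install -qq openssh-client )
    - eval $(ssh-agent -s)
    - ssh-add <(echo "$SSH_PRIVATE_KEY")
    - mkdir -p ~/.ssh
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  script:
    - ssh $SSH_SERVER "cd /root && docker-compose pull shbot && docker-compose up -d shbot && exit"
  only:
    - master
sast:
  stage: test
include:
  - template: Security/SAST.gitlab-ci.yml
```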