Merge branch 'da/add-package-hunter-job-bundler' into 'master'

Add package hunter ci job for gems See merge request gitlab-org/gitlab!62086

Merge branch 'da/add-package-hunter-job-bundler' into 'master'
Add package hunter ci job for gems See merge request gitlab-org/gitlab!62086
019c5f55 · Rémy Coutable · 8ba3b727 · 33e4e5d3 · 019c5f55 · 019c5f55
Commit 019c5f55 authored Jul 06, 2021 by Rémy Coutable
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 5 deletions

.gitlab/ci/reports.gitlab-ci.yml .gitlab/ci/reports.gitlab-ci.yml +20 -4

.gitlab/ci/rules.gitlab-ci.yml .gitlab/ci/rules.gitlab-ci.yml +9 -1

No files found.
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -87,20 +87,22 @@ gemnasium-python-dependency_scanning:

 # Analyze dependencies for malicious behavior
 # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
-package_hunter:
+.package_hunter-base:
  extends:
    - .default-retry
-    - .reports:rules:package_hunter
  stage: test
  image:
    name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:latest
    entrypoint: [""]
+  variables:
+    DEBUG: '*'
+    HTR_user: '$PACKAGE_HUNTER_USER'
+    HTR_pass: '$PACKAGE_HUNTER_PASS'
  needs: []
  allow_failure: true
-  script:
+  before_script:
    - rm -r spec locale .git app/assets/images doc/
    - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
-    - DEBUG=* HTR_user=$PACKAGE_HUNTER_USER HTR_pass=$PACKAGE_HUNTER_PASS node /usr/src/app/cli.js analyze --format gitlab gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
  artifacts:
    paths:
      - gl-dependency-scanning-report.json
@@ -108,6 +110,20 @@ package_hunter:
      dependency_scanning: gl-dependency-scanning-report.json
    expire_in: 1 week

+package_hunter-yarn:
+  extends:
+    - .package_hunter-base
+    - .reports:rules:package_hunter-yarn
+  script:
+    - node /usr/src/app/cli.js analyze --format gitlab --manager yarn gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
+
+package_hunter-bundler:
+  extends:
+    - .package_hunter-base
+    - .reports:rules:package_hunter-bundler
+  script:
+    - node /usr/src/app/cli.js analyze --format gitlab --manager bundler gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
+
 license_scanning:
  extends: .default-retry
  needs: []

--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -1099,7 +1099,7 @@
    - <<: *if-default-branch-schedule-nightly
      allow_failure: true

-.reports:rules:package_hunter:
+.reports:rules:package_hunter-yarn:
  rules:
    - if: "$PACKAGE_HUNTER_USER == null || $PACKAGE_HUNTER_USER == ''"
      when: never
@@ -1107,6 +1107,14 @@
    - <<: *if-merge-request
      changes: ["yarn.lock"]

+.reports:rules:package_hunter-bundler:
+  rules:
+    - if: "$PACKAGE_HUNTER_USER == null || $PACKAGE_HUNTER_USER == ''"
+      when: never
+    - <<: *if-default-branch-schedule-2-hourly
+    - <<: *if-merge-request
+      changes: ["Gemfile.lock"]
+
 .reports:rules:license_scanning:
  rules:
    - if: '$LICENSE_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'