Skip to content

G
gitlab-ce
Commit 2074baed authored by Rémy Coutable's avatar Rémy Coutable
Browse files
Options

ci: Move 'allow_failure' from rules to jobs 

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent bf05abda
Hide whitespace changes
Inline Side-by-side
Showing with 12 additions and 24 deletions
.gitlab/ci/dast.gitlab-ci.yml
View file @ 2074baed
...@@ -45,6 +45,7 @@ ...@@ -45,6 +45,7 @@
reports: reports:
dast: gl-dast-report.json dast: gl-dast-report.json
expire_in: 1 week # GitLab-specific expire_in: 1 week # GitLab-specific
allow_failure: true
# DAST scan with a subset of Release scan rules. # DAST scan with a subset of Release scan rules.
DAST-fullscan-ruleset1: DAST-fullscan-ruleset1:
......
.gitlab/ci/reports.gitlab-ci.yml
View file @ 2074baed
...@@ -13,6 +13,7 @@ code_quality: ...@@ -13,6 +13,7 @@ code_quality:
paths: paths:
- gl-code-quality-report.json # GitLab-specific - gl-code-quality-report.json # GitLab-specific
rules: !reference [".reports:rules:code_quality", rules] rules: !reference [".reports:rules:code_quality", rules]
allow_failure: true
.sast-analyzer: .sast-analyzer:
# We need to re-`extends` from `sast` as the `extends` here overrides the one from the template. # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
...@@ -31,12 +32,15 @@ code_quality: ...@@ -31,12 +32,15 @@ code_quality:
brakeman-sast: brakeman-sast:
rules: !reference [".reports:rules:brakeman-sast", rules] rules: !reference [".reports:rules:brakeman-sast", rules]
allow_failure: true
nodejs-scan-sast: nodejs-scan-sast:
rules: !reference [".reports:rules:nodejs-scan-sast", rules] rules: !reference [".reports:rules:nodejs-scan-sast", rules]
allow_failure: true
semgrep-sast: semgrep-sast:
rules: !reference [".reports:rules:semgrep-sast", rules] rules: !reference [".reports:rules:semgrep-sast", rules]
allow_failure: true
gosec-sast: gosec-sast:
variables: variables:
...@@ -53,6 +57,7 @@ gosec-sast: ...@@ -53,6 +57,7 @@ gosec-sast:
paths: paths:
- vendor/go - vendor/go
rules: !reference [".reports:rules:gosec-sast", rules] rules: !reference [".reports:rules:gosec-sast", rules]
allow_failure: true
.secret-analyzer: .secret-analyzer:
extends: .default-retry extends: .default-retry
...@@ -64,6 +69,7 @@ gosec-sast: ...@@ -64,6 +69,7 @@ gosec-sast:
secret_detection: secret_detection:
rules: !reference [".reports:rules:secret_detection", rules] rules: !reference [".reports:rules:secret_detection", rules]
allow_failure: true
.ds-analyzer: .ds-analyzer:
# We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template. # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
...@@ -88,15 +94,19 @@ gemnasium-dependency_scanning: ...@@ -88,15 +94,19 @@ gemnasium-dependency_scanning:
# Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390 # Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
- jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json - jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules] rules: !reference [".reports:rules:gemnasium-dependency_scanning", rules]
allow_failure: true
bundler-audit-dependency_scanning: bundler-audit-dependency_scanning:
rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules] rules: !reference [".reports:rules:bundler-audit-dependency_scanning", rules]
allow_failure: true
retire-js-dependency_scanning: retire-js-dependency_scanning:
rules: !reference [".reports:rules:retire-js-dependency_scanning", rules] rules: !reference [".reports:rules:retire-js-dependency_scanning", rules]
allow_failure: true
gemnasium-python-dependency_scanning: gemnasium-python-dependency_scanning:
rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules] rules: !reference [".reports:rules:gemnasium-python-dependency_scanning", rules]
allow_failure: true
# Analyze dependencies for malicious behavior # Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter # See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
...@@ -144,3 +154,4 @@ license_scanning: ...@@ -144,3 +154,4 @@ license_scanning:
artifacts: artifacts:
expire_in: 1 week # GitLab-specific expire_in: 1 week # GitLab-specific
rules: !reference [".reports:rules:license_scanning", rules] rules: !reference [".reports:rules:license_scanning", rules]
allow_failure: true
.gitlab/ci/rules.gitlab-ci.yml
View file @ 2074baed
...@@ -1192,7 +1192,6 @@ ...@@ -1192,7 +1192,6 @@
when: never when: never
- <<: *if-default-refs - <<: *if-default-refs
changes: *code-backstage-patterns changes: *code-backstage-patterns
allow_failure: true
.reports:rules:brakeman-sast: .reports:rules:brakeman-sast:
rules: rules:
...@@ -1203,7 +1202,6 @@ ...@@ -1203,7 +1202,6 @@
- changes: - changes:
- '**/*.rb' - '**/*.rb'
- '**/Gemfile' - '**/Gemfile'
allow_failure: true
.reports:rules:nodejs-scan-sast: .reports:rules:nodejs-scan-sast:
rules: rules:
...@@ -1213,7 +1211,6 @@ ...@@ -1213,7 +1211,6 @@
when: never when: never
- changes: - changes:
- '**/package.json' - '**/package.json'
allow_failure: true
.reports:rules:gosec-sast: .reports:rules:gosec-sast:
rules: rules:
...@@ -1223,7 +1220,6 @@ ...@@ -1223,7 +1220,6 @@
when: never when: never
- changes: - changes:
- '**/*.go' - '**/*.go'
allow_failure: true
.reports:rules:semgrep-sast: .reports:rules:semgrep-sast:
rules: rules:
...@@ -1239,61 +1235,42 @@ ...@@ -1239,61 +1235,42 @@
- '**/*.tsx' - '**/*.tsx'
- '**/*.c' - '**/*.c'
- '**/*.go' - '**/*.go'
allow_failure: true
.reports:rules:secret_detection: .reports:rules:secret_detection:
rules: rules:
- if: '$SECRET_DETECTION_DISABLED' - if: '$SECRET_DETECTION_DISABLED'
when: never when: never
- changes: *code-backstage-qa-patterns - changes: *code-backstage-qa-patterns
allow_failure: true
.reports:rules:gemnasium-dependency_scanning: .reports:rules:gemnasium-dependency_scanning:
rules: rules:
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium([^-]|$)/' - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium([^-]|$)/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium([^-]|$)/'
when: never when: never
- changes: *dependency-patterns - changes: *dependency-patterns
allow_failure: true
.reports:rules:bundler-audit-dependency_scanning: .reports:rules:bundler-audit-dependency_scanning:
rules: rules:
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/ || $DS_DEFAULT_ANALYZERS !~ /bundler-audit/' - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /bundler-audit/ || $DS_DEFAULT_ANALYZERS !~ /bundler-audit/'
when: never when: never
- changes: *bundler-patterns - changes: *bundler-patterns
allow_failure: true
.reports:rules:retire-js-dependency_scanning: .reports:rules:retire-js-dependency_scanning:
rules: rules:
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/ || $DS_DEFAULT_ANALYZERS !~ /retire.js/' - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /retire.js/ || $DS_DEFAULT_ANALYZERS !~ /retire.js/'
when: never when: never
- changes: *nodejs-patterns - changes: *nodejs-patterns
allow_failure: true
.reports:rules:gemnasium-python-dependency_scanning: .reports:rules:gemnasium-python-dependency_scanning:
rules: rules:
- if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium-python/' - if: '$DEPENDENCY_SCANNING_DISABLED || $GITLAB_FEATURES !~ /\bdependency_scanning\b/ || $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/ || $DS_DEFAULT_ANALYZERS !~ /gemnasium-python/'
when: never when: never
- changes: *python-patterns - changes: *python-patterns
allow_failure: true
.reports:rules:dast:
rules:
- if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
when: never
- <<: *if-dot-com-gitlab-org-merge-request
changes: *frontend-patterns
allow_failure: true
- <<: *if-dot-com-gitlab-org-merge-request
changes: *code-qa-patterns
when: manual
allow_failure: true
.reports:rules:schedule-dast: .reports:rules:schedule-dast:
rules: rules:
- if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/' - if: '$DAST_DISABLED || $GITLAB_FEATURES !~ /\bdast\b/'
when: never when: never
- <<: *if-dot-com-ee-nightly-schedule - <<: *if-dot-com-ee-nightly-schedule
allow_failure: true
.reports:rules:package_hunter-yarn: .reports:rules:package_hunter-yarn:
rules: rules:
...@@ -1316,7 +1293,6 @@ ...@@ -1316,7 +1293,6 @@
- if: '$LICENSE_MANAGEMENT_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/' - if: '$LICENSE_MANAGEMENT_DISABLED || $GITLAB_FEATURES !~ /\blicense_scanning\b/'
when: never when: never
- changes: *code-backstage-qa-patterns - changes: *code-backstage-qa-patterns
allow_failure: true
################ ################
# Review rules # # Review rules #
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7