Auto DevOps support for Group Security Dashboard

294d15be · Fabio Busatto · Kamil Trzciński · 07d10976 · 294d15be · 294d15be
Commit 294d15be authored Nov 19, 2018 by Fabio Busatto Committed by Kamil Trzciński Nov 19, 2018
3 changed files
--- a/changelogs/unreleased/auto-devops-support-for-group-security-dashboard.yml
+++ b/changelogs/unreleased/auto-devops-support-for-group-security-dashboard.yml
+---
+title: Auto DevOps support for Group Security Dashboard
+merge_request: 23165
+author:
+type: fixed
--- a/doc/topics/autodevops/index.md
+++ b/doc/topics/autodevops/index.md
@@ -657,6 +657,8 @@ also be customized, and you can easily use a [custom buildpack](#custom-buildpac
 | `REVIEW_DISABLED`            | From GitLab 11.0, this variable can be used to disable the `review` and the manual `review:stop` job. If the variable is present, these jobs will not be created. |
 | `DAST_DISABLED`              | From GitLab 11.0, this variable can be used to disable the `dast` job. If the variable is present, the job will not be created. |
 | `PERFORMANCE_DISABLED`       | From GitLab 11.0, this variable can be used to disable the `performance` job. If the variable is present, the job will not be created. |
+| `OLD_REPORTS_DISABLED`       | From GitLab 11.5, this variable can be used to disable the `sast` job. If the variable is present, the job will not be created. |
+| `NEW_REPORTS_DISABLED`       | From GitLab 11.5, this variable can be used to disable the `sast_dashboard` job. If the variable is present, the job will not be created. |

 TIP: **Tip:**
 Set up the replica variables using a

--- a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
@@ -19,6 +19,15 @@
 # * review: REVIEW_DISABLED
 # * stop_review: REVIEW_DISABLED
 #
+# The sast and sast_dashboard jobs are executed to guarantee full compatibility
+# with the group security dashboard and the security reports with old runners.
+# If you use only runners with version 11.5 or above, you can disable the sast
+# job by setting the OLD_REPORTS_DISABLED environment variable. If you use only
+# runners with version below 11.5, you can disable the sast_dashboard job by
+# setting the NEW_REPORTS_DISABLED environment variable.
+# The sast_dashboard job will be removed in the future, when the sast job will
+# use the new reports syntax.
+#
 # In order to deploy, you must have a Kubernetes cluster configured either
 # via a project integration, or via group/project variables.
 # AUTO_DEVOPS_DOMAIN must also be set as a variable at the group or project
@@ -173,6 +182,29 @@ sast:
  except:
    variables:
      - $SAST_DISABLED
+      - $OLD_REPORTS_DISABLED
+
+sast_dashboard:
+  stage: test
+  image: docker:stable
+  allow_failure: true
+  services:
+    - docker:stable-dind
+  script:
+    - setup_docker
+    - sast
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+  only:
+    refs:
+      - branches
+    variables:
+      - $GITLAB_FEATURES =~ /\bsast\b/
+  except:
+    variables:
+      - $SAST_DISABLED
+      - $NEW_REPORTS_DISABLED

 dependency_scanning:
  stage: test