2cb0e984
Commit
2cb0e984
authored
Mar 08, 2019
by
Victor Zagorodny
Committed by
Stan Hu
Mar 08, 2019
Use vendored templates for Sec Products
Update Dependency Scanning and add other templates
parent
f53b7edb
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
178 additions
and
3 deletions
+178
-3
lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
...ab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
+48
-0
lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+60
-0
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
...b/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
+0
-3
lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml
...ab/ci/templates/Security/License-Management.gitlab-ci.yml
+27
-0
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+43
-0
lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
0 → 100644
# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/container_scanning.html
container_scanning
:
stage
:
test
image
:
docker:stable
variables
:
DOCKER_DRIVER
:
overlay2
# Defining two new variables based on GitLab's CI/CD predefined variables
# https://docs.gitlab.com/ee/ci/variables/#predefined-environment-variables
CI_APPLICATION_REPOSITORY
:
$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
CI_APPLICATION_TAG
:
$CI_COMMIT_SHA
# Prior to this, you need to have the Container Registry running for your project and setup a build job
# with at least the following steps:
#
# docker build -t $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG .
# docker push $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
#
# Container Scanning deals with Docker images only so no need to import the project's Git repository:
GIT_STRATEGY
:
none
allow_failure
:
true
services
:
-
docker:stable-dind
script
:
-
docker run -d --name db arminc/clair-db:latest
-
docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
-
apk add -U wget ca-certificates
-
docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-
wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
-
mv clair-scanner_linux_amd64 clair-scanner
-
chmod +x clair-scanner
-
touch clair-whitelist.yml
-
while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
-
retries=0
-
echo "Waiting for clair daemon to start"
-
while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-
./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} ||
true
artifacts
:
reports
:
container_scanning
:
gl-container-scanning-report.json
dependencies
:
[]
only
:
refs
:
-
branches
variables
:
-
$GITLAB_FEATURES =~ /\bcontainer_scanning\b/
except
:
variables
:
-
$CONTAINER_SCANNING_DISABLED
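Review bot: The `clair-scanner` binary fetched by `wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64` is executed immediately after `chmod +x` with no integrity check, so a swapped or tampered release asset runs in every pipeline with the project's registry credentials in scope. Pin the published checksum and verify it before the `chmod`, e.g. `echo "$CLAIR_SCANNER_SHA256  clair-scanner" | sha256sum -c -` with the digest recorded alongside the version in the template (the job already installs `ca-certificates`, so TLS is at least validated, but that does not cover a compromised upstream). The first readiness loop, `while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done`, has no bound, so if Clair never answers the job hangs until the runner timeout and the bounded `retries` loop that follows never gets a chance to abort; dropping the unbounded loop, or giving it the same `retries` guard, fixes that. `arminc/clair-db:latest` is also a mutable tag, so the vulnerability database differs between runs; a pinned tag or digest makes results reproducible.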
lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
0 → 100644
# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/dast.html
# Configure the scanning tool through the environment variables.
# List of the variables: https://gitlab.com/gitlab-org/security-products/dast#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
variables
:
DAST_WEBSITE
:
http://example.com
# Please edit to be your website to scan for vulnerabilities
stages
:
-
build
-
test
-
deploy
-
dast
dast
:
stage
:
dast
image
:
docker:stable
variables
:
DOCKER_DRIVER
:
overlay2
allow_failure
:
true
services
:
-
docker:stable-dind
before_script
:
-
export DAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
-
|
function dast_run() {
docker run \
--env DAST_TARGET_AVAILABILITY_TIMEOUT \
--volume "$PWD:/output" \
--volume /var/run/docker.sock:/var/run/docker.sock \
-w /output \
"registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION" \
/analyze -t $DAST_WEBSITE \
"$@"
}
script
:
-
|
if [ -n "$DAST_AUTH_URL" ]
then
dast_run \
--auth-url $DAST_AUTH_URL \
--auth-username $DAST_USERNAME \
--auth-password $DAST_PASSWORD \
--auth-username-field $DAST_USERNAME_FIELD \
--auth-password-field $DAST_PASSWORD_FIELD
else
dast_run
fi
artifacts
:
reports
:
dast
:
gl-dast-report.json
only
:
refs
:
-
branches
variables
:
-
$GITLAB_FEATURES =~ /\bdast\b/
except
:
variables
:
-
$DAST_DISABLED
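Review bot: `$DAST_USERNAME` and `$DAST_PASSWORD` are passed unquoted as `--auth-username`/`--auth-password` arguments in the `dast_run` call, so a password containing whitespace or glob characters is word-split by the shell, and the secret is visible on the analyzer's command line to anything that can read the container's process table. Quote the expansions (`--auth-password "$DAST_PASSWORD"`) and, where the analyzer supports it, hand the credential in through `--env` rather than argv; `$DAST_WEBSITE` on the `-t` line deserves the same quoting. The job also mounts `/var/run/docker.sock` into the scanner container, which on runners configured with socket binding hands the scanner the host Docker daemon; since this is the pattern the other templates in this commit follow too, it is worth a line in the header comment so projects on shared runners understand the trust they extend. Finally, the shipped default `DAST_WEBSITE: http://example.com` means a project that includes the template without editing it will actively scan a third party's host; marking the value as a placeholder that must be replaced, or skipping the job while it is unchanged, avoids that.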
lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
...
...
@@ -4,9 +4,6 @@
# List of the variables: https://gitlab.com/gitlab-org/security-products/dependency-scanning#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
stages
:
-
test
dependency_scanning
:
stage
:
test
image
:
docker:stable
...
...
lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml
0 → 100644
# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/license_management.html
variables
:
LICENSE_MANAGEMENT_SETUP_CMD
:
'
'
# If needed, specify a command to setup your environment with a custom package manager.
license_management
:
stage
:
test
image
:
name
:
"
registry.gitlab.com/gitlab-org/security-products/license-management:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
entrypoint
:
[
"
"
]
variables
:
SETUP_CMD
:
$LICENSE_MANAGEMENT_SETUP_CMD
allow_failure
:
true
script
:
-
/run.sh analyze .
artifacts
:
reports
:
license_management
:
gl-license-management-report.json
dependencies
:
[]
only
:
refs
:
-
branches
variables
:
-
$GITLAB_FEATURES =~ /\blicense_management\b/
except
:
variables
:
-
$LICENSE_MANAGEMENT_DISABLED
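Review bot: The analyzer image tag `$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable` is a moving tag and, unlike the SAST and DAST jobs in this same commit which honour `SP_VERSION`, there is no way for a project to pin it, so the license scan cannot be frozen for reproducible or audited runs. Moving the tag into a top-level variable, `LICENSE_MANAGEMENT_VERSION: "$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"`, and referencing it as `name: "registry.gitlab.com/gitlab-org/security-products/license-management:$LICENSE_MANAGEMENT_VERSION"` would give projects the same override hook, assuming nested variable expansion in `image:name` works on the runner versions being targeted. The header comment should also state that `LICENSE_MANAGEMENT_SETUP_CMD` is executed as a shell command inside the analyzer via `SETUP_CMD`, since anyone able to set that project variable controls what runs in the job.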
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
0 → 100644
# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
#
# Configure the scanning tool through the environment variables.
# List of the variables: https://gitlab.com/gitlab-org/security-products/sast#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables
sast
:
stage
:
test
image
:
docker:stable
variables
:
DOCKER_DRIVER
:
overlay2
allow_failure
:
true
services
:
-
docker:stable-dind
script
:
-
export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
-
|
docker run \
--env SAST_ANALYZER_IMAGES \
--env SAST_ANALYZER_IMAGE_PREFIX \
--env SAST_ANALYZER_IMAGE_TAG \
--env SAST_DEFAULT_ANALYZERS \
--env SAST_BRAKEMAN_LEVEL \
--env SAST_GOSEC_LEVEL \
--env SAST_FLAWFINDER_LEVEL \
--env SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
--env SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
--env SAST_RUN_ANALYZER_TIMEOUT \
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
artifacts
:
reports
:
sast
:
gl-sast-report.json
dependencies
:
[]
only
:
refs
:
-
branches
variables
:
-
$GITLAB_FEATURES =~ /\bsast\b/
except
:
variables
:
-
$SAST_DISABLED
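Review bot: With `allow_failure: true` and nothing after the `docker run` that checks for `gl-sast-report.json`, an orchestrator that exits zero without writing a report leaves the pipeline green with no SAST results attached, which is easy to mistake for a clean scan. Adding `- test -f gl-sast-report.json` as the final script line keeps the job visibly failed (still non-blocking) whenever no report was produced. Also, the orchestrator runs with `/var/run/docker.sock` mounted and pulls whatever `SAST_ANALYZER_IMAGES` and `SAST_ANALYZER_IMAGE_PREFIX` name, so the header comment should call out that those variables decide which images get Docker-socket access; on runners using socket binding that is the host daemon.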