Merge branch 'e2300-sast-template' into 'master'

Migrate SAST CI template to rules syntax

See merge request gitlab-org/gitlab!31127

changelogs/unreleased/e2300-sast-template.yml

+---
+title: Migrate SAST CI template to rules syntax
+merge_request: 31127
+author:
+type: changed

ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb

@@ -8,7 +8,8 @@ describe 'SAST.gitlab-ci.yml' do
   describe 'the created pipeline' do
     let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
-    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:files) { { 'README.txt' => '' } }
+    let(:project) { create(:project, :custom_repo, files: files) }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }
@@ -48,33 +49,34 @@ describe 'SAST.gitlab-ci.yml' do
         end
       end
 
-      context 'when SAST_DISABLE_DIND=1' do
+      context 'when SAST_DISABLE_DIND=true' do
         before do
-          create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: '1')
+          create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'true')
         end
 
         describe 'language detection' do
           using RSpec::Parameterized::TableSyntax
 
-          where(:case_name, :variables, :include_build_names) do
-            'No match'             | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "" }                | %w(secrets-sast)
-            'Apex'                 | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "apex" }            | %w(pmd-apex-sast secrets-sast)
-            'C'                    | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c" }               | %w(flawfinder-sast secrets-sast)
-            'C++'                  | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c++" }             | %w(flawfinder-sast secrets-sast)
-            'C#'                   | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "c#" }              | %w(security-code-scan-sast secrets-sast)
-            'Elixir'               | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "elixir" }          | %w(sobelow-sast secrets-sast)
-            'Golang'               | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "go" }              | %w(gosec-sast secrets-sast)
-            'Groovy'               | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "groovy" }          | %w(spotbugs-sast secrets-sast)
-            'Java'                 | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java" }            | %w(spotbugs-sast secrets-sast)
-            'Javascript'           | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "javascript" }      | %w(eslint-sast nodejs-scan-sast secrets-sast)
-            'Kubernetes Manifests' | { "SCAN_KUBERNETES_MANIFESTS" => "true" }                  | %w(kubesec-sast secrets-sast)
-            'Multiple languages'   | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "java,javascript" } | %w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
-            'PHP'                  | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "php" }             | %w(phpcs-security-audit-sast secrets-sast)
-            'Python'               | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "python" }          | %w(bandit-sast secrets-sast)
-            'Ruby'                 | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "ruby" }            | %w(brakeman-sast secrets-sast)
-            'Scala'                | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "scala" }           | %w(spotbugs-sast secrets-sast)
-            'Typescript'           | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "typescript" }      | %w(tslint-sast secrets-sast)
-            'Visual Basic'         | { "CI_PROJECT_REPOSITORY_LANGUAGES" => "visual basic" }    | %w(security-code-scan-sast secrets-sast)
+          where(:case_name, :files, :variables, :include_build_names) do
+            'No match'             | { 'README.md' => '' }                | {}                                        | %w(secrets-sast)
+            'Apex'                 | { 'app.cls' => '' }                  | {}                                        | %w(pmd-apex-sast secrets-sast)
+            'C'                    | { 'app.c' => '' }                    | {}                                        | %w(flawfinder-sast secrets-sast)
+            'C++'                  | { 'app.cpp' => '' }                  | {}                                        | %w(flawfinder-sast secrets-sast)
+            'C#'                   | { 'app.csproj' => '' }               | {}                                        | %w(security-code-scan-sast secrets-sast)
+            'Elixir'               | { 'mix.ex' => '' }                   | {}                                        | %w(sobelow-sast secrets-sast)
+            'Golang'               | { 'main.go' => '' }                  | {}                                        | %w(gosec-sast secrets-sast)
+            'Groovy'               | { 'app.groovy' => '' }               | {}                                        | %w(spotbugs-sast secrets-sast)
+            'Java'                 | { 'app.java' => '' }                 | {}                                        | %w(spotbugs-sast secrets-sast)
+            'Javascript'           | { 'app.js' => '' }                   | {}                                        | %w(eslint-sast nodejs-scan-sast secrets-sast)
+            'HTML'                 | { 'index.html' => '' }               | {}                                        | %w(eslint-sast secrets-sast)
+            'Kubernetes Manifests' | { 'Chart.yaml' => '' }               | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast secrets-sast)
+            'Multiple languages'   | { 'app.java' => '', 'app.js' => '' } | {}                                        | %w(eslint-sast nodejs-scan-sast spotbugs-sast secrets-sast)
+            'PHP'                  | { 'app.php' => '' }                  | {}                                        | %w(phpcs-security-audit-sast secrets-sast)
+            'Python'               | { 'app.py' => '' }                   | {}                                        | %w(bandit-sast secrets-sast)
+            'Ruby'                 | { 'application.rb' => '' }           | {}                                        | %w(brakeman-sast secrets-sast)
+            'Scala'                | { 'app.scala' => '' }                | {}                                        | %w(spotbugs-sast secrets-sast)
+            'Typescript'           | { 'app.ts' => '' }                   | {}                                        | %w(tslint-sast secrets-sast)
+            'Visual Basic'         | { 'app.vbproj' => '' }               | {}                                        | %w(security-code-scan-sast secrets-sast)
           end
 
           with_them do

lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

@@ -23,11 +23,10 @@ sast:
   artifacts:
     reports:
       sast: gl-sast-report.json
-  only:
-    refs:
-      - branches
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
+      when: never
+    - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
   image: docker:stable
   variables:
     SEARCH_MAX_DEPTH: 4
@@ -48,18 +47,15 @@ sast:
         --volume "$PWD:/code" \
         --volume /var/run/docker.sock:/var/run/docker.sock \
         "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code
-  except:
-    variables:
-      - $SAST_DISABLED
-      - $SAST_DISABLE_DIND == 'true'
 
 .sast-analyzer:
   extends: sast
   services: []
-  except:
-    variables:
-      - $SAST_DISABLED
-      - $SAST_DISABLE_DIND == 'false'
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/
   script:
     - /analyzer run
 
@@ -67,49 +63,65 @@ bandit-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /bandit/&&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bpython\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /bandit/
+      exists:
+        - '**/*.py'
 
 brakeman-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /brakeman/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bruby\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /brakeman/
+      exists:
+        - '**/*.rb'
 
 eslint-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /eslint/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /eslint/
+      exists:
+        - '**/*.html'
+        - '**/*.js'
 
 flawfinder-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /flawfinder/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /(c(\+\+)?,)|(c(\+\+)?$)/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /flawfinder/
+      exists:
+        - '**/*.c'
+        - '**/*.cpp'
 
 kubesec-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /kubesec/ &&
           $SCAN_KUBERNETES_MANIFESTS == 'true'
 
@@ -117,87 +129,117 @@ gosec-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /gosec/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bgo\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /gosec/
+      exists:
+        - '**/*.go'
 
 nodejs-scan-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bjavascript\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
+      exists:
+        - '**/*.js'
 
 phpcs-security-audit-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bphp\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /phpcs-security-audit/
+      exists:
+        - '**/*.php'
 
 pmd-apex-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\bapex\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /pmd-apex/
+      exists:
+        - '**/*.cls'
 
 secrets-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/secrets:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
           $SAST_DEFAULT_ANALYZERS =~ /secrets/
 
 security-code-scan-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(c\#|visual basic\b)/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
+      exists:
+        - '**/*.csproj'
+        - '**/*.vbproj'
 
 sobelow-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /sobelow/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\belixir\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /sobelow/
+      exists:
+        - '**/*.ex'
+        - '**/*.exs'
 
 spotbugs-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /spotbugs/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\b(groovy|java|scala)\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /spotbugs/
+      exists:
+        - '**/*.groovy'
+        - '**/*.java'
+        - '**/*.scala'
 
 tslint-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG"
-  only:
-    variables:
-      - $GITLAB_FEATURES =~ /\bsast\b/ &&
-          $SAST_DEFAULT_ANALYZERS =~ /tslint/ &&
-          $CI_PROJECT_REPOSITORY_LANGUAGES =~ /\btypescript\b/
+  rules:
+    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast\b/ &&
+          $SAST_DEFAULT_ANALYZERS =~ /tslint/
+      exists:
+        - '**/*.ts'