Commit 42bb0907 authored by Victor Zagorodny's avatar Victor Zagorodny Committed by Sean McGivern

Make SAST compatible with private dependencies

Enable the propagation of all of the job ENV
vars to the sast docker container and thus to
the analyzer containers being started by it.
This enables passing credentials for private
repos being accessed by underlying analyzers
via UI-set environment variables. Exclude a
bunch of system-related ENV vars from
propagation.
parent 462f7942
---
title: Propagate custom environment variables to SAST analyzers
merge_request: 18193
author:
type: changed
......@@ -146,7 +146,15 @@ sast:
CI_DEBUG_TRACE: "true"
```
### Using a variable to pass username and password to a private Maven repository
### Using environment variables to pass credentials for private repositories
Some analyzers require downloading the project's dependencies in order to
perform the analysis. In turn, such dependencies may live in private Git
repositories and thus require credentials like username and password to download them.
Depending on the analyzer, such credentials can be provided to
it via [custom environment variables](#custom-environment-variables).
#### Using a variable to pass username and password to a private Maven repository
If you have a private Apache Maven repository that requires login credentials,
you can use the `MAVEN_CLI_OPTS` [environment variable](#available-variables)
......@@ -234,6 +242,19 @@ Some analyzers can be customized with environment variables.
| `SBT_PATH` | spotbugs | Path to the `sbt` executable. |
| `FAIL_NEVER` | spotbugs | Set to `1` to ignore compilation failure. |
#### Custom environment variables
> [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/18193) in GitLab Ultimate 12.5.
In addition to the aforementioned SAST configuration variables,
all [custom environment variables](../../../ci/variables/README.md#creating-a-custom-environment-variable) are propagated
to the underlying SAST analyzer images if
[the SAST vendored template](#configuration) is used.
CAUTION: **Caution:**
Variables having names starting with these prefixes will **not** be propagated to the SAST Docker container and/or
analyzer containers: `DOCKER_`, `CI`, `GITLAB_`, `FF_`, `HOME`, `PWD`, `OLDPWD`, `PATH`, `SHLVL`, `HOSTNAME`.
## Reports JSON format
CAUTION: **Caution:**
......
......@@ -35,45 +35,12 @@ sast:
export DOCKER_HOST='tcp://localhost:2375'
fi
fi
- | # this is required to avoid undesirable reset of Docker image ENV variables being set on build stage
function propagate_env_vars() {
CURRENT_ENV=$(printenv)
for VAR_NAME; do
echo $CURRENT_ENV | grep "${VAR_NAME}=" > /dev/null && echo "--env $VAR_NAME "
done
}
- |
printenv | grep -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | cut -d'=' -f1 | \
(while IFS='\\n' read -r VAR; do unset -v "$VAR"; done; /bin/printenv > .env)
- |
docker run \
$(propagate_env_vars \
SAST_BANDIT_EXCLUDED_PATHS \
SAST_ANALYZER_IMAGES \
SAST_ANALYZER_IMAGE_PREFIX \
SAST_ANALYZER_IMAGE_TAG \
SAST_DEFAULT_ANALYZERS \
SAST_PULL_ANALYZER_IMAGES \
SAST_BRAKEMAN_LEVEL \
SAST_FLAWFINDER_LEVEL \
SAST_GITLEAKS_ENTROPY_LEVEL \
SAST_GOSEC_LEVEL \
SAST_EXCLUDED_PATHS \
SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
SAST_RUN_ANALYZER_TIMEOUT \
SAST_JAVA_VERSION \
ANT_HOME \
ANT_PATH \
GRADLE_PATH \
JAVA_OPTS \
JAVA_PATH \
JAVA_8_VERSION \
JAVA_11_VERSION \
MAVEN_CLI_OPTS \
MAVEN_PATH \
MAVEN_REPO_PATH \
SBT_PATH \
FAIL_NEVER \
) \
--env-file .env \
--volume "$PWD:/code" \
--volume /var/run/docker.sock:/var/run/docker.sock \
"registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment