Commit 5a22ceb8 authored by Nick Gaskill's avatar Nick Gaskill

Merge branch '37278-document-custom-analyzers-non-dind' into 'master'

Document custom analyzers in non-DinD setup

See merge request gitlab-org/gitlab!29121
parents 2776699a c49fe8ef
...@@ -83,8 +83,11 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). ...@@ -83,8 +83,11 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers).
## Custom analyzers ## Custom analyzers
You can provide your own analyzers as a comma separated list of Docker images. ### Custom analyzers with Docker-in-Docker
Here's how to add `analyzers/nugget` and `analyzers/perl` to the default images.
When Docker-in-Docker for Dependency Scanning is enabled,
you can provide your own analyzers as a comma-separated list of Docker images.
Here's how to add `analyzers/nuget` and `analyzers/perl` to the default images.
In `.gitlab-ci.yml` define: In `.gitlab-ci.yml` define:
```yaml ```yaml
...@@ -92,7 +95,7 @@ include: ...@@ -92,7 +95,7 @@ include:
template: Dependency-Scanning.gitlab-ci.yml template: Dependency-Scanning.gitlab-ci.yml
variables: variables:
DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nugget,amy-docker-registry/nalyzers/perl" DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nuget,amy-docker-registry/analyzers/perl"
``` ```
The values must be the full path to the container registry images, The values must be the full path to the container registry images,
...@@ -103,6 +106,28 @@ This configuration doesn't benefit from the integrated detection step. Dependenc ...@@ -103,6 +106,28 @@ This configuration doesn't benefit from the integrated detection step. Dependenc
Scanning has to fetch and spawn each Docker image to establish whether the Scanning has to fetch and spawn each Docker image to establish whether the
custom analyzer can scan the source code. custom analyzer can scan the source code.
### Custom analyzers without Docker-in-Docker
When Docker-in-Docker for Dependency Scanning is disabled, you can provide your own analyzers by
defining CI jobs in your CI configuration. For consistency, you should suffix your custom Dependency
Scanning jobs with `-dependency_scanning`. Here's how to add a scanning job that's based on the
Docker image `my-docker-registry/analyzers/nuget` and generates a Dependency Scanning report
`gl-dependency-scanning-report.json` when `/analyzer run` is executed. Define the following in
`.gitlab-ci.yml`:
```yaml
nuget-dependency_scanning:
image:
name: "my-docker-registry/analyzers/nuget"
script:
- /analyzer run
artifacts:
reports:
dependency_scanning: gl-dependency-scanning-report.json
```
The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab.
## Analyzers data ## Analyzers data
The following table lists the data available for each official analyzer. The following table lists the data available for each official analyzer.
......
...@@ -92,7 +92,10 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). ...@@ -92,7 +92,10 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers).
## Custom Analyzers ## Custom Analyzers
You can provide your own analyzers as a comma separated list of Docker images. ### Custom analyzers with Docker-in-Docker
When Docker-in-Docker for SAST is enabled,
you can provide your own analyzers as a comma-separated list of Docker images.
Here's how to add `analyzers/csharp` and `analyzers/perl` to the default images: Here's how to add `analyzers/csharp` and `analyzers/perl` to the default images:
In `.gitlab-ci.yml` define: In `.gitlab-ci.yml` define:
...@@ -112,8 +115,27 @@ This configuration doesn't benefit from the integrated detection step. ...@@ -112,8 +115,27 @@ This configuration doesn't benefit from the integrated detection step.
SAST has to fetch and spawn each Docker image to establish whether the SAST has to fetch and spawn each Docker image to establish whether the
custom analyzer can scan the source code. custom analyzer can scan the source code.
CAUTION: **Caution:** ### Custom analyzers without Docker-in-Docker
Custom analyzers are not spawned automatically when [Docker In Docker](index.md#disabling-docker-in-docker-for-sast) is disabled.
When Docker-in-Docker for SAST is disabled, you can provide your own analyzers by
defining CI jobs in your CI configuration. For consistency, you should suffix your custom
SAST jobs with `-sast`. Here's how to add a scanning job that's based on the
Docker image `my-docker-registry/analyzers/csharp` and generates a SAST report
`gl-sast-report.json` when `/analyzer run` is executed. Define the following in
`.gitlab-ci.yml`:
```yaml
csharp-sast:
image:
name: "my-docker-registry/analyzers/csharp"
script:
- /analyzer run
artifacts:
reports:
sast: gl-sast-report.json
```
The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab.
## Analyzers Data ## Analyzers Data
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment