gitlabhq/gitlabhq

View on GitHub
.gitlab/ci/reports.gitlab-ci.yml

Summary

Maintainability
Test Coverage
include:
  - template: Jobs/Code-Quality.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml

code_quality:
  extends:
    - .default-retry
    - .use-docker-in-docker
  artifacts:
    paths:
      - gl-code-quality-report.json  # GitLab-specific
  rules: !reference [".reports:rules:code_quality", rules]

.sast-analyzer:
  # We need to re-`extends` from `sast` as the `extends` here overrides the one from the template.
  extends:
    - .default-retry
    - sast
  needs: []
  artifacts:
    paths:
      - gl-sast-report.json  # GitLab-specific
    expire_in: 1 week  # GitLab-specific
  variables:
    SAST_BRAKEMAN_LEVEL: 2  # GitLab-specific
    SAST_EXCLUDED_PATHS: "qa, spec, doc, ee/spec, config/gitlab.yml.example, tmp"  # GitLab-specific
    SAST_DISABLE_BABEL: "true"

brakeman-sast:
  rules: !reference [".reports:rules:sast", rules]

eslint-sast:
  rules: !reference [".reports:rules:sast", rules]

nodejs-scan-sast:
  rules: !reference [".reports:rules:sast", rules]

semgrep-sast:
  rules: !reference [".reports:rules:sast", rules]

.secret-analyzer:
  extends: .default-retry
  needs: []
  artifacts:
    paths:
      - gl-secret-detection-report.json  # GitLab-specific
    expire_in: 1 week  # GitLab-specific

secret_detection:
  rules: !reference [".reports:rules:secret_detection", rules]

.ds-analyzer:
  # We need to re-`extends` from `dependency_scanning` as the `extends` here overrides the one from the template.
  extends:
    - .default-retry
    - dependency_scanning
  needs: []
  variables:
    DS_EXCLUDED_PATHS: "qa/qa/ee/fixtures/secure_premade_reports, spec, ee/spec, tmp"  # GitLab-specific
  artifacts:
    paths:
      - gl-dependency-scanning-report.json  # GitLab-specific
    expire_in: 1 week  # GitLab-specific

gemnasium-dependency_scanning:
  before_script:
    # git-lfs is needed for auto-remediation
    - apk add git-lfs
  after_script:
    # Post-processing
    - apk add jq
    # Lower execa severity based on https://gitlab.com/gitlab-org/gitlab/-/issues/223859#note_452922390
    - jq '(.vulnerabilities[] | select (.cve == "yarn.lock:execa:gemnasium:05cfa2e8-2d0c-42c1-8894-638e2f12ff3d")).severity = "Medium"' gl-dependency-scanning-report.json > temp.json && mv temp.json gl-dependency-scanning-report.json
  rules: !reference [".reports:rules:dependency_scanning", rules]

bundler-audit-dependency_scanning:
  rules: !reference [".reports:rules:dependency_scanning", rules]

retire-js-dependency_scanning:
  rules: !reference [".reports:rules:dependency_scanning", rules]

gemnasium-python-dependency_scanning:
  rules: !reference [".reports:rules:dependency_scanning", rules]

# Analyze dependencies for malicious behavior
# See https://gitlab.com/gitlab-com/gl-security/security-research/package-hunter
package_hunter:
  extends:
    - .default-retry
    - .reports:rules:package_hunter
  stage: test
  image:
    name: registry.gitlab.com/gitlab-com/gl-security/security-research/package-hunter-cli:latest
    entrypoint: [""]
  needs: []
  allow_failure: true
  script:
    - rm -r spec locale .git app/assets/images doc/
    - cd .. && tar -I "gzip --best" -cf gitlab.tgz gitlab/
    - DEBUG=* HTR_user=$PACKAGE_HUNTER_USER HTR_pass=$PACKAGE_HUNTER_PASS node /usr/src/app/cli.js analyze --format gitlab gitlab.tgz | tee $CI_PROJECT_DIR/gl-dependency-scanning-report.json
  artifacts:
    paths:
      - gl-dependency-scanning-report.json
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    expire_in: 1 week

license_scanning:
  extends: .default-retry
  needs: []
  artifacts:
    expire_in: 1 week  # GitLab-specific
  rules: !reference [".reports:rules:license_scanning", rules]