-
Notifications
You must be signed in to change notification settings - Fork 7
/
.gitlab-ci.yml
104 lines (92 loc) · 3.23 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
.merge_request:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == "main"
terraform-fmt:
image:
name: hashicorp/terraform
entrypoint: [""]
script:
- terraform fmt -recursive -diff -check .
rules:
- !reference [.merge_request, rules]
# Scanning top level modules to avoid extreme duplication
tfsec-check-soft:
image: aquasec/tfsec-ci:v1.26.3
script:
- tfsec --no-color --soft-fail .
rules:
- !reference [.merge_request, rules]
# Add folders that should be vuln free and STAY THAT WAY
tfsec-check-enforce:
image: aquasec/tfsec-ci:v1.26.3
script:
- tfsec --no-color .
rules:
- !reference [.merge_request, rules]
include:
- template: Jobs/SAST-IaC.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
secret_detection:
allow_failure: false
variables:
SECRET_DETECTION_EXCLUDED_PATHS: 'keys.example,config/artifacts.example,public/acuant/*/opencv.min.js,tmp/0.0.0.0-3000.key'
SECRET_DETECTION_REPORT_FILE: 'gl-secret-detection-report.json'
rules:
- if: $SECRET_DETECTION_DISABLED
when: never
- if: '$CI_COMMIT_BRANCH || $CI_COMMIT_TAG'
- if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"
variables:
SECRET_DETECTION_LOG_OPTIONS: origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}..HEAD
- if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "main" && $CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME == "main"
variables:
SECRET_DETECTION_LOG_OPTIONS: origin/${CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME}..HEAD
before_script:
- apk add --no-cache jq
- git fetch origin --quiet
script:
- |
if [ -z "$SECRET_DETECTION_LOG_OPTIONS" ]; then
/analyzer run
if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
# check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
if [ "$(jq ".vulnerabilities | length" $SECRET_DETECTION_REPORT_FILE)" -gt 0 ]; then
echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
exit 80
fi
else
echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
fi
else
echo "Skipping because this is not a PR or is not targeting main"
exit 0
fi
lambda-unit-tests:
image: "$ECR_REGISTRY/ecr-public/docker/library/python:3.12.0-alpine3.18"
script:
- apk add --no-cache bash git
- ./bin/lambda-utilities/test.sh --coverage --xml
rules:
- !reference [.merge_request, rules]
- changes:
- "**/src/*"
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: coverage.xml
junit: tmp/unittest.xml
lambda-lint:
image: "$ECR_REGISTRY/ecr-public/docker/library/python:3.12.0-alpine3.18"
script:
- apk add --no-cache bash git
- ./bin/lambda-utilities/lint.sh
rules:
- !reference [.merge_request, rules]
- changes:
- "**/src/*"
variables:
ECR_REGISTRY: '${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com'