-
Notifications
You must be signed in to change notification settings - Fork 4
/
.gitlab-ci.yml
42 lines (40 loc) · 1.8 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
include:
- template: Jobs/SAST-IaC.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
secret_detection:
allow_failure: false
variables:
SECRET_DETECTION_EXCLUDED_PATHS: 'keys.example,config/artifacts.example,public/acuant/*/opencv.min.js,tmp/0.0.0.0-3000.key'
SECRET_DETECTION_REPORT_FILE: 'gl-secret-detection-report.json'
rules:
- if: $SECRET_DETECTION_DISABLED
when: never
- if: '$CI_COMMIT_BRANCH || $CI_COMMIT_TAG'
- if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"
variables:
SECRET_DETECTION_LOG_OPTIONS: origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}..HEAD
- if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "main" && $CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME == "main"
variables:
SECRET_DETECTION_LOG_OPTIONS: origin/${CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME}..HEAD
before_script:
- apk add --no-cache jq
- git fetch origin --quiet
script:
- |
if [ -z "$SECRET_DETECTION_LOG_OPTIONS" ]; then
/analyzer run
if [ -f "$SECRET_DETECTION_REPORT_FILE" ]; then
# check if '{ "vulnerabilities": [], ..' is empty in the report file if it exists
if [ "$(jq ".vulnerabilities | length" $SECRET_DETECTION_REPORT_FILE)" -gt 0 ]; then
echo "Vulnerabilities detected. Please analyze the artifact $SECRET_DETECTION_REPORT_FILE produced by the 'secret-detection' job."
exit 80
fi
else
echo "Artifact $SECRET_DETECTION_REPORT_FILE does not exist. The 'secret-detection' job likely didn't create one. Hence, no evaluation can be performed."
fi
else
echo "Skipping because this is not a PR or is not targeting main"
exit 0
fi