👷 GitLab 高级 SAST 分析器：信任 GitLab 实例证书

xuxiaowei-cloud · Sep 20, 2024 · 010277c · 010277c
1 parent 2533401
commit 010277c
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/.gitlab/ci/free.yaml b/.gitlab/ci/free.yaml
@@ -21,6 +21,24 @@ semgrep-sast:
     # $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
     - if: $SEMGREP_SAST == "true"
 
+gitlab-advanced-sast:
+  # 自定义 GitLab 高级 SAST 分析器 运行的阶段（stage 默认值：test）
+  # https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html
+  stage: test
+  before_script:
+    - cat /etc/os-release
+    - sed -i "s#dl-cdn.alpinelinux.org#mirrors.aliyun.com#" /etc/apk/repositories
+    - apk update
+    - apk add ca-certificates openssl
+    - mkdir -p /usr/local/share/ca-certificates
+    - openssl s_client -showcerts -connect $CI_SERVER_HOST:$CI_SERVER_PORT -servername $CI_SERVER_HOST < /dev/null 2>/dev/null | openssl x509 -outform PEM > /usr/local/share/ca-certificates/$CI_SERVER_HOST.crt
+    - echo | openssl s_client -CAfile /usr/local/share/ca-certificates/$CI_SERVER_HOST.crt -connect $CI_SERVER_HOST:$CI_SERVER_PORT -servername $CI_SERVER_HOST
+    - update-ca-certificates
+  rules:
+    # 自定义 SAST 运行的条件
+    # $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $GITLAB_ADVANCED_SAST == "true"
+
 secret_detection:
   # 自定义 Secret 运行的阶段（stage 默认值：test）
   stage: test