Fix: Update the gitlab static application security testing (SAST) job…

… using the Semgrep-based analyzer(Merge pull request gigascience#2063) Replaced deprecated phpcs-security-audit SAST analyzer with the latest one Implemented Smegrep to the current gitlab pipeline By default enable the sast jobs for hpcs-security-audit, together with bandit, eslint, nodejsandspot-bugs` Made the config of the stage conformance and security simpler and more concise Refs: gigascience#1867
luistoptal · Nov 12, 2024 · ea1a37c · ea1a37c
2 parents 1deb11f + 2d23770
commit ea1a37c
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 40 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -64,7 +64,7 @@ image: docker:$DOCKER_VERSION
 
 
 include:
-  - template: Security/SAST.gitlab-ci.yml
+  - template: Jobs/SAST.gitlab-ci.yml
   - template: Jobs/Container-Scanning.gitlab-ci.yml
   - local: "ops/pipelines/gigadb-build-jobs.yml"
   - local: "ops/pipelines/gigadb-test-jobs.yml"

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+- Feat #1867: Update the gitlab static application security testing (SAST) job using the Semgrep-based analyzer
 - Fix #2066: Max length for attribute value set to 1000 in file admin form
 - Feat #1968: Add curators manual for operating tools on bastion server
 - Feat #1750: Switch to guzzle instead of cURL

diff --git a/gigadb/app/tools/files-url-updater/gitlab-config.yml b/gigadb/app/tools/files-url-updater/gitlab-config.yml
@@ -45,7 +45,7 @@ FilesUrlsUpdaterTest:
     - $LOCAL_COMPOSE ps
     - $LOCAL_COMPOSE run --rm updater ./vendor/bin/codecept run tests/unit
     - $LOCAL_COMPOSE run --rm updater ./vendor/bin/codecept run tests/functional
-  needs: ["container_scanning","phpcs-security-audit-sast"]
+  needs: ["container_scanning","semgrep-sast"]
   environment:
     name: dev
 
@@ -85,7 +85,7 @@ FilesUrlsUpdaterBuildStaging:
       - .ci_env
     when: always
     expire_in: 3 days
-  needs: ["FilesUrlsUpdaterTest"]
+  needs: ["semgrep-sast"]
 
 FilesUrlsUpdaterDeployStaging:
   stage: staging deploy

diff --git a/gigadb/app/tools/readme-generator/gitlab-config-test.yml b/gigadb/app/tools/readme-generator/gitlab-config-test.yml
@@ -51,6 +51,6 @@ ReadmeGeneratorTest:
     - $LOCAL_COMPOSE ps
     - $LOCAL_COMPOSE run --rm tool ./vendor/bin/codecept run tests/unit
     - $LOCAL_COMPOSE run --rm tool ./vendor/bin/codecept run tests/functional
-  needs: ["container_scanning","phpcs-security-audit-sast"]
+  needs: ["container_scanning","semgrep-sast"]
   environment:
     name: dev
diff --git a/ops/pipelines/gigadb-conformance-security-jobs.yml b/ops/pipelines/gigadb-conformance-security-jobs.yml
@@ -68,44 +68,8 @@ check_PHPDoc:
     - docker-compose run --rm gigadb
     - docker-compose run --rm test ./tests/coverage_check
 
-
-bandit-sast:
-  stage: conformance and security
-  variables:
-    SAST_DISABLED: "true"
-
-eslint-sast:
-  stage: conformance and security
-  variables:
-    SAST_DISABLED: "true"
-
-nodejs-scan-sast:
-  stage: conformance and security
-  variables:
-    SAST_DISABLED: "true"
-
-phpcs-security-audit-sast:
-  stage: conformance and security
-  rules:
-    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
-      when: never
-    - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
-      when: never
-    - if: $CI_COMMIT_BRANCH || $CI_COMMIT_TAG
-      exists:
-        - '**/*.php'
-
-
 semgrep-sast:
   stage: conformance and security
-  variables:
-    SAST_DISABLED: "true"
-
-spotbugs-sast:
-  stage: conformance and security
-  variables:
-    SAST_DISABLED: "true"
-
 
 variables:
   CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6"