From dd5aa53b0684ff6e8cff61e43fa20ebcbd1a0386 Mon Sep 17 00:00:00 2001 From: kencho Date: Mon, 14 Oct 2024 09:54:06 +0800 Subject: [PATCH 1/6] refactor: enable SAST after update the template --- .gitlab-ci.yml | 2 +- ops/pipelines/gigadb-conformance-security-jobs.yml | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9be93e96f4..a39172cf74 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -64,7 +64,7 @@ image: docker:$DOCKER_VERSION include: - - template: Security/SAST.gitlab-ci.yml + - template: Jobs/SAST.gitlab-ci.yml - template: Jobs/Container-Scanning.gitlab-ci.yml - local: "ops/pipelines/gigadb-build-jobs.yml" - local: "ops/pipelines/gigadb-test-jobs.yml" diff --git a/ops/pipelines/gigadb-conformance-security-jobs.yml b/ops/pipelines/gigadb-conformance-security-jobs.yml index 11d65af286..957e75ae48 100644 --- a/ops/pipelines/gigadb-conformance-security-jobs.yml +++ b/ops/pipelines/gigadb-conformance-security-jobs.yml @@ -95,11 +95,14 @@ phpcs-security-audit-sast: exists: - '**/*.php' - semgrep-sast: stage: conformance and security - variables: - SAST_DISABLED: "true" + artifacts: + untracked: true + when: always + expire_in: 1 week + reports: + sast: gl-sast-report.json spotbugs-sast: stage: conformance and security From e6916e38c41057a339d3870f546ab7bb130103b4 Mon Sep 17 00:00:00 2001 From: kencho Date: Mon, 14 Oct 2024 13:39:01 +0800 Subject: [PATCH 2/6] refactor: exclude extra scanners --- .../gigadb-conformance-security-jobs.yml | 37 +------------------ 1 file changed, 2 insertions(+), 35 deletions(-) diff --git a/ops/pipelines/gigadb-conformance-security-jobs.yml b/ops/pipelines/gigadb-conformance-security-jobs.yml index 957e75ae48..856a29df7f 100644 --- a/ops/pipelines/gigadb-conformance-security-jobs.yml +++ b/ops/pipelines/gigadb-conformance-security-jobs.yml 
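Review bot: `untracked: true` in the new `artifacts:` block of `semgrep-sast` uploads every untracked file left in the job's working tree, not just the scanner output, and retains it for a week on the pipeline where anyone with artifact access can download it; the SAST result itself is already collected through `reports: sast: gl-sast-report.json`. If the goal is only to keep the report when the scan fails, `when: always` together with `reports:` is enough and `untracked: true` can be dropped. PATCH 5/6 of this series removes the whole `artifacts:` block again, so this only matters if that later patch does not land.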
@@ -68,47 +68,14 @@ check_PHPDoc: - docker-compose run --rm gigadb - docker-compose run --rm test ./tests/coverage_check - -bandit-sast: - stage: conformance and security - variables: - SAST_DISABLED: "true" - -eslint-sast: - stage: conformance and security - variables: - SAST_DISABLED: "true" - -nodejs-scan-sast: - stage: conformance and security - variables: - SAST_DISABLED: "true" - -phpcs-security-audit-sast: - stage: conformance and security - rules: - - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1' - when: never - - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/ - when: never - - if: $CI_COMMIT_BRANCH || $CI_COMMIT_TAG - exists: - - '**/*.php' - semgrep-sast: stage: conformance and security + variables: + SAST_EXCLUDED_ANALYZERS: "spotbugs, bandit, eslint, nodejs-scan" artifacts: untracked: true when: always expire_in: 1 week - reports: - sast: gl-sast-report.json - -spotbugs-sast: - stage: conformance and security - variables: - SAST_DISABLED: "true" - variables: CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6" From 30c60d4088af4684054bf38433dd9b158c6ffc8f Mon Sep 17 00:00:00 2001 From: kencho Date: Mon, 14 Oct 2024 14:14:59 +0800 Subject: [PATCH 3/6] refactor: replace phpcs-security-audit-sast to semgrep-sast --- gigadb/app/tools/files-url-updater/gitlab-config.yml | 4 ++-- gigadb/app/tools/readme-generator/gitlab-config-test.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/gigadb/app/tools/files-url-updater/gitlab-config.yml b/gigadb/app/tools/files-url-updater/gitlab-config.yml index 8bc0e065b3..4be99ccb0b 100644 --- a/gigadb/app/tools/files-url-updater/gitlab-config.yml +++ b/gigadb/app/tools/files-url-updater/gitlab-config.yml 
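Review bot: `SAST_EXCLUDED_ANALYZERS` is set as a job-level variable on `semgrep-sast`, but it is evaluated in the `rules:` of each analyzer's own job — the removed `phpcs-security-audit-sast` block shows the pattern, `- if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/`. A variable scoped to `semgrep-sast` is not visible to `spotbugs-sast`, `bandit-sast`, `eslint-sast` or `nodejs-scan-sast`, so once their `SAST_DISABLED: "true"` overrides are deleted here those analyzers are no longer excluded at all. To exclude them, move the setting to the pipeline's top-level `variables:` (the block that sets `CS_ANALYZER_IMAGE` at the end of the hunk appears to be that place), or drop it if running every analyzer is intended, as PATCH 4/6 later does. With the per-job `stage: conformance and security` overrides gone, any analyzer that still runs falls back to the stage declared in the included template; confirm that stage exists in this pipeline's `stages:` list, which is outside this hunk.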
@@ -45,7 +45,7 @@ FilesUrlsUpdaterTest: - $LOCAL_COMPOSE ps - $LOCAL_COMPOSE run --rm updater ./vendor/bin/codecept run tests/unit - $LOCAL_COMPOSE run --rm updater ./vendor/bin/codecept run tests/functional - needs: ["container_scanning","phpcs-security-audit-sast"] + needs: ["container_scanning","semgrep-sast"] environment: name: dev @@ -85,7 +85,7 @@ FilesUrlsUpdaterBuildStaging: - .ci_env when: always expire_in: 3 days - needs: ["FilesUrlsUpdaterTest"] + needs: ["semgrep-sast"] FilesUrlsUpdaterDeployStaging: stage: staging deploy diff --git a/gigadb/app/tools/readme-generator/gitlab-config-test.yml b/gigadb/app/tools/readme-generator/gitlab-config-test.yml index 4a505d2e00..bee99a0691 100644 --- a/gigadb/app/tools/readme-generator/gitlab-config-test.yml +++ b/gigadb/app/tools/readme-generator/gitlab-config-test.yml @@ -51,6 +51,6 @@ ReadmeGeneratorTest: - $LOCAL_COMPOSE ps - $LOCAL_COMPOSE run --rm tool ./vendor/bin/codecept run tests/unit - $LOCAL_COMPOSE run --rm tool ./vendor/bin/codecept run tests/functional - needs: ["container_scanning","phpcs-security-audit-sast"] + needs: ["container_scanning","semgrep-sast"] environment: name: dev From 8c38822d236a26fbb0f9dee8e6512de632ffba4d Mon Sep 17 00:00:00 2001 From: kencho Date: Mon, 14 Oct 2024 15:02:09 +0800 Subject: [PATCH 4/6] refactor: sast scan all by default --- ops/pipelines/gigadb-conformance-security-jobs.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/ops/pipelines/gigadb-conformance-security-jobs.yml b/ops/pipelines/gigadb-conformance-security-jobs.yml index 856a29df7f..9b9b69508d 100644 --- a/ops/pipelines/gigadb-conformance-security-jobs.yml +++ b/ops/pipelines/gigadb-conformance-security-jobs.yml @@ -70,8 +70,6 @@ check_PHPDoc: semgrep-sast: stage: conformance and security - variables: - SAST_EXCLUDED_ANALYZERS: "spotbugs, bandit, eslint, nodejs-scan" artifacts: untracked: true when: always From fd6ecea0a67cabc08b15f2d11257c6ca776aaf09 Mon Sep 17 00:00:00 2001 
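Review bot: `needs: ["container_scanning","semgrep-sast"]` in `FilesUrlsUpdaterTest` makes pipeline creation depend on `semgrep-sast` actually being added to the pipeline; the template's semgrep job carries its own `rules:` (not visible here), and when those rules skip the job a hard `needs` reference fails the whole pipeline rather than the single job. If that can happen here, declare the dependency as optional, `- job: semgrep-sast` with `optional: true`, which keeps the ordering when the scanner runs and does not block the pipeline otherwise. The identical `needs:` change in `ReadmeGeneratorTest` (readme-generator/gitlab-config-test.yml) in this patch has the same exposure.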
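Review bot: In `FilesUrlsUpdaterBuildStaging` the replaced line swaps `needs: ["FilesUrlsUpdaterTest"]` for `needs: ["semgrep-sast"]`, which removes the dependency on the test job entirely — the staging build can now start, and succeed, without the unit and functional tests having passed, which is not what the commit message ("replace phpcs-security-audit-sast to semgrep-sast") describes. Keep the test gate and add the scanner beside it, `needs: ["FilesUrlsUpdaterTest", "semgrep-sast"]`, or simply keep the original line, since the first hunk of this patch already makes `FilesUrlsUpdaterTest` need `semgrep-sast` and the build inherits that ordering transitively. The rest of the job definition continues outside the hunk.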
From: kencho Date: Wed, 16 Oct 2024 13:49:45 +0800 Subject: [PATCH 5/6] refactor: do not keep artifacts for sast --- ops/pipelines/gigadb-conformance-security-jobs.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ops/pipelines/gigadb-conformance-security-jobs.yml b/ops/pipelines/gigadb-conformance-security-jobs.yml index 9b9b69508d..6a25e9a7b6 100644 --- a/ops/pipelines/gigadb-conformance-security-jobs.yml +++ b/ops/pipelines/gigadb-conformance-security-jobs.yml @@ -70,10 +70,6 @@ check_PHPDoc: semgrep-sast: stage: conformance and security - artifacts: - untracked: true - when: always - expire_in: 1 week variables: CS_ANALYZER_IMAGE: "$CI_TEMPLATE_REGISTRY_HOST/security-products/container-scanning:6" From dfc5ffadff11f4eeac153c62f7d96f11b738c622 Mon Sep 17 00:00:00 2001 From: kencho Date: Wed, 23 Oct 2024 13:57:04 +0900 Subject: [PATCH 6/6] doc: update change log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ce32b1a9c..0f41219936 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## Unreleased +- Feat #1867: Update the gitlab static application security testing (SAST) job using the Semgrep-based analyzer - Feat #1968: Add curators manual for operating tools on bastion server - Feat #1750: Switch to guzzle instead of cURL - Fix #2042: Batch deletion of file attributes and samples