diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fd45bbf643fd4a6f500fb651e5a21f16e9f1cf4c..1650b82a9abe25cb4a8175edb57a6f2af33d887d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -19,6 +19,11 @@ default:
 - cookiecutter --no-input --overwrite-if-exists --output-dir . .
 - cd my_awesome_app
+# Override semgrep-sast before script
+sast:
+ before_script:
+ - python --version # For debugging
+
 # Override unit test before script
 .run_unit_test_version_base:
 before_script:
diff --git a/{{cookiecutter.project_slug}}/.gitlab-ci.yml b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
index 1498ae3a1c7fddd5566cef273240ac4cf276cb96..1fb825d923a6c5cede19408f558635e98c467937 100644
--- a/{{cookiecutter.project_slug}}/.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
@@ -20,6 +20,12 @@ variables:
 PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
+include:
+ - template: Security/SAST.gitlab-ci.yml
+ - template: Security/Dependency-Scanning.gitlab-ci.yml
+ - template: Security/Secret-Detection.gitlab-ci.yml
+
+
 # Prepare image to run ci on
 trigger_prepare:
 stage: prepare
@@ -45,6 +51,22 @@ run_pylint:
 - tox -e pylint
 allow_failure: true
+sast:
+ variables:
+ SAST_EXCLUDED_ANALYZERS: brakeman, kubesec, nodejs-scan, phpcs-security-audit,
+ pmd-apex, sobelow, spotbugs
+ stage: test
+dependency_scanning:
+ # override default before_script, job won't have Python available
+ before_script:
+ - uname
+secret_detection:
+ # override default before_script, job won't have Python available
+ before_script:
+ - uname
+
 # Basic setup for all Python versions for which we don't have a base image
 .run_unit_test_version_base:
 before_script:
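Review bot: The `before_script` placed on `sast` is inherited by every analyzer job that `extends` the template's `sast` job, not only semgrep-sast, and it replaces the `default.before_script` shown in the context lines (cookiecutter render plus `cd my_awesome_app`), so the analyzers presumably scan the template checkout rather than the rendered app — the comment `# Override semgrep-sast before script` understates both effects. `python --version` also has to exist in whichever analyzer image GitLab supplies; if it does not, the job fails before the analyzer runs, which is the very problem the second file's comments anticipate for other analyzers. If the only goal is to cancel the default, `before_script: []` does that without depending on the image, with the comment `# Inherited by every analyzer extending sast; cancels default.before_script, so scans run on the template checkout, not the rendered app`.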
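Review bot: Nothing in this `include:` block makes a finding block the pipeline: the analyzer jobs in GitLab's Security templates are, as far as I recall, declared with `allow_failure: true`, so SAST, dependency-scanning and secret-detection results only surface in the MR widget unless merge-request approval (scan result) policies enforce them, and a comment above `include:` saying so would stop readers assuming the pipeline gates on vulnerabilities. Secret detection as included scans only the commits of the current pipeline by default; secrets already in history are only found by a one-off run with `SECRET_DETECTION_HISTORIC_SCAN: "true"`. The template jobs default to `stage: test`, so if the `stages:` list (outside this hunk) does not declare `test` the pipeline is rejected. The double blank line before `# Prepare image to run ci on` should be a single one.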
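Review bot: `before_script: - uname` on `dependency_scanning` and `secret_detection` is a placeholder whose only purpose is to stop `default.before_script` (not shown here) from running in analyzer images without Python; `before_script: []` states that intent directly and does not depend on `uname` existing in the image, paired with the comment `# Analyzer image has no Python: cancel default.before_script instead of running a stand-in`. `SAST_EXCLUDED_ANALYZERS` is written as a plain multi-line scalar that YAML folds into one space-joined string; that appears to work because the template matches analyzer names with a regex rather than exact tokens, but `>-` (or a single line) would make the folding explicit and survive a future exact-match parser. Note the exclusions are mostly declarative: the template already skips analyzers whose language files are absent, and kubesec in particular only runs when `SCAN_KUBERNETES_MANIFESTS` is set, so excluding it changes nothing unless that variable is later enabled.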