photosvur.blogg.se

Microsoft safety scanner stuck













Integrating a security scanner into GitLab consists of providing end users they can add to their CI configuration files to scan their GitLab projects. This CI job should then output its results in a GitLab-specified format. These results are then automatically presented in various places in GitLab, such as the Pipeline view, merge request

The scanning job is usually based on a Docker image that contains the scanner and all its dependencies in a self-contained environment.

This page documents requirements and guidelines for writing CI jobs that implement a security scanner, as well as requirements and guidelines for the Docker image.

This section describes several important fields to add to the security scanner’s job definition file. Full documentation on these and other available fields can be viewed

For consistency, scanning jobs should be named after the scanner, in lower case. The job name is suffixed after the type of scanning:
For instance, the dependency scanning job based on the “MySec” scanner would be named mysec_dependency_scanning.

Is used to specify the commands to run the scanner. Because the script entry can’t be left empty, it must be set to the command that performs the scan. It is not possible to rely on the predefined ENTRYPOINT and CMD of the Docker image to perform the scan automatically, without passing any command.

Should not be used in the job definition because users may rely on this to prepare their projects before performing the scan. For instance, it is common practice to use before_script to install system libraries a particular project needs before performing SAST or Dependency Scanning.

Should not be used in the job definition, because it may be overridden by users.

Stage

For consistency, scanning jobs should belong to the test stage when possible. The stage keyword can be omitted because test is the default value.

To be aligned with the GitLab Security paradigm, scanning jobs should not block the pipeline when they fail, so the allow_failure parameter should be set to true.

Scanning jobs must declare a report that corresponds to the type of scanning they perform,
For example, here is the definition of a SAST job that generates a file named gl-sast-report.json,

    mysec_sast:
      image: /secure/mysec
      artifacts:
        reports:
          sast: gl-sast-report.json

gl-sast-report.json is an example file path but any other filename can be used. The Output file section for more details.














