Verified Commit 7995789f authored by Vincent's avatar Vincent

Use GitLab's security CI template

See
https://about.gitlab.com/2019/03/22/gitlab-11-9-released/#cicd-templates-for-security-jobs

The `app_url` artifact was renamed to `environment_url.txt` because
that is the filename the DAST template expects. The file could not
be renamed inside the DAST job itself, because overriding `script`
there would replace the template's own commands.
parent 7c770763
......@@ -89,7 +89,7 @@ provision:
- terraform plan -out .tfplan -input=false | cleanup
- terraform apply -input=false .tfplan | cleanup
- terraform output heroku_git_url > heroku_git_url
- terraform output live_url > app_url
- terraform output live_url > environment_url.txt
- LIVE_URL=`terraform output live_url`
- echo -e "View app at\n$LIVE_URL"
environment:
......@@ -104,7 +104,7 @@ provision:
expire_in: 1 hour
paths:
- heroku_git_url
- app_url
- environment_url.txt
stop_terraform:
stage: provision
image:
......@@ -180,7 +180,7 @@ deploy:
- git add .yarnrc
- git commit -m "Increase Yarn download timeout to account for a large package (material-design-icons)"
- git push --force heroku heroku_deployment:master
- export APP_URL=`cat app_url`
- export APP_URL=`cat environment_url.txt`
- echo -e "View app at\n$APP_URL"
build_extension:
stage: deploy
......@@ -194,7 +194,7 @@ build_extension:
except:
- schedules
script:
- export APP_URL=`cat app_url`
- export APP_URL=`cat environment_url.txt`
- cd extension
- yarn
- if [[ $CI_COMMIT_REF_NAME != "master" ]]; then node tag_prerelease_version.js; fi;
......@@ -227,7 +227,7 @@ e2e:firefox:
- provision
script:
- wipCommits=`git log --grep=^WIP`; if [ -n "$wipCommits" ] && [ "$CI_COMMIT_REF_NAME" != "master" ]; then echo "WIP commits detected; skipping tests."; exit 0; fi
- export APP_URL=`cat app_url`
- export APP_URL=`cat environment_url.txt`
- cd e2e-tests
- yarn install --frozen-lockfile
- yarn run test --host=selenium
......@@ -250,7 +250,7 @@ e2e:chrome:
- provision
script:
- wipCommits=`git log --grep=^WIP`; if [ -n "$wipCommits" ] && [ "$CI_COMMIT_REF_NAME" != "master" ]; then echo "WIP commits detected; skipping tests."; exit 0; fi
- export APP_URL=`cat app_url`
- export APP_URL=`cat environment_url.txt`
- cd e2e-tests
- yarn install --frozen-lockfile
- yarn run test --host=selenium
......@@ -275,7 +275,7 @@ visual-regression-test:
- schedules
script:
- wipCommits=`git log --grep=^WIP`; if [ -n "$wipCommits" ] && [ "$CI_COMMIT_REF_NAME" != "master" ]; then echo "WIP commits detected; skipping tests."; exit 0; fi
- export APP_URL=`cat app_url`
- export APP_URL=`cat environment_url.txt`
- echo "Going to run visual regression tests. If it fails, view the report in this job's artifacts, where it will display what changed. If the changes look OK, download the new versions of the screenshots and check them in in the /visual-regression-tests/snapshots/ directory."
- cd visual-regression-tests
- yarn install --frozen-lockfile
......@@ -289,44 +289,25 @@ visual-regression-test:
expire_in: 1 week
when: always
include:
# See https://gitlab.com/help/user/project/merge_requests/sast.md
- template: SAST.gitlab-ci.yml
# See https://gitlab.com/help/user/project/merge_requests/dast.md
- template: DAST.gitlab-ci.yml
# See https://gitlab.com/help/user/project/merge_requests/sast.md
sast:
stage: confidenceCheck
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:stable-dind
except:
- schedules
script:
- export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
- docker run
--env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
--volume "$PWD:/code"
--volume /var/run/docker.sock:/var/run/docker.sock
"registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
artifacts:
reports:
sast: gl-sast-report.json
# See https://gitlab.com/help/user/project/merge_requests/dast.md
dast:
stage: confidenceCheck
dependencies:
- provision
image: registry.gitlab.com/gitlab-org/security-products/zaproxy
allow_failure: true
except:
- schedules
script:
- mkdir /zap/wrk/
- /zap/zap-baseline.py -J gl-dast-report.json -t `cat app_url` || true
- cp /zap/wrk/gl-dast-report.json .
artifacts:
reports:
dast: gl-dast-report.json
# See https://gitlab.com/help/user/project/merge_requests/code_quality.md
code_quality:
......@@ -361,7 +342,7 @@ performance:
except:
- schedules
script:
- export CI_ENVIRONMENT_URL=$(cat app_url)
- export CI_ENVIRONMENT_URL=$(cat environment_url.txt)
- mkdir gitlab-exporter
- wget -O ./gitlab-exporter/index.js https://gitlab.com/gitlab-org/gl-performance/raw/master/index.js
- mkdir sitespeed-results
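Review bot: In the `include:` hunk (@@ -289,44) the templated `dast` job loses the explicit `dependencies: [provision]` that the removed hand-written job had, so obtaining `environment_url.txt` now rests on the default fetch of all earlier-stage artifacts, while the provision artifact still carries `expire_in: 1 hour` (@@ -104 hunk). If the e2e and visual-regression stages push the DAST stage past that window, `cat environment_url.txt` yields an empty target and, since the removed job was `allow_failure: true` and the template's job presumably is too, the scan fails quietly while the pipeline stays green. A project-level override that the template does not itself define would surface this, e.g. `dast:` / `  dependencies: [provision]` / `  before_script: ["test -s environment_url.txt"]`, assuming the included template sets no `before_script` — check that against the template version in use. Whether the template's stage name is present in this file's `stages:` list cannot be confirmed from the hunks shown; the removed jobs ran in `confidenceCheck`.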