Proof of Concept: Leverage existing build jobs for SAST, DS
Problem to solve
SAST and Dependency Scanning (DS) rely on their own CI jobs and Docker images to scan projects. As explained in #8212 (closed) this is not efficient and is likely to fail if the project depends on a specific environment: interpreter, compiler, compiler options, package manager options, OS libraries, etc.
When discussing this during a dedicated meeting we came up with a solution, but it has to be evaluated before implementation, so the first step is to build a Proof of Concept (PoC).
Proposal
Focus on one technology (like Python, Java Maven, Ruby or Nodejs) and make it possible to plug SAST or DS into any CI build job by adding a single line to the `script` section of the job definition.
The script added to the job definition (no more than a line) proceeds in three steps:
- fetch the analyzer and its resources as a single archive
- extract the archive
- run the analyzer and generate the SAST or DS report
Since the script generates a SAST or DS report, this must be declared in the job definition. For example, here's what users would add to the job definition when adding SAST:
```yaml
artifacts:
  reports:
    sast: gl-sast-report.json
```
The analyzer project chosen for the PoC will have its pipeline tweaked in order to generate the archive that contains both the binary and its resources. The archive is declared as a CI artifact so that it can be downloaded over the Internet.
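As an added illustration (not part of the original proposal, and not the analyzer project's own pipeline), here is what a complete Python build job could look like with the three steps folded into one `script` line and the report declared as an artifact. `ANALYZER_URL`, `ANALYZER_SHA256` and the `/tmp/analyzer/run` entry point are hypothetical placeholders; the proposal does not fix the archive location or the analyzer's command line. Because the archive is fetched over the Internet at build time, the line pins the expected SHA-256 of the archive and aborts the job on a mismatch, so a tampered or truncated download can never execute inside the build job.

```yaml
# Added example, not from the issue: a custom Python build job with SAST plugged in.
# ANALYZER_URL, ANALYZER_SHA256 and /tmp/analyzer/run are hypothetical placeholders.
test:
  image: python:3.7
  variables:
    ANALYZER_URL: "https://example.invalid/sast-python/analyzer.tar.gz"   # placeholder: CI artifact of the analyzer project
    ANALYZER_SHA256: "<sha256-of-the-archive>"                            # placeholder: digest of the archive being pinned
  script:
    # existing build/test steps of the job, untouched
    - pip install -r requirements.txt
    - pytest
    # the single added line: fetch, verify, extract, run (each step aborts the job on failure)
    - curl -sSfL "$ANALYZER_URL" -o /tmp/analyzer.tar.gz && echo "$ANALYZER_SHA256  /tmp/analyzer.tar.gz" | sha256sum -c - && mkdir -p /tmp/analyzer && tar -xzf /tmp/analyzer.tar.gz -C /tmp/analyzer && /tmp/analyzer/run
  artifacts:
    reports:
      # the analyzer is assumed to write this file into the project directory
      sast: gl-sast-report.json
```

The `&&` chain matters: without it a failed download or checksum would still let `tar` and the analyzer run on whatever is in `/tmp`, and the job could pass with an empty or stale report. Pinning the digest per analyzer release also makes it explicit in the project's history which analyzer version produced a given report.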
We assume that the CI Runner runs on a Linux box. The PoC will thus be compatible with the shared runners of gitlab.com.
If easier, the line added to the `script` section includes one specific SAST analyzer or DS analyzer, like "SAST for Python" or "DS for Maven"; it doesn't have to be generic.
What does success look like, and how can we measure that?
Integration of SAST and DS in existing custom build jobs is seamless: it takes no more than a couple of lines to add SAST or DS to an existing build job (one line added to the `script` section, one line added to the `reports` section).
Links / references
Meeting minutes: https://docs.google.com/document/d/1aheAoPOtc1gp1QGMe16rB2CDIwAh_41Zwj2zBQaRJZ4/edit#