Prevent analyzers from being excluded in scan execution pipelines

Review changes
Download
Patches
Plain diff

Merged Prevent analyzers from being excluded in scan execution pipelines

420700-enforced-scan-execution-can-be-circumvented-by-sast_excluded_analyzers-variable into master

Overview 9
Commits 1
Pipelines 3
Changes 3

Merged Martin Čavoj requested to merge 420700-enforced-scan-execution-can-be-circumvented-by-sast_excluded_analyzers-variable into master 1 year ago

Overview 9
Commits 1
Pipelines 3
Changes 3

What does this MR do and why?

This MR fixes an oversight where it was possible to exclude certain analyzers from being run in scan execution pipelines.

Screenshots or screen recordings

Before	After

How to set up and validate locally

Add .gitlab-ci.yml:

build-job:
  stage: build
  script:
  - echo "Compiling the code..."
  - echo "Compile complete."
include:
- template: Security/SAST.gitlab-ci.yml

Add run_os_script.rb file into the project:

class Generic
  def run_on_system
    system("ls")
  end
end

Go to Secure -> Policies and create a new Scan Execution policy

name: SAST
description: ''
enabled: true
actions:
- scan: sast
rules:
- type: pipeline
  branches:
  - "*"

Go to Settings -> CI/CD -> Variables and add a new variable:
Go to Pipelines and run a new pipeline for the main branch
Verify that brakeman-sast-0 job is still present in the pipeline

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Related to #420700 (closed)

Edited 1 year ago by Martin Čavoj

Merge request reports

0 Assignees

0 Reviewers

Request review from

Labels

None

Select labels

Manage project labels

Milestone

None

Time tracking

Participants