ci(python_dependency_scan): disabled main job and manual setup for all ci jobs.

Python dependency scanning does not work with multiple pip requirements files, so the jobs had to be set up manually.

MR !15
2022-01-23 07:36:49 +00:00
parent 6668c2fb8d
commit 2fffa866d8


@ -19,6 +19,79 @@ include:
- template: Security/Dependency-Scanning.gitlab-ci.yml - template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml - template: Security/License-Scanning.gitlab-ci.yml
# Scanner doesn't Pickup multiple pip files. Disable and specify jobs with pip file.
gemnasium-python-dependency_scanning:
rules:
- when: never
# source: https://gitlab.com/gitlab-org/gitlab/-/blob/2f33a8cb4dcea7b875e360d4cd9e016e027d2973/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
.gemnasium-python-dependency_scanning:
extends: .ds-analyzer
image:
name: "$DS_ANALYZER_IMAGE"
variables:
# DS_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
# override the analyzer image with a custom value. This may be subject to change or
# breakage across GitLab releases.
DS_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gemnasium-python:$DS_MAJOR_VERSION"
# Stop reporting Pipenv and Setuptools as "pip".
# See https://gitlab.com/gitlab-org/gitlab/-/issues/338252
DS_REPORT_PACKAGE_MANAGER_PIP_WHEN_PYTHON: "false"
rules:
- if: $DEPENDENCY_SCANNING_DISABLED
when: never
- if: $DS_EXCLUDED_ANALYZERS =~ /gemnasium-python/
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/
exists:
- '{requirements.txt,*/requirements.txt,*/*/requirements.txt}'
- '{requirements.pip,*/requirements.pip,*/*/requirements.pip}'
- '{Pipfile,*/Pipfile,*/*/Pipfile}'
- '{requires.txt,*/requires.txt,*/*/requires.txt}'
- '{setup.py,*/setup.py,*/*/setup.py}'
# Support passing of $PIP_REQUIREMENTS_FILE
# See https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#configuring-specific-analyzers-used-by-dependency-scanning
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdependency_scanning\b/ &&
$DS_DEFAULT_ANALYZERS =~ /gemnasium-python/ &&
$PIP_REQUIREMENTS_FILE
Ansible Dependencies:
extends: .gemnasium-python-dependency_scanning
variables:
PIP_REQUIREMENTS_FILE: ansible/requirements.txt
conventional_commits Dependencies:
extends: .gemnasium-python-dependency_scanning
variables:
PIP_REQUIREMENTS_FILE: conventional_commits/requirements.txt
gitlab_release Dependencies:
extends: .gemnasium-python-dependency_scanning
variables:
PIP_REQUIREMENTS_FILE: gitlab_release/requirements.txt
mkdocs Dependencies:
extends: .gemnasium-python-dependency_scanning
variables:
PIP_REQUIREMENTS_FILE: mkdocs/requirements.txt
python Dependencies:
extends: .gemnasium-python-dependency_scanning
variables:
PIP_REQUIREMENTS_FILE: python/requirements.txt
yaml_lint Dependencies:
extends: .gemnasium-python-dependency_scanning
variables:
PIP_REQUIREMENTS_FILE: yaml_lint/requirements.txt
PyLint: PyLint:
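Review bot: With the template job forced to `when: never` and scanning moved to six hand-listed `* Dependencies` jobs, any Python subproject added later (a new directory with its own requirements.txt) is silently left unscanned, and nothing in the hunk records that obligation; the override comment should say so, e.g. `# NOTE: every Python subproject needs its own "<dir> Dependencies" job below, otherwise it is not scanned at all.` The hidden `.gemnasium-python-dependency_scanning` job is a verbatim copy pinned to one template commit (the `source:` link), while the pipeline still includes the live `Security/Dependency-Scanning.gitlab-ci.yml`, so its rules and `DS_EXCLUDED_ANALYZERS`/`DEPENDENCY_SCANNING_DISABLED` handling will drift from the template and from `.ds-analyzer` it extends; a comment such as `# Re-sync this block with the included template whenever it changes.` next to the source link would make that maintenance step visible. The `exists:` rule is also inherited unchanged by each per-directory job, so every job is gated on the presence of any requirements file in the repository rather than on the specific `PIP_REQUIREMENTS_FILE` it sets — presumably acceptable here, but worth stating in the comment. The new jobs' surrounding `include:` block starts before the hunk.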