Commit 26f92add authored by Fulcrand Guilhem's avatar Fulcrand Guilhem Committed by Thomas Boni

Resolve "CI - sast"

parent dcf68399
+81 −0
# 🔓 SLS Scan

## Description

This job use the [ShiftLeftSecurity sast scan](https://github.com/ShiftLeftSecurity/sast-scan) which is a combination of various vulnerability scaners for different languages to help detect those in your project. This job permit to fully integrate it in Gitlab (sls-scan was developped to be used as a pre-commit and in CI directly).

!!! info
    There are 27 different languages supported(👉 [full list](https://github.com/ShiftLeftSecurity/sast-scan#bundled-tools))

## How to use it

1. The job can be run "out of the box". If you need to personalize its
   behavior, check the [variables section](#variables)
2. Choose a version in [version list](#versions)
3. Add the corresponding URL to your `.gitlab-ci.yml` file (see [Getting
   started](/getting-started)). Example:

    ```yaml
    include:
      - remote: 'https://jobs.go2scale.io/sls_scan.yml'
    ```

4. If you need to customize the job (stage, variables, ...) 👉 check the [jobs
   customization](/getting-started/#jobs-customization)
5. Well done, your job is ready to work ! 😀

## Job details

* Job name: `sls_scan`
* Docker image:
[`shiftleft/sast-scan`](https://hub.docker.com/r/_/shiftleft/sast-scan)
* Default stage: `static_tests`
* When: `always`

### Variables

| Name | Description | Default |
| ---- | ----------- | ------- |
| `SLS_TYPE` <img width=450/> | If you want to specify a specific scanner to use | ` ` |
| `STOP_ON_VULN` | If you want the job to stop on the first vulnerability detected | `false` |

### Artifacts

!!! info
    Currently, sls_scan isn't integrated in a merge request widget, so we
    create an exposed atifact containing resulsts.

You can view the report by languages when browsing through the published
artifact and clicking on the html outputs in your browser.

### Bundled tools

| Programming Language | Tools                               |
| -------------------- | ----------------------------------- |
| ansible              | ansible-lint                        |
| apex                 | pmd                                 |
| arm                  | checkov                             |
| aws                  | checkov                             |
| bash                 | shellcheck                          |
| bom                  | cdxgen                              |
| credscan             | gitleaks                            |
| depscan              | dep-scan                            |
| go                   | gosec, staticcheck                  |
| groovy               | find-sec-bugs                       |
| java                 | cdxgen, gradle, find-sec-bugs, pmd  |
| jsp                  | pmd, find-sec-bugs                  |
| json                 | jq, jsondiff, jsonschema            |
| kotlin               | detekt, find-sec-bugs               |
| scala                | find-sec-bugs                       |
| kubernetes           | checkov, kubesec, kube-score        |
| nodejs               | cdxgen, njsscan, eslint, yarn, rush |
| php                  | psalm, phpstan (ide only)           |
| plsql                | pmd                                 |
| python               | cfg-scan (\*), bandit, cdxgen       |
| ruby                 | dep-scan                            |
| rust                 | cdxgen                              |
| serverless           | checkov                             |
| terraform            | checkov, tfsec                      |
| Visual Force (vf)    | pmd                                 |
| Apache Velocity (vm) | pmd                                 |
| yaml                 | yamllint                            |

jobs/sls_scan/job.yml

0 → 100644
+6 −0
name: sls_scan
description: ShiftLeftSecurity sast scan to secure your application
default_stage: static_tests
icon: 🔓
maintainer: FulcrandG
license: MIT
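Review bot: `description` should state what the job does rather than promise an outcome; "runs the ShiftLeftSecurity sast-scan (SAST) against the repository" is accurate, while "to secure your application" is not something a scanner can guarantee. Write "SAST" in capitals, as it is an acronym.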
+27 −0
stages:
  - static_tests

sls_scan:
  image: shiftleft/sast-scan:v1.9.29
  stage: static_tests
  variables:
    SLS_TYPE: ""
    STOP_ON_VULN: "false"
  script:
    - mkdir public
    - if [ ! -z ${SLS_TYPE} ]; then
    -   scan --build -o public -t ${SLS_TYPE} | tee output
    - else
    -   scan --build -o public | tee output
    - fi
    - if [ ${STOP_ON_VULN} == "true" ]; then
    -   cat output | grep ❌
    -   if [ $? -eq 0 ]; then
    -     exit 1
    -   fi
    - fi
  artifacts:
    when: always
    expose_as: "ShiftLeft security scan"
    paths:
      - public
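Review bot: the `STOP_ON_VULN` branch has its failure logic inverted when the runner's shell executes `script` lines with `set -e` (GitLab's bash shell does): with no vulnerability found, `cat output | grep ❌` exits 1 and aborts the job before `if [ $? -eq 0 ]` is evaluated, so the job fails exactly when the scan is clean. Replace the four lines with `if grep -q ❌ output; then exit 1; fi`, which is also correct without `set -e`. Related points in the same script: `scan ... | tee output` masks the exit status of `scan` unless `pipefail` is enabled, so a crashing scanner still produces a green job; quote the variables in both tests (`[ -n "${SLS_TYPE}" ]`, `[ "${STOP_ON_VULN}" = "true" ]`), since `==` is a bash-only comparison and an unquoted empty `${SLS_TYPE}` only passes by accident of `test`'s one-argument form; `mkdir public` fails if the directory already exists, so use `mkdir -p`. Splitting `if`/`else`/`fi` across separate `script` list items works but is fragile; a single `|` block scalar keeps the control flow in one shell snippet. Finally, matching the ❌ emoji in human-readable output is a brittle gate; if the scanner offers a machine-readable report or a non-zero exit code on findings, gate on that instead.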
+1 −0
* Initial version
 No newline at end of file
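Review bot: the changelog entry carries no version or date, yet the README directs users to a "version list" to choose from; add a heading with the job's own version (the value the README's version list should show) so later entries can be mapped to releases. Also end the file with a newline.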