Commit 3ec94dfe authored by moha-s's avatar moha-s

add global html report, fix fail logic

parent b574829c
+12 −2
@@ -17,6 +17,17 @@ This job uses the [ShiftLeftSecurity sast scan](https://github.com/ShiftLeftSecu
   customization](/use-the-hub/#jobs-customization)
5. Well done, your job is ready to work ! 😀

!!! info
    By default, the job will fail if it finds minimum the following number of vulnerabilities:  
        ```python
        build_break_rules = {
        "default": {"max_critical": 0, "max_high": 2, "max_medium": 5},
        "Secrets Audit": {"max_critical": 0, "max_high": 0, "max_medium": 1},
        "depscan": {"max_critical": 0,"max_high": 2,"max_medium": 5},
        }
        ```
    More about this [here](https://github.com/ShiftLeftSecurity/sast-scan/blob/6ee41bdc7ae3462e909a745ef7c8463c5229e5ef/lib/config.py#L1339){:target="_blank"}

## Job details

* Job name: `sls_scan`
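Review bot: the fenced `build_break_rules` block inside the `!!! info` admonition is indented 8 spaces while the admonition text is indented 4; under the `!!!` admonition syntax the extra 4 spaces turn the fence lines into an indented code block, so the backticks render literally instead of opening a code fence. Align the fence and its contents with "By default" (4 spaces). The wording "fail if it finds minimum the following number of vulnerabilities" also reads oddly next to keys named `max_critical`/`max_high`/`max_medium`; those names suggest maxima that must not be exceeded, so "fails if it finds more than the following number" (for example a single critical finding with `max_critical: 0`) would describe the rules more precisely. The link pins `config.py` to commit 6ee41bd, which is stable but may drift from the `shiftleft/sast-scan:v1.15.1` image the job uses; consider pointing at that tag.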
@@ -32,12 +43,11 @@ This job uses the [ShiftLeftSecurity sast scan](https://github.com/ShiftLeftSecu
| `SCAN_OPTIONS` | If you want to add [additional arguments](https://slscan.io/en/latest/getting-started/#command-line-arguments) for `scan` | ` ` |
| `ENABLE_BUILD` | The option to use `--build` with the `scan` command | `true` |
| `SLS_TYPE` | If you want to specify a specific scanner to use | ` ` |
| `STOP_ON_VULN` | If you want the job to stop on the first vulnerability detected | `false` |
| `OUTPUT_PATH` | Path to scan output folder | `sls_scan_report/` |

### Artifacts

Scan result is available as artifact.
Scan result is available as artifact, and all HTML reports are merged into one single HTML report

!!! warning
    It's also [exposed
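Review bot: the new Artifacts sentence "Scan result is available as artifact, and all HTML reports are merged into one single HTML report" should name the merged file (`1_COMPLETE_REPORT.html`, as produced by the job's `after_script` in this commit) so users know which artifact to open, and it is missing its final period. Also, the `STOP_ON_VULN` description "stop on the first vulnerability detected" does not match what the script does: the scan runs to completion and the job then exits 1 if any ❌ line appears in the output, so "fail the job if any vulnerability is detected" would be accurate.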
+11 −7
@@ -4,12 +4,13 @@ stages:
sls_scan:
  image: shiftleft/sast-scan:v1.15.1
  stage: static_tests

  variables:
    SCAN_OPTIONS: ""
    ENABLE_BUILD: "true"
    SLS_TYPE: ""
    STOP_ON_VULN: "false"
    OUTPUT_PATH: "sls_scan_report/"

  script:
    - mkdir "$OUTPUT_PATH"
    - if [ ${ENABLE_BUILD} == "true" ]; then
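Review bot: `mkdir "$OUTPUT_PATH"` has no `-p`, so the job aborts before scanning whenever the directory already exists (a reused workspace, or `OUTPUT_PATH` pointed at an existing folder); use `mkdir -p "$OUTPUT_PATH"`. On the next line `[ ${ENABLE_BUILD} == "true" ]` leaves the variable unquoted and uses the non-POSIX `==`; an empty `ENABLE_BUILD` turns it into `[ == "true" ]`, a syntax error. Prefer `[ "${ENABLE_BUILD}" = "true" ]`, and the same for the `STOP_ON_VULN` test below. The new `STOP_ON_VULN: "false"` default matches the docs table, which is good.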
@@ -19,17 +20,20 @@ sls_scan:
    -   SCAN_OPTIONS="${SCAN_OPTIONS} -t ${SLS_TYPE}"
    - fi
    - scan ${SCAN_OPTIONS} -o "$OUTPUT_PATH" | tee output
    - if [ ${STOP_ON_VULN} == "true" ]; then
    -   cat output | grep ❌
    -   if [ $? -eq 0 ]; then
    -     exit 1
    -   fi
    - fi

  after_script:
    - touch 1_COMPLETE_REPORT.html && cd $OUTPUT_PATH
    - for report in *.html; do
    -   cat $report >> ../1_COMPLETE_REPORT.html
    - done

  artifacts:
    when: always
    expose_as: "ShiftLeft security scan"
    paths:
      - "1_COMPLETE_REPORT.html"
      - "$OUTPUT_PATH"
      - output
      # Below path is a workaround to provide artifact exposition in MR if
      # default output value is used. https://r2devops.io/jobs/static_tests/sls_scan/#artifacts
      - "sls_scan_report/"
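Review bot: the `STOP_ON_VULN` block runs `cat output | grep ❌` as a standalone command and only afterwards inspects `$?`; if the job shell runs with `set -e` (common in CI runners), a clean scan with no ❌ line makes `grep` exit 1 and fails the job right there, before `if [ $? -eq 0 ]` is ever evaluated, which is the opposite of the intent. Put the grep in the condition so its status is consumed rather than trapped: `if grep -q ❌ output; then exit 1; fi`. The same shell-option dependence affects `scan ${SCAN_OPTIONS} -o "$OUTPUT_PATH" | tee output`: without `pipefail` the pipeline's status is `tee`'s, so scan's own non-zero build-break exit (the default failure the docs hunk describes) is masked, and with `pipefail` it is not; make this explicit with `set -o pipefail` or by capturing scan's status before the pipe. In `after_script`, `cat $report >> ../1_COMPLETE_REPORT.html` concatenates complete HTML documents, so the merged file contains several `<html>`/`<head>`/`<body>` blocks; and when no `*.html` report was produced the unexpanded glob makes `cat` fail, leaving the "complete" report empty (silently, since `after_script` failures do not fail the job). Quoting `cd "$OUTPUT_PATH"` and `cat "$report"` would also be consistent with the `mkdir "$OUTPUT_PATH"` above.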
+2 −0
* New logic for failing jobs
* HTML reports are merged into one file
 No newline at end of file
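Review bot: the two changelog entries do not say what the new failing logic is; naming the `STOP_ON_VULN` variable and the `1_COMPLETE_REPORT.html` artifact here would let users find the change from the changelog alone. The file also still lacks a trailing newline.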