Merge branch 'fix-security-scans' into 'master'

Fix SAST and Dependency Scanning See merge request gitlab-org/gitlab-shell!410

Merge branch 'fix-security-scans' into 'master'
98b173cd · Nick Thomas · 27c2ef12 · 5252ad54 · 98b173cd
Commit 98b173cd authored 4 years ago by Nick Thomas
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 include:
  - template: Code-Quality.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Dependency-Scanning.gitlab-ci.yml

 variables:
  DOCKER_VERSION: "19.03.0"
@@ -67,32 +69,6 @@ code_quality:
  extends: .use-docker-in-docker
  rules: *workflow_rules

-sast:
-  extends: .use-docker-in-docker
-  allow_failure: true
-  script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
-        --volume "$PWD:/code"
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
-  artifacts:
-    paths: [gl-sast-report.json]
-
-dependency_scanning:
-  extends: .use-docker-in-docker
-  allow_failure: true
-  script:
-    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-    - docker run
-        --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
-        --volume "$PWD:/code"
-        --volume /var/run/docker.sock:/var/run/docker.sock
-        "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
-  artifacts:
-    paths: [gl-dependency-scanning-report.json]
-
 code_navigation:
  image: sourcegraph/lsif-go:v1
  allow_failure: true
@@ -101,3 +77,14 @@ code_navigation:
  artifacts:
    reports:
      lsif: dump.lsif
+
+# SAST
+gosec-sast:
+  rules: *workflow_rules
+
+# Dependency Scanning
+gemnasium-dependency_scanning:
+  rules: *workflow_rules
+
+bundler-audit-dependency_scanning:
+  rules: *workflow_rules
\ No newline at end of file