From a387f5b1d378d64a89455646199ae9aa65b534a9 Mon Sep 17 00:00:00 2001
From: Dominic Couture
Date: Tue, 20 Aug 2024 13:34:37 +0000
Subject: [PATCH 01/11] Add GitLab Advanced SAST to CI/CD config

---
 .gitlab/ci/reports.gitlab-ci.yml | 3 +++
 .gitlab/ci/rules.gitlab-ci.yml | 22 +++++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 9f371e0089292e..7421459eb47724 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -23,6 +23,9 @@ include:
 semgrep-sast:
 rules: !reference [".reports:rules:semgrep-sast", rules]
 
+gitlab-advanced-sast:
+ rules: !reference [".reports:rules:gitlab-advanced-sast", rules]
+
 .secret-analyzer:
 extends: .default-retry
 stage: lint
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 313390712e3f40..619a72abaffa4f 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -2822,16 +2822,32 @@
 when: never
 - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
 when: never
+ - <<: *if-default-refs
+ changes:
+ - '**/*.c'
+ - '**/*.rb'
+
+.reports:rules:gitlab-advanced-sast:
+ rules:
+ - <<: *if-merge-request-labels-pipeline-expedite
+ when: never
+ - if: $SAST_DISABLED
+ when: never
+ - if: $SAST_EXCLUDED_ANALYZERS =~ /gitlab-advanced-sast/
+ when: never
 - <<: *if-default-refs
 changes:
 - '**/*.py'
+ - '**/*.go'
+ - '**/*.java'
+ - '**/*.jsp'
 - '**/*.js'
 - '**/*.jsx'
 - '**/*.ts'
 - '**/*.tsx'
- - '**/*.c'
- - '**/*.go'
- - '**/*.rb'
+ - '**/*.cjs'
+ - '**/*.mjs'
+ - '**/*.cs'
 
 .reports:rules:secret_detection:
 rules:
--
GitLab

From 1eaeb39318d8dfccfebc5fcb3a3d2764aafb1d20 Mon Sep 17 00:00:00 2001
From: Dominic Couture
Date: Tue, 20 Aug 2024 15:43:54 +0000
Subject: [PATCH 02/11] Apply 1 suggestion(s) to 1 file(s)

---
 .gitlab/ci/rules.gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
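Review bot: The new `gitlab-advanced-sast:` job overrides `rules:` with `!reference [".reports:rules:gitlab-advanced-sast", rules]`, and nothing in the file records that this intentionally replaces whatever rules the included template ships for the job, including any enable-flag gate the template may carry; a later edit could re-add such a gate on top without noticing. A one-line comment above the job, `# rules: replaces the template's rules entirely; the job is gated only by .reports:rules:gitlab-advanced-sast`, would carry that intent. The `include:` block that pulls in the template starts before this hunk.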
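Review bot: Both `- <<: *if-default-refs` rules gate the analyzers purely on source-file extensions, so a change to the scanner configuration itself — this rules file, `.gitlab/ci/reports.gitlab-ci.yml`, or the variables these rules read — never runs either analyzer in the pipeline that introduces it; patch 03 in this series ("Test commit to be removed") works around exactly that by touching a `.rb` and a `.go` file. Adding the two CI files to each `changes:` list, e.g. `- '.gitlab/ci/reports.gitlab-ci.yml'` and `- '.gitlab/ci/rules.gitlab-ci.yml'`, would let a configuration change validate itself in its own MR. Note also that after this split `'**/*.py'` is no longer in the semgrep list, so Python coverage now depends entirely on the new job actually running. The `if-default-refs` anchor and the head of `.reports:rules:semgrep-sast` are outside the hunk.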
diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 619a72abaffa4f..1b61707b291f28 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -2833,7 +2833,7 @@
 when: never
 - if: $SAST_DISABLED
 when: never
- - if: $SAST_EXCLUDED_ANALYZERS =~ /gitlab-advanced-sast/
+ - if: $SAST_EXCLUDED_ANALYZERS =~ /gitlab-advanced-sast/
 when: never
 - <<: *if-default-refs
 changes:
--
GitLab

From 43e00c98490a549e59582ec5c9edfd9eba643108 Mon Sep 17 00:00:00 2001
From: Dominic Couture
Date: Fri, 6 Sep 2024 11:45:52 +0000
Subject: [PATCH 03/11] Test commit to be removed

---
 app/controllers/application_controller.rb | 1 +
 workhorse/cmd/gitlab-workhorse/backend_test.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a209aed131b678..76d73f3aff30d8 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,6 +2,7 @@
 
 require 'gon'
 
+# Changing a *.rb file to trigger a scan
 class ApplicationController < BaseActionController
 use Gitlab::Middleware::ActionControllerStaticContext
 
diff --git a/workhorse/cmd/gitlab-workhorse/backend_test.go b/workhorse/cmd/gitlab-workhorse/backend_test.go
index 8b62287fee4e68..c06324a2f67d83 100644
--- a/workhorse/cmd/gitlab-workhorse/backend_test.go
+++ b/workhorse/cmd/gitlab-workhorse/backend_test.go
@@ -21,6 +21,7 @@ func TestParseAuthBackendFailure(t *testing.T) {
 }
 }
 
+// Changing a *.go file just to trigger a change
 func TestParseAuthBackend(t *testing.T) {
 successes := []struct{ input, host, scheme string }{
 {"http://localhost:8080", "localhost:8080", "http"},
--
GitLab

From 584b80c3728f946a7015a87dce102966a893d319 Mon Sep 17 00:00:00 2001
From: Dominic Couture
Date: Thu, 3 Oct 2024 13:33:05 +0000
Subject: [PATCH 04/11] Apply 1 suggestion(s) to 1 file(s)

---
 workhorse/cmd/gitlab-workhorse/backend_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
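Review bot: The added `// Changing a *.go file just to trigger a change` above `TestParseAuthBackend` (and the matching `# Changing a *.rb file to trigger a scan` in application_controller.rb) is scan-trigger scaffolding rather than documentation of the test, and the commit subject itself says the commit is to be removed; it should be dropped from the series before merge instead of being carried, as patches 04 and 05 do by only re-editing the same comment. If the goal is to confirm that the new `changes:` rules fire, that is better recorded as a comment on the CI rule than as a stray comment in a test file. `TestParseAuthBackend` continues past the end of the hunk.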
diff --git a/workhorse/cmd/gitlab-workhorse/backend_test.go b/workhorse/cmd/gitlab-workhorse/backend_test.go
index c06324a2f67d83..07df11e05f3a20 100644
--- a/workhorse/cmd/gitlab-workhorse/backend_test.go
+++ b/workhorse/cmd/gitlab-workhorse/backend_test.go
@@ -21,7 +21,7 @@ func TestParseAuthBackendFailure(t *testing.T) {
 }
 }
 
-// Changing a *.go file just to trigger a change
+// Changing a *.go file just to trigger a change!
 func TestParseAuthBackend(t *testing.T) {
 successes := []struct{ input, host, scheme string }{
 {"http://localhost:8080", "localhost:8080", "http"},
--
GitLab

From 7b3c7fd615fb7283a3d135f956132ace87c1d52e Mon Sep 17 00:00:00 2001
From: Dominic Couture
Date: Wed, 9 Oct 2024 14:02:00 +0000
Subject: [PATCH 05/11] Apply 1 suggestion(s) to 1 file(s)

---
 workhorse/cmd/gitlab-workhorse/backend_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/workhorse/cmd/gitlab-workhorse/backend_test.go b/workhorse/cmd/gitlab-workhorse/backend_test.go
index 07df11e05f3a20..cfd8f3ebc4e0af 100644
--- a/workhorse/cmd/gitlab-workhorse/backend_test.go
+++ b/workhorse/cmd/gitlab-workhorse/backend_test.go
@@ -22,6 +22,7 @@ func TestParseAuthBackendFailure(t *testing.T) {
 }
 
 // Changing a *.go file just to trigger a change!
+// New line of code to trigger scan
 func TestParseAuthBackend(t *testing.T) {
 successes := []struct{ input, host, scheme string }{
 {"http://localhost:8080", "localhost:8080", "http"},
--
GitLab

From 4db220311df047d0e8c42c96b7c523b2c3f3de1d Mon Sep 17 00:00:00 2001
From: Dominic Couture
Date: Mon, 14 Oct 2024 13:01:07 +0000
Subject: [PATCH 06/11] Leave JS to semgrep for now

---
 .gitlab/ci/rules.gitlab-ci.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 1b61707b291f28..501672dc156249 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -2826,6 +2826,12 @@
 changes:
 - '**/*.c'
 - '**/*.rb'
+ - '**/*.js'
+ - '**/*.jsx'
+ - '**/*.ts'
+ - '**/*.tsx'
+ - '**/*.cjs'
+ - '**/*.mjs'
 
 .reports:rules:gitlab-advanced-sast:
 rules:
@@ -2841,12 +2847,6 @@
 - '**/*.go'
 - '**/*.java'
 - '**/*.jsp'
- - '**/*.js'
- - '**/*.jsx'
- - '**/*.ts'
- - '**/*.tsx'
- - '**/*.cjs'
- - '**/*.mjs'
 - '**/*.cs'
 
 .reports:rules:secret_detection:
--
GitLab

From e5d7eb593b832d22c6f60324de76273e06bf1ba0 Mon Sep 17 00:00:00 2001
From: Mher Tolpin
Date: Sun, 30 Mar 2025 18:32:42 +0300
Subject: [PATCH 07/11] Edit the template to execute GLAS on the biggest runner available

---
 .gitlab/ci/reports.gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 7421459eb47724..b5903e26c4afe0 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -24,6 +24,8 @@ semgrep-sast:
 rules: !reference [".reports:rules:semgrep-sast", rules]
 
 gitlab-advanced-sast:
+ tags:
+ - saas-linux-2xlarge-amd64
 rules: !reference [".reports:rules:gitlab-advanced-sast", rules]
 
 .secret-analyzer:
--
GitLab

From 7c2f482224bb5fd23b880a9d463eff511aefb17d Mon Sep 17 00:00:00 2001
From: Mher Tolpin
Date: Sun, 30 Mar 2025 22:02:56 +0300
Subject: [PATCH 08/11] Increase the GLAS timeout to 3 hours

---
 .gitlab/ci/reports.gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index b5903e26c4afe0..63baa61cc954e4 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -24,6 +24,7 @@ semgrep-sast:
 rules: !reference [".reports:rules:semgrep-sast", rules]
 
 gitlab-advanced-sast:
+ timeout: 3h
 tags:
 - saas-linux-2xlarge-amd64
 rules: !reference [".reports:rules:gitlab-advanced-sast", rules]
--
GitLab

From 8c9aa061c30ca77fbea120397229fe2f1e14629c Mon Sep 17 00:00:00 2001
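Review bot: Moving the six JS/TS extensions back under `.reports:rules:semgrep-sast` leaves no trace in the file of why they are kept away from `gitlab-advanced-sast`; the subject says only "for now", so the next person tidying the two lists has no way to tell the exclusion is deliberate. A comment on the semgrep entries, `# JS/TS stay on semgrep-sast for now; revisit before moving them to gitlab-advanced-sast`, would carry the intent, and the matching removals in the second hunk (`@@ -2841,12 +2847,6 @@`) need nothing further once it is there. Both rule blocks begin before the first hunk.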
From: Dominic Couture
Date: Mon, 31 Mar 2025 12:19:53 +0100
Subject: [PATCH 09/11] Apply 1 suggestion(s) to 1 file(s)

---
 .gitlab/ci/rules.gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitlab/ci/rules.gitlab-ci.yml b/.gitlab/ci/rules.gitlab-ci.yml
index 501672dc156249..4eabfe34036f8b 100644
--- a/.gitlab/ci/rules.gitlab-ci.yml
+++ b/.gitlab/ci/rules.gitlab-ci.yml
@@ -2845,6 +2845,7 @@
 changes:
 - '**/*.py'
 - '**/*.go'
+ - '**/*.rb'
 - '**/*.java'
 - '**/*.jsp'
 - '**/*.cs'
--
GitLab

From 9d819c16844d615c624cef2fc01f9a769040cb7f Mon Sep 17 00:00:00 2001
From: Mher Tolpin
Date: Tue, 2 Sep 2025 13:32:37 +0300
Subject: [PATCH 10/11] Edit reports.gitlab-ci.yml

---
 .gitlab/ci/reports.gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 63baa61cc954e4..6d5bacde0f40b2 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -26,7 +26,7 @@ semgrep-sast:
 gitlab-advanced-sast:
 timeout: 3h
 tags:
- - saas-linux-2xlarge-amd64
+ - saas-linux-large-amd64
 rules: !reference [".reports:rules:gitlab-advanced-sast", rules]
 
 .secret-analyzer:
--
GitLab

From a1380d37e366d05fa2c4cf1c978b94780413b71b Mon Sep 17 00:00:00 2001
From: Mher Tolpin
Date: Tue, 2 Sep 2025 16:26:59 +0300
Subject: [PATCH 11/11] Edit reports.gitlab-ci.yml

---
 .gitlab/ci/reports.gitlab-ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml
index 6d5bacde0f40b2..f75aa44dd9404e 100644
--- a/.gitlab/ci/reports.gitlab-ci.yml
+++ b/.gitlab/ci/reports.gitlab-ci.yml
@@ -26,8 +26,10 @@ semgrep-sast:
 gitlab-advanced-sast:
 timeout: 3h
 tags:
- - saas-linux-large-amd64
+ - saas-linux-2xlarge-amd64
 rules: !reference [".reports:rules:gitlab-advanced-sast", rules]
+ variables:
+ SAST_SCANNER_ALLOWED_CLI_OPTS: --multi-core 8
 
 .secret-analyzer:
 extends: .default-retry
--
GitLab
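Review bot: Adding `'**/*.rb'` to the `gitlab-advanced-sast` changes list while `.reports:rules:semgrep-sast` still lists `'**/*.rb'` (added in patch 01 and not removed by any later patch) means every Ruby change now runs both analyzers, which doubles scan cost for that language and may surface the same finding from two sources in the MR security report. If scanning Ruby with both during the rollout is intended, record it on the entry, e.g. `- '**/*.rb'  # also scanned by semgrep-sast during the rollout`; otherwise the extension should be dropped from one of the two lists. The rest of the rule block lies outside the hunk.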
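Review bot: `SAST_SCANNER_ALLOWED_CLI_OPTS: --multi-core 8` hard-codes a worker count that only makes sense together with the `saas-linux-2xlarge-amd64` tag two lines above, and patch 10 already shows the tag being changed on its own; a future downsizing of the runner would likely leave the scanner asking for more parallelism than the machine provides. A comment tying the two together, `# --multi-core must match the runner size selected in tags`, keeps them in step, and `variables:` would conventionally sit with the other job keys above `rules:` rather than after it. The job also still carries the 3h `timeout:` from patch 08, which is worth re-checking once the larger runner settles the actual scan time.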