From a3dc3ed3ae320247f6781bbb487b1fd326e3018a Mon Sep 17 00:00:00 2001 From: Fabien Catteau Date: Wed, 8 Apr 2020 10:54:17 +0200 Subject: [PATCH 1/5] Document custom analyzers in non-DinD setup In the Custom Analyzers documentation for Dependency Scanning and SAST, add a section about defining custom scanning job when the Docker-in-Docker orchestartor is disabled. See https://gitlab.com/gitlab-org/gitlab/-/issues/37278 --- .../dependency_scanning/analyzers.md | 29 +++++++++++++++++-- .../application_security/sast/analyzers.md | 28 ++++++++++++++++-- 2 files changed, 52 insertions(+), 5 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/analyzers.md b/doc/user/application_security/dependency_scanning/analyzers.md index 3b4b341739b583..67f3b35a2bce1f 100644 --- a/doc/user/application_security/dependency_scanning/analyzers.md +++ b/doc/user/application_security/dependency_scanning/analyzers.md @@ -83,7 +83,10 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). ## Custom analyzers -You can provide your own analyzers as a comma separated list of Docker images. +### Custom analyzers with Docker-in-Docker + +When Docker-in-Docker for Dependency Scanning is enabled, +you can provide your own analyzers as a comma-separated list of Docker images. Here's how to add `analyzers/nugget` and `analyzers/perl` to the default images. In `.gitlab-ci.yml` define: @@ -92,7 +95,7 @@ include: template: Dependency-Scanning.gitlab-ci.yml variables: - DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nugget,amy-docker-registry/nalyzers/perl" + DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nugget,amy-docker-registry/analyzers/perl" ``` The values must be the full path to the container registry images, 
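Review bot: The `+` line for `DS_ANALYZER_IMAGES` fixes `nalyzers` but leaves the stray leading `a` in `amy-docker-registry/analyzers/perl`; since the first image on the same line uses `my-docker-registry`, the second should read `my-docker-registry/analyzers/perl` too, otherwise readers copying the example get a registry that does not exist.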
@@ -103,6 +106,28 @@ This configuration doesn't benefit from the integrated detection step. Dependenc Scanning has to fetch and spawn each Docker image to establish whether the custom analyzer can scan the source code. +### Custom analyzers without Docker-in-Docker + +When Docker-in-Docker for Dependency Scanning is disabled, +you can provide your own analyzers by defining CI jobs in your CI configuration. +It is recommended to suffix your custom Dependency Scanning jobs with `-dependency_scanning`, for consistency. +Here's how to add a scanning job that is based on the Docker image `my-docker-registry/analyzers/nugget`, +and that generates a Dependency Scanning report `gl-dependency-scanning-report.json` when `/analyzer run` is executed. +In `.gitlab-ci.yml` define: + +```yaml +nugget-dependency_scanning: + image: + name: "my-docker-registry/analyzers/nugget" + script: + - /analyzer run + artifacts: + reports: + dependency_scanning: gl-dependency-scanning-report.json +``` + +The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab. + ## Analyzers data The following table lists the data available for each official analyzer. diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md index c27c61a52e2c62..f40b0c224fca8e 100644 --- a/doc/user/application_security/sast/analyzers.md +++ b/doc/user/application_security/sast/analyzers.md @@ -92,7 +92,10 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). ## Custom Analyzers -You can provide your own analyzers as a comma separated list of Docker images. +### Custom analyzers with Docker-in-Docker + +When Docker-in-Docker for SAST is enabled, +you can provide your own analyzers as a comma-separated list of Docker images. Here's how to add `analyzers/csharp` and `analyzers/perl` to the default images: In `.gitlab-ci.yml` define: 
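Review bot: The `nugget-dependency_scanning` example job pins neither a `stage` nor an image tag. Without `stage`, the reader cannot tell where the job runs relative to the template's own Dependency Scanning jobs, so it is worth stating explicitly; and `name: "my-docker-registry/analyzers/nugget"` with no tag means whatever is currently tagged as the default will be pulled on every pipeline, so a push to the registry silently changes the scanner that produces `gl-dependency-scanning-report.json`. Suggest showing a tagged image (e.g. `"my-docker-registry/analyzers/nugget:<tag>"`) and a one-line remark that the tag should be pinned.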
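Review bot: In the SAST `@@ -92` hunk, the new "Custom analyzers with Docker-in-Docker" subsection introduces the enabled/disabled distinction but does not link to where Docker-in-Docker for SAST is enabled or disabled; the existing anchor `index.md#disabling-docker-in-docker-for-sast` (referenced elsewhere in this file) would be the natural target for "When Docker-in-Docker for SAST is enabled".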
@@ -112,8 +115,27 @@ This configuration doesn't benefit from the integrated detection step. SAST has to fetch and spawn each Docker image to establish whether the custom analyzer can scan the source code. -CAUTION: **Caution:** -Custom analyzers are not spawned automatically when [Docker In Docker](index.md#disabling-docker-in-docker-for-sast) is disabled. +### Custom analyzers without Docker-in-Docker + +When Docker-in-Docker for SAST is disabled, +you can provide your own analyzers by defining CI jobs in your CI configuration. +It is recommended to suffix your custom SAST jobs with `-sast`, for consistency. +Here's how to add a scanning job that is based on the Docker image `my-docker-registry/analyzers/csharp`, +and that generates a SAST report `gl-sast-report.json` when `/analyzer run` is executed. +In `.gitlab-ci.yml` define: + +```yaml +csharp-sast: + image: + name: "my-docker-registry/analyzers/csharp" + script: + - /analyzer run + artifacts: + reports: + sast: gl-sast-report.json +``` + +The [Security Scanner Integration](../../../development/integrations/secure.md) documentation explains how to integrate custom security scanners into GitLab. ## Analyzers Data -- GitLab From 733827a74427a04200b48e821e7e39312a0cbe11 Mon Sep 17 00:00:00 2001 From: Fabien Catteau Date: Wed, 8 Apr 2020 20:25:49 +0200 Subject: [PATCH 2/5] Replace nugget w/ nuget Replace all occurrences of nugget with nuget. --- .../dependency_scanning/analyzers.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/analyzers.md b/doc/user/application_security/dependency_scanning/analyzers.md index 67f3b35a2bce1f..71311a86b7e4fd 100644 --- a/doc/user/application_security/dependency_scanning/analyzers.md +++ b/doc/user/application_security/dependency_scanning/analyzers.md 
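Review bot: Removing the `CAUTION:` block also removes the only link to `index.md#disabling-docker-in-docker-for-sast`, so the new "Custom analyzers without Docker-in-Docker" section tells readers what to do when DinD is disabled but no longer points to how that setting is controlled. Suggest carrying the link into the opening sentence, e.g. `When [Docker-in-Docker for SAST](index.md#disabling-docker-in-docker-for-sast) is disabled, ...`. The caution's substantive point (custom analyzers are not spawned automatically without DinD) is still worth one sentence here, since that is why the manual job definition is needed.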
@@ -87,7 +87,7 @@ That's needed when one totally relies on [custom analyzers](#custom-analyzers). When Docker-in-Docker for Dependency Scanning is enabled, you can provide your own analyzers as a comma-separated list of Docker images. -Here's how to add `analyzers/nugget` and `analyzers/perl` to the default images. +Here's how to add `analyzers/nuget` and `analyzers/perl` to the default images. In `.gitlab-ci.yml` define: ```yaml @@ -95,7 +95,7 @@ include: template: Dependency-Scanning.gitlab-ci.yml variables: - DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nugget,amy-docker-registry/analyzers/perl" + DS_ANALYZER_IMAGES: "my-docker-registry/analyzers/nuget,amy-docker-registry/analyzers/perl" ``` The values must be the full path to the container registry images, @@ -111,14 +111,14 @@ custom analyzer can scan the source code. When Docker-in-Docker for Dependency Scanning is disabled, you can provide your own analyzers by defining CI jobs in your CI configuration. It is recommended to suffix your custom Dependency Scanning jobs with `-dependency_scanning`, for consistency. -Here's how to add a scanning job that is based on the Docker image `my-docker-registry/analyzers/nugget`, +Here's how to add a scanning job that is based on the Docker image `my-docker-registry/analyzers/nuget`, and that generates a Dependency Scanning report `gl-dependency-scanning-report.json` when `/analyzer run` is executed. In `.gitlab-ci.yml` define: ```yaml -nugget-dependency_scanning: +nuget-dependency_scanning: image: - name: "my-docker-registry/analyzers/nugget" + name: "my-docker-registry/analyzers/nuget" script: - /analyzer run artifacts: -- GitLab From 365db12c0b61a020d0d1a67c964216fda7965fc8 Mon Sep 17 00:00:00 2001 
From: Nick Gaskill Date: Wed, 8 Apr 2020 19:52:06 +0000 Subject: [PATCH 3/5] Apply suggestion to doc/user/application_security/dependency_scanning/analyzers.md --- doc/user/application_security/dependency_scanning/analyzers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/application_security/dependency_scanning/analyzers.md b/doc/user/application_security/dependency_scanning/analyzers.md index 71311a86b7e4fd..5cc20a92e8be26 100644 --- a/doc/user/application_security/dependency_scanning/analyzers.md +++ b/doc/user/application_security/dependency_scanning/analyzers.md @@ -112,7 +112,7 @@ When Docker-in-Docker for Dependency Scanning is disabled, you can provide your own analyzers by defining CI jobs in your CI configuration. It is recommended to suffix your custom Dependency Scanning jobs with `-dependency_scanning`, for consistency. Here's how to add a scanning job that is based on the Docker image `my-docker-registry/analyzers/nuget`, -and that generates a Dependency Scanning report `gl-dependency-scanning-report.json` when `/analyzer run` is executed. +that generates a Dependency Scanning report `gl-dependency-scanning-report.json` when `/analyzer run` is executed. In `.gitlab-ci.yml` define: ```yaml -- GitLab From 19c0a9338e8b472f133a4eeba2bfed549e7a18da Mon Sep 17 00:00:00 2001 From: Fabien Catteau Date: Thu, 9 Apr 2020 06:04:44 +0000 Subject: [PATCH 4/5] Apply suggestion to doc/user/application_security/dependency_scanning/analyzers.md --- .../dependency_scanning/analyzers.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/user/application_security/dependency_scanning/analyzers.md b/doc/user/application_security/dependency_scanning/analyzers.md index 5cc20a92e8be26..26352f21cfb5b7 100644 --- a/doc/user/application_security/dependency_scanning/analyzers.md +++ b/doc/user/application_security/dependency_scanning/analyzers.md 
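Review bot: Dropping `and` in the `@@ -112` hunk leaves a sentence with two relative clauses joined only by a comma: "a scanning job that is based on the Docker image `...`, that generates a Dependency Scanning report". Either keep the conjunction ("that is based on the Docker image `...` and generates a Dependency Scanning report") or split the sentence; as written it reads like a restrictive clause stacked on another.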
@@ -108,12 +108,12 @@ custom analyzer can scan the source code. ### Custom analyzers without Docker-in-Docker -When Docker-in-Docker for Dependency Scanning is disabled, -you can provide your own analyzers by defining CI jobs in your CI configuration. -It is recommended to suffix your custom Dependency Scanning jobs with `-dependency_scanning`, for consistency. -Here's how to add a scanning job that is based on the Docker image `my-docker-registry/analyzers/nuget`, -that generates a Dependency Scanning report `gl-dependency-scanning-report.json` when `/analyzer run` is executed. -In `.gitlab-ci.yml` define: +When Docker-in-Docker for Dependency Scanning is disabled, you can provide your own analyzers by +defining CI jobs in your CI configuration. For consistency, you should suffix your custom Dependency +Scanning jobs with `-dependency_scanning`. Here's how to add a scanning job that's based on the +Docker image `my-docker-registry/analyzers/nuget` and generates a Dependency Scanning report +`gl-dependency-scanning-report.json` when `/analyzer run` is executed. Define the following in +`.gitlab-ci.yml`: ```yaml nuget-dependency_scanning: -- GitLab From 9ffc9939cec730007daa867c4f3b8e1db6ca7567 Mon Sep 17 00:00:00 2001 From: Fabien Catteau Date: Thu, 9 Apr 2020 12:31:01 +0000 Subject: [PATCH 5/5] Align Custom analyzers w/o DinD Align "Custom analyzers without Docker-in-Docker" section of SAST doc with the one of Dependency Scanning. --- doc/user/application_security/sast/analyzers.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/user/application_security/sast/analyzers.md b/doc/user/application_security/sast/analyzers.md index f40b0c224fca8e..3ce52a024bd6f3 100644 --- a/doc/user/application_security/sast/analyzers.md +++ b/doc/user/application_security/sast/analyzers.md 
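Review bot: The reflowed paragraph reads well, but this rewrite is applied only to `dependency_scanning/analyzers.md`; the parallel paragraph in `sast/analyzers.md` still has the "It is recommended to suffix ... for consistency." wording and the "and that generates" sentence, so the two sections now diverge in style. Suggest applying the same rewrite to the SAST file in this series so both "Custom analyzers without Docker-in-Docker" sections stay identical apart from the product name, job suffix and report filename.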
@@ -117,12 +117,12 @@ custom analyzer can scan the source code. ### Custom analyzers without Docker-in-Docker -When Docker-in-Docker for SAST is disabled, -you can provide your own analyzers by defining CI jobs in your CI configuration. -It is recommended to suffix your custom SAST jobs with `-sast`, for consistency. -Here's how to add a scanning job that is based on the Docker image `my-docker-registry/analyzers/csharp`, -and that generates a SAST report `gl-sast-report.json` when `/analyzer run` is executed. -In `.gitlab-ci.yml` define: +When Docker-in-Docker for SAST is disabled, you can provide your own analyzers by +defining CI jobs in your CI configuration. For consistency, you should suffix your custom +SAST jobs with `-sast`. Here's how to add a scanning job that's based on the +Docker image `my-docker-registry/analyzers/csharp` and generates a SAST report +`gl-sast-report.json` when `/analyzer run` is executed. Define the following in +`.gitlab-ci.yml`: ```yaml csharp-sast: -- GitLab