From 9b8ea940473e11a34dd02fbbc73f130e721c3849 Mon Sep 17 00:00:00 2001
From: Fabien Catteau
Date: Mon, 11 May 2020 09:55:36 +0000
Subject: [PATCH 1/4] Make SAST_DISABLE_DIND true

Change the default value of SAST_DISABLE_DIND to true, to disable the Docker-in-Docker orchestrator.
---
 lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
index a5830700d122a8..47f68118ee0490 100644
--- a/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
@@ -14,7 +14,7 @@ variables:
 SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
 SAST_ANALYZER_IMAGE_TAG: 2
- SAST_DISABLE_DIND: "false"
+ SAST_DISABLE_DIND: "true"
 SCAN_KUBERNETES_MANIFESTS: "false"
 sast:
--
GitLab

From b0d268fdc5c1cd9fce5479215305cf8d475d9254 Mon Sep 17 00:00:00 2001
From: Fabien Catteau
Date: Tue, 12 May 2020 12:52:29 +0000
Subject: [PATCH 2/4] Add changelog entry

Add unreleased changelog entry for MR.
---
 changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml

diff --git a/changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml b/changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml
new file mode 100644
index 00000000000000..b227314be85900
--- /dev/null
+++ b/changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml
@@ -0,0 +1,5 @@
+---
+title: 'Disable Docker-in-Docker for SAST by default'
+merge_request: 31589
+author:
+type: changed
\ No newline at end of file
--
GitLab

From 2717ee7b1576929b9e0b1b4bc74918280c850da3 Mon Sep 17 00:00:00 2001
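Review bot: In lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml the new default `SAST_DISABLE_DIND: "true"` changes behaviour for every project that includes this template without setting the variable, and nothing at the changed line says so. Judging from the spec updated in patch 4, the path without the orchestrator appears to select analyzer jobs through language detection, so a repository whose languages are not matched would presumably get no SAST job while its pipeline still passes; that is worth confirming and stating where the default is set. I would add a comment directly above the variable, for example `# Docker-in-Docker orchestrator is disabled by default; set to "false" to restore the single orchestrator job.` The `variables:` block starts outside the hunk, so any existing comment there is not visible from here.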
From: Fabien Catteau
Date: Tue, 12 May 2020 14:57:06 +0000
Subject: [PATCH 3/4] Add new line

Add new line character at the end of file
---
 changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml b/changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml
index b227314be85900..973648e516702d 100644
--- a/changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml
+++ b/changelogs/unreleased/37278-SAST_DISABLE_DIND-true.yml
@@ -2,4 +2,4 @@
 title: 'Disable Docker-in-Docker for SAST by default'
 merge_request: 31589
 author:
-type: changed
\ No newline at end of file
+type: changed
--
GitLab

From ee55c392fea76732afecfb025157bb69a49bb296 Mon Sep 17 00:00:00 2001
From: Fabien Catteau
Date: Wed, 13 May 2020 12:04:39 +0200
Subject: [PATCH 4/4] Update SAST template spec

Update spec for SAST CI config template.
---
 .../gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
index b51f72d9c389ff..d1ebc0e57822a9 100644
--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -33,7 +33,11 @@
 allow(License).to receive(:current).and_return(license)
 end
- context 'by default' do
+ context 'when SAST_DISABLE_DIND=false' do
+ before do
+ create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'false')
+ end
+
 it 'includes orchestrator job' do
 expect(build_names).to match_array(%w[sast])
 end
@@ -49,11 +53,7 @@
 end
 end
- context 'when SAST_DISABLE_DIND=true' do
- before do
- create(:ci_variable, project: project, key: 'SAST_DISABLE_DIND', value: 'true')
- end
-
+ context 'by default' do
 describe 'language detection' do
 using RSpec::Parameterized::TableSyntax
--
GitLab
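Review bot: In ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb, the renamed `context 'by default'` in the second hunk opens directly with the language-detection table, and nothing visible asserts that the orchestrator job is gone when the variable is unset. Because the flipped default is the behaviour this series introduces, I would pin it with an explicit example such as `it 'does not include orchestrator job' do` / `expect(build_names).not_to include('sast')` / `end`. The body of that context continues outside the hunk, so such an assertion may already exist further down; if it does, this can be ignored.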