Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist

b0514470 · Mayr, Hannes · 34c41e19 · b0514470
Commit b0514470 authored Sep 27, 2022 by Mayr, Hannes
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
-# This file is a template, and might need editing before it works on your project.
-# To contribute improvements to CI/CD templates, please follow the Development guide at:
-# https://docs.gitlab.com/ee/development/cicd/templates.html
-# This specific template is located at:
-# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Python.gitlab-ci.yml
-
-# Official language image. Look for the different tagged releases at:
-# https://hub.docker.com/r/library/python/tags/
+# You can override the included template(s) by including variable overrides
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
 image: python:latest
-
 stages:
 - linting
 - testing
 - docs
-
-# Change pip's cache directory to be inside the project directory since we can
-# only cache local items.
+- test
 variables:
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
-
-# Pip's cache doesn't store the python packages
-# https://pip.pypa.io/en/stable/reference/pip_install/#caching
-#
-# If you want to also cache the installed packages, you have to install
-# them in a virtualenv and cache it as well.
 cache:
  paths: 
-#    - .cache/pip  # 
-#    - venv/   #
-
-  
 before_script:
-  - python --version  # For debugging
-  - pip install -r requirements.txt  # install dependencies from file
-#  - pip install virtualenv
-#  - virtualenv venv
-#  - source venv/bin/activate
-
+- python --version
+- pip install -r requirements.txt
 PEP8:
  stage: linting
  script:
  - pip install flake8
-    - flake8 --count . # PEP8 linting
-
-
+  - flake8 --count .
 Pylint:
  stage: linting
-  # allow_failure: true
  script:
  - pip install pylint
-    - find . -type f -name '*.py' | xargs pylint -rn --rcfile='plotid/.pylintrc' # Find all python files and check the code with pylint.
-
+  - find . -type f -name '*.py' | xargs pylint -rn --rcfile='plotid/.pylintrc'
 test:
  stage: testing
  tags:
  - docker
  script:
-#     - python -m unittest discover -s ./tests/ -p "test*" # deprecated unittest command
  - python tests/runner_tests.py
-  coverage: '/TOTAL.*\s+(\d+\.\d+%)$/'
-#    - pip install tox flake8  # you can also use tox
-#    - tox -e py36,flake8
-
+  coverage: "/TOTAL.*\\s+(\\d+\\.\\d+%)$/"
 pages:
  stage: docs
  script:
-  - pip install -U sphinx sphinx-autoapi sphinx_rtd_theme myst-parser # sphinx_panels
+  - pip install -U sphinx sphinx-autoapi sphinx_rtd_theme myst-parser
  - cd docs
  - make html
  - mv build/html/ ../public
@@ -72,17 +46,11 @@ pages:
    paths:
    - public
  rules:
-   - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
+  - if: "$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH"
  - when: manual
-
-# Commenting out all other stages and jobs
-#run:
-#  script:
-#    - python setup.py bdist_wheel
-#    # an alternative approach is to install and run:
-#    - pip install dist/*
-#    # run the command here
-#  artifacts:
-#    paths:
-#      - dist/*.whl
-
+sast:
+  variables:
+    SAST_EXCLUDED_PATHS: spec, test, tmp
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml