-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgitlab-safescarf.yml
78 lines (73 loc) · 3.13 KB
/
gitlab-safescarf.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
variables:
SAFESCARF_ENGAGEMENT_PERIOD: 7
SAFESCARF_ENGAGEMENT_STATUS: "In Progress"
SAFESCARF_ENGAGEMENT_BUILD_SERVER: "null"
SAFESCARF_ENGAGEMENT_SOURCE_CODE_MANAGEMENT_SERVER: "null"
SAFESCARF_ENGAGEMENT_ORCHESTRATION_ENGINE: "null"
SAFESCARF_ENGAGEMENT_DEDUPLICATION_ON_ENGAGEMENT: 'false'
SAFESCARF_REIMPORT_DO_NOT_REACTIVATE: 'true'
SAFESCARF_ENGAGEMENT_THREAT_MODEL: 'true'
SAFESCARF_ENGAGEMENT_API_TEST: 'true'
SAFESCARF_ENGAGEMENT_PEN_TEST: 'true'
SAFESCARF_ENGAGEMENT_CHECK_LIST: 'true'
SAFESCARF_URL: $SAFESCARF_URL
SAFESCARF_SCAN_MINIMUM_SEVERITY: "Info"
SAFESCARF_SCAN_ACTIVE: 'true'
SAFESCARF_SCAN_VERIFIED: 'true'
SAFESCARF_SCAN_CLOSE_OLD_FINDINGS: 'true'
SAFESCARF_SCAN_ENVIRONMENT: "Default"
SAFESCARF_WORKFLOW: "feature" # feature, pipeline
MCICD_DOCKERHUB_MIRROR: "dockerhub.devops.telekom.de/"
SAFESCARF_API_IMAGE_NAME: "mtr.devops.telekom.de/secureops/safescarf-connector:1.4.0"
SAFESCARF_TESTING_MODE_ENABLE:
value: 'false'
description: 'Enable upload to SafeSCARF testing mode'
DELAY_IN_MINUTES:
value: '3'
description: 'How old should be scan upload to pass the test'
safescarf_verify_mandatory:
stage: .pre
image: ${MCICD_DOCKERHUB_MIRROR}alpine:3
script:
- if [ -z "$SAFESCARF_URL" ]; then echo "SAFESCARF_URL ist nicht gesetzt"; exit 1; fi
- if [ -z "$SAFESCARF_TOKEN" ]; then echo "SAFESCARF_TOKEN ist nicht gesetzt"; exit 1; fi
- if [ -z "$SAFESCARF_PRODUCT_ID" ]; then echo "SAFESCARF_PRODUCT_ID not set"; exit 1; fi
safescarf_create_engagement:
stage: .pre
image:
name: $SAFESCARF_API_IMAGE_NAME
entrypoint: [""]
needs: [ "safescarf_verify_mandatory" ]
variables:
GIT_STRATEGY: none
allow_failure: true
before_script:
- apk add coreutils
- TODAY=`date +%Y-%m-%d`
- ENDDAY=$(date -d "+${SAFESCARF_ENGAGEMENT_PERIOD} days" +%Y-%m-%d)
script:
- python /app/safescarf-connector.py --workflow ${SAFESCARF_WORKFLOW} --environment ${SAFESCARF_SCAN_ENVIRONMENT} create-engagement
artifacts:
reports:
dotenv: safescarf.env
safescarf_publish:
stage: .post
image:
name: $SAFESCARF_API_IMAGE_NAME
entrypoint: [""]
rules:
- when: never
before_script:
- apk add --no-cache coreutils
- TODAY=`date +%Y-%m-%d`
script:
- echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
- exit 1
# Template Job for publishing the SAST reports to safescarf
.safescarf_upload:
extends: safescarf_publish
allow_failure: true
script:
- ls -lah ${SAFESCARF_SCAN_FILE}
- python /app/safescarf-connector.py --workflow ${SAFESCARF_WORKFLOW} --environment "${SAFESCARF_SCAN_ENVIRONMENT}" --engagement-id ${SAFESCARF_ENGAGEMENT_ID} --product-id ${SAFESCARF_PRODUCT_ID} --scan-type "${SAFESCARF_SCAN_TYPE}" --name "${SAFESCARF_SCAN_TITLE}" --commit-hash "${CI_COMMIT_SHORT_SHA}" --build-id "${CI_PIPELINE_ID}" --do-not-reactivate "${SAFESCARF_REIMPORT_DO_NOT_REACTIVATE}" --tags "${SAFESCARF_TAGS}" upload "${SAFESCARF_SCAN_FILE}"
- python /app/safescarf-upload-testing.py ${SAFESCARF_TOKEN} ${SAFESCARF_ENGAGEMENT_ID} "${SAFESCARF_SCAN_TITLE}" ${DELAY_IN_MINUTES} ${SAFESCARF_URL}