# -*- coding: utf-8 -*-
image: alpine:latest
variables:
DOCKER_DRIVER: overlay2
#Dependency Scan remote is ULTIMATE GOLD only Gemnasiumでのライブラリ脆弱性
DEP_SCAN_DISABLE_REMOTE_CHECKS: local
#SAST_CONFIDENCE_LEVEL: 1 #低リスクも挙がる
GITLAB_FEATURES: "$GITLAB_FEATURES container_scanning dependency_scanning license_scanning sast "
SAST_BANDIT_EXCLUDED_PATHS: "node_modules/*, src/lib/*"
#SECRET_DETECTION_HISTORIC_SCAN: "true" # 時間を掛けて履歴もチェック
stages:
- build
- test
- deploy # for Pages # dummy stage to follow the template guidelines
# - review
- dast
# - staging
# - canary
# - production
# - incremental rollout 10%
# - incremental rollout 25%
# - incremental rollout 50%
# - incremental rollout 100%
# - performance
# - cleanup
include:
- template: Jobs/Build.gitlab-ci.yml
# - template: Jobs/Test.gitlab-ci.yml
- template: Jobs/Code-Quality.gitlab-ci.yml
- template: Jobs/Code-Intelligence.gitlab-ci.yml
# - template: Jobs/Deploy.gitlab-ci.yml
# - template: Jobs/Browser-Performance-Testing.gitlab-ci.yml
# - template: Security/DAST.gitlab-ci.yml
#コンテナではない - template: Security/Container-Scanning.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
- template: Jobs/License-Scanning.gitlab-ci.yml
- template: Jobs/SAST.gitlab-ci.yml
# - template: Jobs/Code-Intelligence.gitlab-ci.yml #for go
- template: Jobs/Secret-Detection.gitlab-ci.yml
# - template: Security/Secure-Binaries.gitlab-ci.yml # GitLabのScecureプロダクトのDockerイメージをローカルに持ってくる
# https://docs.gitlab.com/ee/ci/caching/#inherit-global-configuration-but-override-specific-settings-per-job
.cache: &default_cache
key:
files:
- package-lock.json
#npm-$CI_COMMIT_REF_SLUG
paths:
- .npm/
- node_modules/
policy: pull #pull-push
.owasp_cache: &owasp_cache
key: OWASP
paths:
- data/
policy: pull-push
when: 'always' #OWASPが自動更新するので (default)on_success
build: #上書きと追加項目
image: "node:alpine" #11.10.1-alpine <- alpine:2.9
tags:
- Docker
needs: []
cache:
<<: *default_cache
policy: pull-push #Use npm cache & create node_modules
script:
- |
function install_crxmake() {
apk add --no-cache ruby zip #ruby-dev openssl-dev gcc musl-dev make
export PATH=`gem environment gempath|sed 's/:.*$//'`/bin:$PATH
gem install --user-install --no-document crxmake #ruby-rdocパッケージいれず-no-..
#gem install --user-install --no-document openssl_pkcs8 #Chrome WebStore need PKCS8
}
function build() {
install_crxmake
if [ -n "$PRIVATE_KEY" -a ! -f src.pem ];then
# 正式版の鍵があれば使う 上書きしない
cp "$PRIVATE_KEY" src.pem
fi
./build.sh
}
build
artifacts:
paths:
- ${CI_PROJECT_NAME}.zip
#コードインテリジェンス https://docs.gitlab.com/ee/user/project/code_intelligence.html
code_intelligence_ts:
stage: deploy
needs: [ build ]
allow_failure: true # recommended
image: "node:alpine" #11.10.1-alpine <- alpine:2.9
cache:
<<: *default_cache
rules:
- if: $CODE_INTELLIGENCE_DISABLED
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.ts'
script:
- npx lsif-tsc --project ./tsconfig.json --out dump.lsif
artifacts:
reports:
lsif: dump.lsif
code_quality: #STARTER BRONZE->CORE FREE
services: # Shut off Docker-in-Docker
tags:
- cq-sans-dind
code_quality_html:
extends: code_quality
services: # Shut off Docker-in-Docker
tags:
- cq-sans-dind
variables:
REPORT_FORMAT: html
artifacts:
paths: [gl-code-quality-report.html]
code_quality_eslint:
image: node:alpine
needs: [ build ]
cache:
<<: *default_cache
policy: pull #Not update
script:
- npx eslint src --ext ts --format gitlab
artifacts:
reports:
codequality: gl-code-quality.json
# コンテナではない
# container_scanning: #Docker image形式を検査する
# tags: #追加項目
# - DinD
# needs: []
# artifacts:
# expose_as: 'Container Scanning Report JSON'
# paths:
# - gl-container-scanning-report.json
dependency_scanning: #ULTIMATE GOLD
tags: #追加項目
- DinD
needs: []
artifacts:
# *ファイル名には使えない expose_as: "Dependency JSON"
paths:
- "**/cyclonedx-*.json"
- "gl-dependency-scanning-report.json"
license_scanning: #ULTIMATE GOLD
tags: #追加項目
- DinD
needs: []
artifacts:
expose_as: "License Scanning Report json"
paths: [ "gl-license-scanning-report.json", "gl-license-scanning-report.html", $LM_REPORT_FILE ]
secret_detection:
tags: #追加項目
- DinD
variables:
SECRET_DETECTION_EXCLUDED_PATHS: "src/lib/ipag00303/ipag-ttf.js" # カンマ区切りでglab
artifacts:
expose_as: "Secret detection JSON"
paths:
- "gl-secret-detection-report.json"
sast: #ULTIMATE GOLD->CORE FREE(ESLint)
#SAST_CONFIDENCE_LEVEL=1で低リスクも挙がる
tags: #追加項目
- DinD
#のこりのテストはreviewが必要
# dast:
# performance:
cov-test:
image: "node:alpine" #15.5.0-alpine3.11
stage: test
needs: [ build ]
cache:
<<: *default_cache
policy: pull #Not update
script:
- npx nyc --reporter cobertura mocha # npm run coverage
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: coverage/cobertura-coverage.xml
rules:
- if: '$TEST_DISABLED'
when: never
- if: '$CI_COMMIT_BRANCH'
exists:
- .nycrc
pages:
stage: deploy
needs:
- code_quality
- code_quality_html
# - cov-test # This depend on .nycrc
# - container_scanning # $CONTAINER_SCANNING_DISABLED
# - dependency_scanning
- gemnasium-dependency_scanning
# - retire-js-dependency_scanning 15.0で無くなった
- license_scanning
- owasp-dependency-check
# - sast テンプレート Artifactsはすべて gl-sast-report.json
# - brakeman-sast # for Ruby
# - eslint-sast Removed 15.4
# - flawfiinder-sast # for C, C++
# - kubesec-sast
# - mobsf-android-sast
# - mobst-ios-sast
- nodejs-scan-sast
# - phpcs-security-audit-sast
# - pmd-apex-sast # *.cls
# - security-code-scan-sast # *.csproj *.vbproj
- semgrep-sast # python, JavaScript, TypeScript Go Java C# HTML
# - sobelow-sast # mix.exs
# - spotbugs-sast # groovy scala kt
script:
- |
mkdir .public
cp -r -p \
gl-code-quality-report.json \
gl-code-quality-report.html \
coverage/cobertura-coverage.xml \
gl-container-scanning-report.json \
gl-dependency-scanning-report.json \
gl-license-scanning-report.html \
gl-sast-report.json \
report \
.public/ || true
echo "