-
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
79 lines (75 loc) · 2.83 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
pages:
stage: deploy
script:
- mkdir .public
- cp -r * .public
- mv .public public
artifacts:
paths:
- public/
only:
- master
variables:
SECURE_ANALYZERS_PREFIX: registry.gitlab.com/security-products
SECRET_DETECTION_IMAGE_SUFFIX: ''
SECRETS_ANALYZER_VERSION: '3'
SECRET_DETECTION_EXCLUDED_PATHS: ''
.secret-analyzer:
stage: test
image: >-
$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION$SECRET_DETECTION_IMAGE_SUFFIX
services: []
allow_failure: false
variables:
GIT_DEPTH: '50'
artifacts:
reports:
secret_detection: gl-secret-detection-report.json
secret_detection:
extends: .secret-analyzer
rules:
- if: $SECRET_DETECTION_DISABLED
when: never
- if: $CI_MERGE_REQUEST_IID
- if: $CI_OPEN_MERGE_REQUESTS
when: never
- if: $CI_COMMIT_BRANCH
script:
- >-
if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags.
No code changes have occurred."; exit 0; fi
- >-
if [ "$SECRET_DETECTION_HISTORIC_SCAN" == "true" ]; then echo "Running
Secret Detection Historic Scan"; /analyzer run; exit; fi
- >-
if [ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]; then echo "Running
Secret Detection on default branch."; /analyzer run; exit; fi
- >
if [ "$CI_COMMIT_BEFORE_SHA" == "0000000000000000000000000000000000000000"
];
then
# first commit on a new branch
echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
git fetch --depth=2 origin $CI_COMMIT_REF_NAME
else
# determine commit range so that we can fetch the appropriate depth
# check the exit code to determine if we need to limit the commit_list.txt to CI_COMMIT_SHA.
if ! git log --pretty=format:"%H" ${CI_COMMIT_BEFORE_SHA}..${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt;
then
echo "unable to determine commit range, limiting to ${CI_COMMIT_SHA}"
echo ${CI_COMMIT_SHA} >${CI_COMMIT_SHA}_commit_list.txt
else
# append newline to to list since `git log` does not end with a
# newline, this is to keep the log messages consistent
echo >> ${CI_COMMIT_SHA}_commit_list.txt
fi
# we need to extend the git fetch depth to the number of commits + 1 for the following reasons:
# to include the parent commit of the base commit in this MR/Push event. This is needed because
# `git diff -p` needs something to compare changes in that commit against
git fetch --depth=$(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt) + 1)) origin $CI_COMMIT_REF_NAME
fi
echo "scanning $(($(wc -l <${CI_COMMIT_SHA}_commit_list.txt))) commits for
a push event"
export SECRET_DETECTION_COMMITS_FILE=${CI_COMMIT_SHA}_commit_list.txt
- /analyzer run
- rm "$CI_COMMIT_SHA"_commit_list.txt