|
1 |
| -## Integration with Gitlab CI |
| 1 | +# Integration with GitLab CI |
2 | 2 |
|
3 |
| -ShiftLeft Scan scanning is available for all GitLab CI users including the free users. Simply add the below section to your `.gitlab-ci.yml` file |
| 3 | +ShiftLeft Scan is available for all GitLab CI users including the free users. In addition, it is possible to configure scan to add notes/comments to merge requests. |
| 4 | + |
| 5 | +Simply add the below section to your `.gitlab-ci.yml` file |
4 | 6 |
|
5 | 7 | ```yaml
|
6 | 8 | job:
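Review bot: the new intro sentence on line 3 of the new file mixes "ShiftLeft Scan" and "configure scan" for the same product; capitalise "Scan" (or say "the scan job") so the sentence does not read as two different things, and line 5 ("Simply add the below section to your `.gitlab-ci.yml` file") still lacks a terminal period. "including the free users" would read more naturally as "including free-tier users".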
|
|
22 | 24 | name: shiftleft/sast-scan
|
23 | 25 | script:
|
24 | 26 | - scan --src ${CI_PROJECT_DIR} --type credscan,python,depscan --out_dir ${CI_PROJECT_DIR}/reports
|
| 27 | + rules: |
| 28 | + - when: always |
25 | 29 | artifacts:
|
26 | 30 | name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
|
27 | 31 | paths:
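Review bot: the added `rules:` / `- when: always` lines (new lines 27-28) come with no explanation of what they are for, which matters because the job already carries `artifacts: when: always` and readers will not know whether the rule is meant to keep the scan job in every pipeline type (including merge request pipelines, which the comment feature described later depends on) or to make it run even when an earlier stage failed. Suggest one sentence in the surrounding text stating the intent, plus a note that `rules` cannot be combined with `only`/`except` on the same job, so users who already restrict their scan job with those keywords must convert them or the pipeline config becomes invalid.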
|
|
42 | 46 | name: shiftleft/sast-scan
|
43 | 47 | script:
|
44 | 48 | - scan --build --src ${CI_PROJECT_DIR} --type credscan,java,depscan --out_dir ${CI_PROJECT_DIR}/reports
|
| 49 | + rules: |
| 50 | + - when: always |
| 51 | + artifacts: |
| 52 | + name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME" |
| 53 | + paths: |
| 54 | + - $CI_PROJECT_DIR/reports/ |
| 55 | + when: always |
| 56 | +``` |
| 57 | + |
| 58 | +## Merge Request comment feature |
| 59 | + |
| 60 | + |
| 61 | +Set the following Repository variables to enable merge request notes/comment feature. |
| 62 | + |
| 63 | +- `SCAN_ANNOTATE_PR` to `true` |
| 64 | +- GITLAB_TOKEN - Personal access token belonging to a user with `api` scope. Best is to create a separate build user and a token |
| 65 | +- GITHUB_TOKEN - To enable dependency and licence scanning |
| 66 | + |
| 67 | +Below are the full configuration and example screenshots: |
| 68 | + |
| 69 | +```yaml |
| 70 | +variables: |
| 71 | + GITHUB_TOKEN: $GITHUB_TOKEN |
| 72 | + GITLAB_TOKEN: $GITLAB_TOKEN |
| 73 | + SCAN_ANNOTATE_PR: "true" |
| 74 | +
|
| 75 | +scan: |
| 76 | + stage: test |
| 77 | + image: |
| 78 | + name: shiftleft/sast-scan:gl-insights |
| 79 | + script: |
| 80 | + - scan --src ${CI_PROJECT_DIR} --type python,depscan --out_dir ${CI_PROJECT_DIR}/reports |
| 81 | + rules: |
| 82 | + - when: always |
45 | 83 | artifacts:
|
46 | 84 | name: "$CI_JOB_NAME-$CI_COMMIT_REF_NAME"
|
47 | 85 | paths:
|
48 | 86 | - $CI_PROJECT_DIR/reports/
|
49 | 87 | when: always
|
50 | 88 | ```
|
| 89 | + |
| 90 | + |
| 91 | + |
| 92 | +To customize the message used for the comment, create a .sastscanrc file in the repo as suggested [here](tips.md) with the below config. |
| 93 | + |
| 94 | +```json |
| 95 | +{ |
| 96 | + "PR_COMMENT_TEMPLATE": "## ShiftLeft Scan Summary\n%(summary)s\n## Recommendation\n%(recommendation)s\n" |
| 97 | +} |
| 98 | +``` |
| 99 | + |
| 100 | +- summary - Summary Table |
| 101 | +- recommendation - One liner recommendation string (Hardcoded for now) |
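Review bot: line 64 asks for a `GITLAB_TOKEN` personal access token with `api` scope, which grants full API read/write as that user, but only recommends a separate build user; the text should also tell users to store both tokens as masked CI/CD variables (and protected ones where the scan job only runs on protected branches), since the job uploads the whole `reports/` directory as an artifact and anything printed in the job log is retained. Two smaller points in the same hunk: the `variables:` block on lines 70-73 re-declares `GITHUB_TOKEN: $GITHUB_TOKEN` and `GITLAB_TOKEN: $GITLAB_TOKEN`, which is redundant when the variables are already set at project level (only `SCAN_ANNOTATE_PR: "true"` is doing work there), and the image switches to `shiftleft/sast-scan:gl-insights` on line 78 while the earlier examples use the untagged `shiftleft/sast-scan`, so say which tag is required for the merge request feature. Formatting: `GITLAB_TOKEN` and `GITHUB_TOKEN` on lines 64-65 should be in backticks like `SCAN_ANNOTATE_PR`, `.sastscanrc` on line 92 likewise, and line 67 promises "example screenshots" that this hunk does not contain (lines 89-91 are empty), so either add the images or drop the wording.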