-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.gitlab-ci.yml
334 lines (310 loc) · 9.92 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
# -*- coding: utf-8 -*-
image: alpine:latest
variables:
DOCKER_DRIVER: overlay2
#Dependency Scan remote is ULTIMATE GOLD only Gemnasiumでのライブラリ脆弱性
DEP_SCAN_DISABLE_REMOTE_CHECKS: local
#SAST_CONFIDENCE_LEVEL: 1 #低リスクも挙がる
GITLAB_FEATURES: "$GITLAB_FEATURES container_scanning dependency_scanning license_scanning sast "
SAST_BANDIT_EXCLUDED_PATHS: "node_modules/*, src/lib/*"
#SECRET_DETECTION_HISTORIC_SCAN: "true" # 時間を掛けて履歴もチェック
stages:
- build
- test
- deploy # for Pages # dummy stage to follow the template guidelines
# - review
- dast
# - staging
# - canary
# - production
# - incremental rollout 10%
# - incremental rollout 25%
# - incremental rollout 50%
# - incremental rollout 100%
# - performance
# - cleanup
include:
- template: Jobs/Build.gitlab-ci.yml
# - template: Jobs/Test.gitlab-ci.yml
- template: Jobs/Code-Quality.gitlab-ci.yml
- template: Jobs/Code-Intelligence.gitlab-ci.yml
# - template: Jobs/Deploy.gitlab-ci.yml
# - template: Jobs/Browser-Performance-Testing.gitlab-ci.yml
# - template: Security/DAST.gitlab-ci.yml
#コンテナではない - template: Security/Container-Scanning.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
- template: Jobs/License-Scanning.gitlab-ci.yml
- template: Jobs/SAST.gitlab-ci.yml
# - template: Jobs/Code-Intelligence.gitlab-ci.yml #for go
- template: Jobs/Secret-Detection.gitlab-ci.yml
# - template: Security/Secure-Binaries.gitlab-ci.yml # GitLabのScecureプロダクトのDockerイメージをローカルに持ってくる
# https://docs.gitlab.com/ee/ci/caching/#inherit-global-configuration-but-override-specific-settings-per-job
.cache: &default_cache
key:
files:
- package-lock.json
#npm-$CI_COMMIT_REF_SLUG
paths:
- .npm/
- node_modules/
policy: pull #pull-push
.owasp_cache: &owasp_cache
key: OWASP
paths:
- data/
policy: pull-push
when: 'always' #OWASPが自動更新するので (default)on_success
build: #上書きと追加項目
image: "node:alpine" #11.10.1-alpine <- alpine:2.9
tags:
- Docker
needs: []
cache:
<<: *default_cache
policy: pull-push #Use npm cache & create node_modules
script:
- |
function install_crxmake() {
apk add --no-cache ruby zip #ruby-dev openssl-dev gcc musl-dev make
export PATH=`gem environment gempath|sed 's/:.*$//'`/bin:$PATH
gem install --user-install --no-document crxmake #ruby-rdocパッケージいれず-no-..
#gem install --user-install --no-document openssl_pkcs8 #Chrome WebStore need PKCS8
}
function build() {
install_crxmake
if [ -n "$PRIVATE_KEY" -a ! -f src.pem ];then
# 正式版の鍵があれば使う 上書きしない
cp "$PRIVATE_KEY" src.pem
fi
./build.sh
}
build
artifacts:
paths:
- ${CI_PROJECT_NAME}.zip
#コードインテリジェンス https://docs.gitlab.com/ee/user/project/code_intelligence.html
code_intelligence_ts:
stage: deploy
needs: [ build ]
allow_failure: true # recommended
image: "node:alpine" #11.10.1-alpine <- alpine:2.9
cache:
<<: *default_cache
rules:
- if: $CODE_INTELLIGENCE_DISABLED
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.ts'
script:
- npx lsif-tsc --project ./tsconfig.json --out dump.lsif
artifacts:
reports:
lsif: dump.lsif
code_quality: #STARTER BRONZE->CORE FREE
services: # Shut off Docker-in-Docker
tags:
- cq-sans-dind
code_quality_html:
extends: code_quality
services: # Shut off Docker-in-Docker
tags:
- cq-sans-dind
variables:
REPORT_FORMAT: html
artifacts:
paths: [gl-code-quality-report.html]
code_quality_eslint:
image: node:alpine
needs: [ build ]
cache:
<<: *default_cache
policy: pull #Not update
script:
- npx eslint src --ext ts --format gitlab
artifacts:
reports:
codequality: gl-code-quality.json
# コンテナではない
# container_scanning: #Docker image形式を検査する
# tags: #追加項目
# - DinD
# needs: []
# artifacts:
# expose_as: 'Container Scanning Report JSON'
# paths:
# - gl-container-scanning-report.json
dependency_scanning: #ULTIMATE GOLD
tags: #追加項目
- DinD
needs: []
artifacts:
# *ファイル名には使えない expose_as: "Dependency JSON"
paths:
- "**/cyclonedx-*.json"
- "gl-dependency-scanning-report.json"
license_scanning: #ULTIMATE GOLD
tags: #追加項目
- DinD
needs: []
artifacts:
expose_as: "License Scanning Report json"
paths: [ "gl-license-scanning-report.json", "gl-license-scanning-report.html", $LM_REPORT_FILE ]
secret_detection:
tags: #追加項目
- DinD
variables:
SECRET_DETECTION_EXCLUDED_PATHS: "src/lib/ipag00303/ipag-ttf.js" # カンマ区切りでglab
artifacts:
expose_as: "Secret detection JSON"
paths:
- "gl-secret-detection-report.json"
sast: #ULTIMATE GOLD->CORE FREE(ESLint)
#SAST_CONFIDENCE_LEVEL=1で低リスクも挙がる
tags: #追加項目
- DinD
#のこりのテストはreviewが必要
# dast:
# performance:
cov-test:
image: "node:alpine" #15.5.0-alpine3.11
stage: test
needs: [ build ]
cache:
<<: *default_cache
policy: pull #Not update
script:
- npx nyc --reporter cobertura mocha # npm run coverage
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: coverage/cobertura-coverage.xml
rules:
- if: '$TEST_DISABLED'
when: never
- if: '$CI_COMMIT_BRANCH'
exists:
- .nycrc
pages:
stage: deploy
needs:
- code_quality
- code_quality_html
# - cov-test # This depend on .nycrc
# - container_scanning # $CONTAINER_SCANNING_DISABLED
# - dependency_scanning
- gemnasium-dependency_scanning
# - retire-js-dependency_scanning 15.0で無くなった
- license_scanning
- owasp-dependency-check
# - sast テンプレート Artifactsはすべて gl-sast-report.json
# - brakeman-sast # for Ruby
# - eslint-sast Removed 15.4
# - flawfiinder-sast # for C, C++
# - kubesec-sast
# - mobsf-android-sast
# - mobst-ios-sast
- nodejs-scan-sast
# - phpcs-security-audit-sast
# - pmd-apex-sast # *.cls
# - security-code-scan-sast # *.csproj *.vbproj
- semgrep-sast # python, JavaScript, TypeScript Go Java C# HTML
# - sobelow-sast # mix.exs
# - spotbugs-sast # groovy scala kt
script:
- |
mkdir .public
cp -r -p \
gl-code-quality-report.json \
gl-code-quality-report.html \
coverage/cobertura-coverage.xml \
gl-container-scanning-report.json \
gl-dependency-scanning-report.json \
gl-license-scanning-report.html \
gl-sast-report.json \
report \
.public/ || true
echo "<html><header><title>CI Reports ${CI_JOB_ID}</title></header><body>
<ul>" >index.html
(cd .public;
for file in *;do
set +e
[[ -e "$file" ]] && echo '<li><a href="'$file'">'$file'</a></li>' # "
set -e
done )>>index.html
echo '</ul>
</body></html>' >>index.html
mv index.html .public
mv .public public
artifacts:
expose_as: "CI Reports"
paths:
- public
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
# OSS脆弱性チェック OWASP Dependency Check https://knowledge-swimmer.com/gitlab-ci-owasp-dependency-check
owasp-dependency-check:
stage: test
# only:
# - schedules
needs: [ build ]
image:
name: owasp/dependency-check:latest
entrypoint: [""]
cache:
- <<: *default_cache
- <<: *owasp_cache
script:
- /usr/share/dependency-check/bin/dependency-check.sh --out report
--failOnCVSS 3 --project "OWASP $CI_PROJECT_TITLE" --scan .
--suppression owasp-dependency-check-suppressions.xml
--data data
#--noupdate
allow_failure: true # CIに失敗してもMRをMerge可能なようにする設定
artifacts:
when: on_failure
paths:
- report
rules:
- if: '$TEST_DISABLED'
when: never
- if: '$CI_COMMIT_BRANCH'
reviewdog:
stage: test
needs: [ build ]
image: "node:alpine" #11.10.1-alpine <- alpine:2.9
cache:
<<: *default_cache
allow_failure: true # CIに失敗してもMRをMerge可能なようにする設定
variables:
# see: https://kiririmode.hatenablog.jp/entry/20220327/1648344999
GIT_STRATEGY: clone
GIT_DEPTH: "0"
script:
- |
apk add --no-cache --update git
# apk add --update npm
# npm install # package.jsonに登録したtextlintのインストール
# reviewdogのinstall
# bin/ 以下に実行ファイルがインストールされます
wget -O - -q https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s
# textlintとreviewdogの実行
# *.md ファイルを対象にlinterを実行しています
npx stylelint "src/**/*.css" | bin/reviewdog -f=stylelint -name="stylelint" -reporter=gitlab-mr-discussion || true
npx tsc --pretty false --noEmit |bin/reviewdog -f=tsc -name="tsc" -reporter=gitlab-mr-discussion || true
npx textlint -f checkstyle --no-color "**/*.md" | bin/reviewdog -f=checkstyle -name="textlint" -reporter=gitlab-mr-discussion || true
#npx textlint -f stylish "**/*.md" | bin/reviewdog -f=eslint -name="textlint" -reporter=gitlab-mr-discussion
npx htmlhint -f checkstyle --nocolor "src/**/*.html" | bin/reviewdog -f=checkstyle -name="htmlhint" -reporter=gitlab-mr-discussion || true
rules:
- if: '$BUILD_DISABLED'
when: never
- if: '$AUTO_DEVOPS_PLATFORM_TARGET == "EC2"'
when: never
- if: '( $CI_COMMIT_TAG || $CI_COMMIT_BRANCH ) && $CI_OPEN_MERGE_REQUESTS'
# ---------------------------------------------------------------------------
.auto_devops: &auto_devops |
# Auto DevOps variables and functions
[[ "$TRACE" ]] && set -x
before_script:
- *auto_devops