feat(ci): add sast and qa jobs

2023-07-14 02:07:31 +02:00 · 2023-07-14 02:07:31 +02:00 · eb67674da0
commit eb67674da0
parent 0200dce71b
3 changed files with 104 additions and 40 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -4,12 +4,10 @@ stages:
  - deps
  - build
  - sast
+  - qa
  - image
+  - container_scanning

-before_script:
-  - export GOPATH="$CI_PROJECT_DIR/.go"
-  - mkdir -p .go
-  - mkdir -p deploy

 cache:
  paths:
@ -20,16 +18,58 @@ cache:
 include:
  - '.gitlab-ci/build.yml'
  - '.gitlab-ci/image.yml'
+  - template: SAST.gitlab-ci.yml
+  - template: Security/License-Scanning.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Security/Container-Scanning.gitlab-ci.yml
+
+.scanners-matrix:
+  parallel:
+    matrix:
+      - IMAGE_NAME: [checker, admin, evdist, frontend-ui, nginx, dashboard, repochecker, qa, receiver]
+
+container_scanning:
+  stage: container_scanning
+  extends:
+    - .scanners-matrix
+  variables:
+    DOCKER_SERVICE: localhost
+    DOCKERFILE_PATH: Dockerfile-${IMAGE_NAME}
+    CI_APPLICATION_REPOSITORY: ${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}/${IMAGE_NAME}
+    CI_APPLICATION_TAG: latest
+    GIT_STRATEGY: fetch
+  before_script:
+    - 'echo "Scanning: ${IMAGE_NAME}"'
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "master"'
+
+sast:
+  stage: sast
+  interruptible: true
+  needs: []
+
+secret_detection:
+  stage: sast
+  interruptible: true
+  needs: []
+
+license_scanning:
+  stage: qa
+  interruptible: true
+  needs: []

 get-deps:
  stage: deps
  image: golang:alpine3.18
+  before_script:
+    - export GOPATH="$CI_PROJECT_DIR/.go"
+    - mkdir -p .go
  script:
    - apk --no-cache add git
    - go get -v -d srs.epita.fr/fic-server/admin
-    - go get -v -d srs.epita.fr/fic-server/backend
+    - go get -v -d srs.epita.fr/fic-server/checker
+    - go get -v -d srs.epita.fr/fic-server/receiver
    - go get -v -d srs.epita.fr/fic-server/evdist
-    - go get -v -d srs.epita.fr/fic-server/frontend
    - go get -v -d srs.epita.fr/fic-server/dashboard
    - go get -v -d srs.epita.fr/fic-server/repochecker
    - go get -v -d srs.epita.fr/fic-server/repochecker/epita
@ -45,6 +85,9 @@ vet:
  dependencies:
    - build-qa-ui
  image: golang:alpine3.18
+  before_script:
+    - export GOPATH="$CI_PROJECT_DIR/.go"
+    - mkdir -p .go
  script:
    - apk --no-cache add build-base
    - go vet -v -buildvcs=false -tags gitgo srs.epita.fr/fic-server/admin
@ -52,9 +95,9 @@ vet:
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/admin/sync
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/admin/pki
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/admin
-    - go vet -v -buildvcs=false srs.epita.fr/fic-server/backend
+    - go vet -v -buildvcs=false srs.epita.fr/fic-server/checker
+    - go vet -v -buildvcs=false srs.epita.fr/fic-server/receiver
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/evdist
-    - go vet -v -buildvcs=false srs.epita.fr/fic-server/frontend
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/dashboard
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/repochecker
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/repochecker/epita
@ -64,4 +107,3 @@ vet:
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/repochecker/videos
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/qa
    - go vet -v -buildvcs=false srs.epita.fr/fic-server/settings
-