Commit 60adf193 authored by SBassett's avatar SBassett

Update "default" Wikimedia semgrep SAST image

parent 19429f71
Pipeline #1427 passed with stage
in 46 seconds
semgrep_check::
image: returntocorp/semgrep-agent:v1
image: docker-registry.wikimedia.org/${WM_APPSEC_SEMGREP_IMAGE}
stage: test
allow_failure: false
allow_failure: false # security-related job should not be allowed to fail
variables:
SEMGREP_RULES: >- # more at semgrep.dev/explore
p/security-audit
p/secrets
SEMGREP_OPTIONS: "--config=p/ci --config=/p/security-audit --metrics=off --time --verbose --exclude=vendor --exclude=node_modules"
before_script:
- apt-get update -yqq && apt-get install -yqq git
- python3 -m pip install --upgrade semgrep
- |
# check if alternative npm audit options were specified calling gitlab-ci.yml file
if [ ! -z ${WM_APPSEC_SEMGREP_OPTIONS} ]; then
SEMGREP_OPTIONS=${WM_APPSEC_SEMGREP_OPTIONS}
fi
# create a new package lock file, run auditjs
script:
- semgrep ${SEMGREP_OPTIONS}
# Upload findings to GitLab SAST Dashboard (remove `script:` line above) [step 2/2]
# optional artifact reports - not necessary for now
# script: semgrep-agent --gitlab-json > gl-sast-report.json || true
# artifacts:
# reports:
......
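Review bot: In the `SEMGREP_OPTIONS` value, `--config=/p/security-audit` has a leading slash, so semgrep will most likely resolve it as a filesystem path rather than the registry pack form that `--config=p/ci` uses in the same string; it should read `--config=p/security-audit`. The override test in `before_script`, `if [ ! -z ${WM_APPSEC_SEMGREP_OPTIONS} ]; then`, is unquoted, so a value holding several options splits into words, `[` fails, and the caller's options are silently ignored; `if [ -n "${WM_APPSEC_SEMGREP_OPTIONS}" ]; then` avoids that. `python3 -m pip install --upgrade semgrep` fetches whatever release is current on every run, so the scanner version can drift from the one in the `${WM_APPSEC_SEMGREP_IMAGE}` image; pin a version there or rely on the semgrep already in the image. The page has lost its +/- markers, so this assumes those lines are on the new side.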