#
# An example GitLab CI/CD pipeline configuration file for a Node.js application (node:20 image, npm, jest) that includes build, test, deploy and
# - OpenText Application Security Core (FoD) SAST/DAST/SCA scans ... or
# - OpenText Application Security (ScanCentral) SAST/DAST scans
# - OpenText SCA Core (Debricked) ... or
# - Sonatype Lifecycle (Nexus IQ Server)
#
# This pipeline uses the Fortify fcli tool and GitLab CI/CD Components (https://gitlab.com/Fortify/components)
#
# If using OpenText Application Security Core (FoD) set the following variables in your GitLab project/organisation:
# - FOD_URL: Fortify on Demand URL (e.g., https://ams.fortify.com)
# - FOD_API_URL: Fortify API URL (e.g., https://api.ams.fortify.com)
# - FOD_CLIENT_ID: Fortify on Demand Client ID
# - FOD_CLIENT_SECRET: Fortify on Demand Client Secret
# - FOD_APP_NAME_POSTFIX: Optional postfix for the application name
#
# If using OpenText Application Security (ScanCentral) set the following variables in your GitLab project/organisation:
# - SSC_URL: Software Security Center URL (e.g. https://ssc.customer.fortifyhosted.net/)
# - SSC_TOKEN: Software Security Center CIToken
# - SC_SAST_TOKEN: ScanCentral SAST Client Authentication Token
# - SSC_APP_NAME_POSTFIX: Optional postfix for the application name
# - SCDAST_SETTINGS_ID: Optional ScanCentral DAST Settings Id for DAST scan to run
#
# If using Sonatype Lifecycle (Nexus IQ Server) set the following variables in your GitLab project/organisation:
# - NEXUS_IQ_URL: Nexus IQ Server URL
# - NEXUS_IQ_USERNAME: Nexus IQ Username
# - NEXUS_IQ_PASSWORD: Nexus IQ Password
#
# If using OpenText SCA Core (Debricked) set the following variables in your GitLab project/organisation:
# - DEBRICKED_TOKEN: Debricked Access Token
#
# These variables also control which jobs run: a scan job is only included when the URL or token that selects it is set.
# Store the secrets among them (tokens, client secrets, passwords) as masked CI/CD variables so they cannot be echoed into job logs.
#
# Pipeline inputs (GitLab `spec:inputs`). They have to live in a leading
# document of their own, which the `---` below closes.
# `debug` is accepted but not referenced anywhere in this file as shown, so
# it currently has no effect on the jobs that follow.
spec:
  inputs:
    debug:
      type: boolean
      default: false
---
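# Default image for every job that does not set its own.
# NOTE(review): `node:20` is a floating major-version tag; pin it to a digest
# (`node:20@sha256:...`) so an upstream push cannot silently change the build
# toolchain between two runs of the same commit.
image: node:20

stages:
  - build
  - dockerize
  - test
  - deploy
  - scan

workflow:
  rules:
    # Only run the pipeline for merge requests and pushes to branches (not both when a merge request is open)
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI_COMMIT_BRANCH

variables:
  DEFAULT_APP_NAME: "InsecureRestAPI"
  DEFAULT_PARENT_RELEASE_NAME: "main"
  DEFAULT_PARENT_APPVERSION_NAME: "main"
  # NOTE(review): CI_COMMIT_BRANCH is not set in merge-request pipelines, so
  # these two expand to an empty string there; confirm the included scan jobs
  # tolerate that (or derive the name from CI_MERGE_REQUEST_SOURCE_BRANCH_NAME).
  DEFAULT_RELEASE_NAME: "${CI_COMMIT_BRANCH}"
  DEFAULT_APPVERSION_NAME: "${CI_COMMIT_BRANCH}"
  DEFAULT_SONATYPE_IQ_APPLICATION_ID: "insecurerestapi"
  # Image produced by docker-build and scanned by sonatype-docker-scan; tagged
  # with the commit SHA so every pipeline pushes a distinct, traceable tag.
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

# Per-branch cache of the installed npm dependencies (this is a Node project:
# only node_modules is cached, there is no Python .venv here).
cache:
  key: ${CI_COMMIT_REF_SLUG}
  paths:
    - node_modules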
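# include CI/CD components and jobs depending on what we want to run
# there are lots of conditional includes based on CI/CD variables to ensure only jobs required are run
#
# Each `rules: - if: $VAR` below is true only when VAR is defined AND non-empty
# (that is what a bare variable means in a GitLab rule expression). The earlier
# `$VAR != null || $VAR =~ /^./` form also matched a defined-but-empty variable,
# which pulled in scan jobs that then had no URL or token to work with.
#
# NOTE(review): every component is referenced at the mutable `@main` ref, so a
# change (or compromise) of the upstream component project reaches this pipeline
# on its next run. Pin each component to a release tag or commit SHA.
include:
  # fcli component: always included. The `fcli` job it defines is disabled
  # further down and only serves as a base for the jobs in the included
  # FoD / ScanCentral files.
  - component: $CI_SERVER_FQDN/Fortify/components/fcli/linux@main
    inputs:
      stage: scan  # Stage in which to run the fcli commands
  # Fortify AST (SAST) scan, only when a ScanCentral or FoD endpoint is configured
  - component: $CI_SERVER_FQDN/Fortify/components/ast-scan/linux@main
    inputs:
      job-name: fortify-sast-scan  # Optional job name used for running the AST scan, defaults to 'fortify-ast-scan'
      stage: scan  # Stage in which to run the AST scan, defaults to 'test'
    rules:
      - if: $SSC_URL
      - if: $FOD_URL
  # include Sonatype Nexus IQ jobs if NEXUS_IQ_URL is defined
  - component: $CI_SERVER_FQDN/sonatype-integrations/components/evaluate-sbom@main
    inputs:
      application-id: $DEFAULT_SONATYPE_IQ_APPLICATION_ID
      scan-targets:
        - package-lock.json
      result-file: evaluation-result.json
      report-name: evaluation-report.html
      sbom-standard: cycloneDx
      sbom-version: "1.5"
      # NOTE(review): if this does what its name says, an IQ server or tooling
      # failure does not fail the job, so a scan that never ran is
      # indistinguishable from a clean one in the pipeline status. Consider
      # `false` once the integration is known to be stable.
      ignore-system-errors: true
    rules:
      - if: $NEXUS_IQ_URL
  # include Debricked jobs if $DEBRICKED_TOKEN is defined
  - local: etc/gitlab-debricked.yml
    rules:
      - if: $DEBRICKED_TOKEN
  # include FoD jobs if $FOD_URL is defined
  - local: etc/gitlab-fod.yml
    rules:
      - if: $FOD_URL
  # include ScanCentral jobs if $SSC_URL is defined
  - local: etc/gitlab-scancentral.yml
    rules:
      - if: $SSC_URL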
# The fcli component included above always defines an `fcli` job. It is only
# meant to be `extends`-ed by the jobs in the included FoD / ScanCentral files,
# so make sure it never runs on its own.
fcli:
  rules:
    - when: never
  stage: scan
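# This is a sample job to build the application. You can replace it with your actual build job.
#
# Dependencies are installed with `npm ci` instead of `npm i`: `npm ci`
# installs exactly what package-lock.json records and fails (rather than
# silently re-resolving and rewriting the lock file) when package.json and the
# lock file disagree, so the build is reproducible and the committed lock file
# stays the supply-chain source of truth. This assumes the package-lock.json
# that the Sonatype SBOM job scans is committed to the repository.
# `npm ci` removes any restored node_modules before installing, so the
# per-branch node_modules cache mainly helps if it is pointed at npm's own
# cache directory instead.
# NOTE(review): dependency lifecycle scripts still run on the runner during
# install; `npm ci --ignore-scripts` blocks them, but only if the build does not
# rely on any - not enabled here.
npm-build:
  stage: build
  before_script:
    - npm ci
  script:
    - echo "Building the application..."
    - npm run swagger
    - npm run build
  artifacts:
    paths:
      - dist  # consumed by docker-build via `dependencies`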
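# This is a sample job to test a Node application using jest. You can replace it with your actual test job.
#
# Dependencies are installed with `npm ci` instead of `npm i` so the tests run
# against exactly the versions recorded in package-lock.json and the install
# fails instead of silently re-resolving when the lock file is out of date
# (assumes package-lock.json is committed, as the Sonatype SBOM scan expects).
# The JUnit report is uploaded even when tests fail (`when: always`) so GitLab
# can render failures in the merge request; the test runner must be configured
# to write `junit.xml` for that to work.
npm-test:
  stage: test
  before_script:
    - npm ci
  script:
    - echo "Testing the application..."
    - npm run test
  artifacts:
    when: always
    reports:
      junit:
        - junit.xml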
# Build the application into a Docker image and push it to the GitLab Container
# Registry. Runs on the default branch only; the `dist` artifact from npm-build
# is fetched first so the Dockerfile can copy the built output.
# The job token is fed to `docker login` on stdin rather than as an argument,
# so it never shows up in a process listing.
# NOTE(review): `docker:latest` and `docker:dind` float with upstream; pin both
# to the same release (or digest) so client and daemon stay matched and builds
# are reproducible. The dind service also needs a privileged runner, which is
# a broad grant - keep such runners dedicated to trusted projects.
docker-build:
  stage: dockerize
  image: docker:latest
  services:
    - docker:dind
  dependencies:
    - npm-build
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  before_script:
    - echo $CI_JOB_TOKEN | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
    - echo $IMAGE_TAG
  script:
    - docker build -t $IMAGE_TAG .
    - docker push $IMAGE_TAG
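# This job runs Sonatype Nexus IQ evaluation on the Docker image built in the docker-build job.
#
# Two fixes relative to the earlier version of this job:
#  - NEXUS_CONTAINER_INCLUDE_ONLY_OS_COMPONENTS was exported in the job shell
#    but never handed to the scanner container (it was missing from the `-e`
#    list), so the setting had no effect; it is now passed through.
#  - the job only runs when NEXUS_IQ_URL is configured, matching how the other
#    Sonatype / Fortify jobs in this file are gated, instead of failing on
#    `main` whenever the variable is absent.
#
# NOTE(review): the scanner container receives bind mounts of /tmp and
# /var/run/docker.sock, plus NEXUS_IQ_PASSWORD and the job token, and is pulled
# at the floating `:latest` tag. Write access to a Docker socket is
# root-equivalent on that daemon's host, so pin the image to a digest and
# confirm the socket mount is actually needed: with the `docker:dind` service
# the client normally reaches the daemon over TCP, so whether
# /var/run/docker.sock even exists in the job container depends on the runner
# configuration.
sonatype-docker-scan:
  stage: test
  image: docker:latest
  services:
    - docker:dind
  needs:
    - job: docker-build
  before_script:
    - echo $CI_JOB_TOKEN | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
    - echo $IMAGE_TAG
    - docker pull $IMAGE_TAG
    # presumably the registry credentials the scanner uses to fetch image layers itself
    - export NEXUS_CONTAINER_IMAGE_REGISTRY_USER=gitlab-ci-token
    - export NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD=$CI_JOB_TOKEN
    - export NEXUS_CONTAINER_INCLUDE_ONLY_OS_COMPONENTS=true
  script:
    - |
      docker run -v /tmp:/tmp -v $CI_PROJECT_DIR:/sonatype/reports -v /var/run/docker.sock:/var/run/docker.sock \
        -e NEXUS_IQ_URL -e NEXUS_IQ_USERNAME -e NEXUS_IQ_PASSWORD \
        -e NEXUS_CONTAINER_IMAGE_REGISTRY_USER -e NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD \
        -e NEXUS_CONTAINER_INCLUDE_ONLY_OS_COMPONENTS \
        sonatype/gitlab-nexus-iq-pipeline:latest /sonatype/evaluate -i $DEFAULT_SONATYPE_IQ_APPLICATION_ID -t stage-release container:$IMAGE_TAG
  artifacts:
    paths:
      # report file name as written by the scanner image; adjust if that naming changes
      - $CI_PROJECT_DIR/$CI_PROJECT_NAME-policy-eval-report.html
  rules:
    - if: $CI_COMMIT_BRANCH == "main" && $NEXUS_IQ_URL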
# Placeholder deploy job: only prints a message. Replace the script with the
# real deployment steps; it is restricted to the default branch.
deploy:
  stage: deploy
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  script:
    - echo "Deploying the application..."