
GitLab CI

Out of the box, DerScanner supports a webhook integration with GitLab, which is sufficient to launch scans on specified conditions (learn more in VCS Hostings).

If you want to build DerScanner into your GitLab CI pipeline so that it serves as a Quality Gate, a more thorough, scripted setup is required.

Integration example:

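default:
  # Build image shared by every job. Pinning it by digest
  # (maven:3.6.3-openjdk-11@sha256:<IMAGE_DIGEST>, placeholder) makes the
  # toolchain the scanner runs on reproducible.
  image: maven:3.6.3-openjdk-11
  tags:
    - docker
  before_script:
    # Add a static hosts entry for the DerScanner server. DNS_RECORD is a CI/CD
    # variable in /etc/hosts form ("<IP> <HOSTNAME>", placeholder). It is quoted
    # against word splitting and glob expansion, and skipped when unset so an
    # empty line is not appended.
    - if [ -n "${DNS_RECORD}" ]; then echo "${DNS_RECORD}" >> /etc/hosts; fi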

# Pipeline order: build, then the four DerScanner stages (start the scan, wait
# for it, optional report export, score gate), and only then deploy.
stages:
  - build
  - sast:stage:1
  - sast:stage:2
  - sast:stage:3
  - sast:stage:4
  - deploy

variables:
  # Minimum acceptable scan score; derscanner:check_rate_scan fails the pipeline
  # when the score reported by the CLT is below it. Quoted so YAML keeps it a
  # string rather than a float.
  MIN_RATING: "3.0"

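mvn:build:
  stage: build
  script:
    - mvn clean package
    # Fetch the DerScanner command-line tool. -f makes curl fail on an HTTP
    # error instead of saving the error page as clt.jar (which the later stages
    # would then try to run), --retry rides out transient network errors, and
    # the URL is quoted against word splitting.
    - curl -fsSL --retry 3 "${CLT_URL}" -o clt.jar
    # Every later stage executes this jar: verify it against the checksum
    # published with the DerScanner distribution before trusting it, e.g.
    #   echo "<EXPECTED_SHA256>  clt.jar" | sha256sum -c -
    # (<EXPECTED_SHA256> is a placeholder for the published value).
  artifacts:
    paths:
      - target/*.war
      - clt.jar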

derscanner:start_scan:
  stage: sast:stage:1
  script:
    # Upload the built WAR(s) and start a scan. REST is presumably the
    # DerScanner server endpoint and TOKEN its API token; keep TOKEN a masked
    # CI/CD variable so it never appears in the job log. The CLT output is
    # copied to "metainf" so the identifiers can be parsed out below.
    - >-
      java -jar clt.jar
      -rest ${REST}
      -token ${TOKEN} start
      -type FILE
      -path target/*.war
      -name ${CI_PROJECT_NAME}:${CI_COMMIT_REF_SLUG}
      -languages JAVA,CONFIG | tee metainf
    # Extract the project and scan identifiers from the CLT output.
    # NOTE(review): this assumes lines of the form "Project <word> <id>" and
    # "Scan <word> <id>" (third space-separated field) -- confirm against the
    # CLT's actual output format.
    - echo "PROJECT_UUID=$(grep -oE 'Project.*' metainf | cut -d' ' -f3)" >> build.env
    - echo "SCAN_UUID=$(grep -oE 'Scan.*' metainf | cut -d' ' -f3)" >> build.env
  artifacts:
    reports:
      # Exposes PROJECT_UUID and SCAN_UUID as variables to the jobs in later stages.
      dotenv: build.env

derscanner:status_scan:
  stage: sast:stage:2
  # Upper bound for the polling loop below; a scan that never reports COMPLETE
  # fails the job here.
  timeout: 1 hours 30 minutes
  script:
    # Poll the scan status every 10 s until the CLT reports COMPLETE.
    # NOTE(review): only COMPLETE ends the loop, so a scan that finishes in an
    # error state keeps polling until the job timeout -- confirm the CLT's
    # failure status strings and exit early on them.
    - >-
      until java -jar clt.jar
      -rest ${REST}
      -token ${TOKEN} status
      -scanid ${SCAN_UUID} | grep COMPLETE;
      do echo "Waiting for the COMPLETE status..."; sleep 10; done
    - echo "Scan successfully finished!"

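# Shared definition for the report-export jobs below (a hidden job, never run
# by itself). Each concrete job sets REPORT_TYPE, REPORT_PATH and REPORT_LOCALE.
# REPORT_LOCALE replaces the earlier LANG variable: GitLab exports job variables
# into the job environment, and LANG is the POSIX locale variable read by every
# tool in the job (including the JVM), so "ru"/"en" leaked into their locale
# handling.
.report_template:
  stage: sast:stage:3
  # Reports are exported on demand. A manual job is allow_failure by default in
  # GitLab, so the pipeline proceeds to sast:stage:4 without waiting for it.
  when: manual
  script:
    - >-
      java -jar clt.jar
      -rest ${REST}
      -token ${TOKEN} export
      -project ${PROJECT_UUID}
      -scans ${SCAN_UUID}
      -path .
      -general.format ${REPORT_TYPE}
      -general.locale ${REPORT_LOCALE}
  artifacts:
    name: "${CI_JOB_NAME}-${CI_PIPELINE_ID}"
    paths:
      - ${REPORT_PATH}

derscanner:pdf_ru_report:
  extends: .report_template
  variables:
    REPORT_TYPE: "PDF"
    REPORT_PATH: "*.pdf"
    REPORT_LOCALE: "ru"

derscanner:pdf_en_report:
  extends: .report_template
  variables:
    REPORT_TYPE: "PDF"
    REPORT_PATH: "*.pdf"
    REPORT_LOCALE: "en"

# The CSV export is delivered as a zip archive, hence the different REPORT_PATH.
derscanner:csv_ru_report:
  extends: .report_template
  variables:
    REPORT_TYPE: "CSV"
    REPORT_PATH: "*.zip"
    REPORT_LOCALE: "ru"

derscanner:csv_en_report:
  extends: .report_template
  variables:
    REPORT_TYPE: "CSV"
    REPORT_PATH: "*.zip"
    REPORT_LOCALE: "en"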

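derscanner:check_rate_scan:
  stage: sast:stage:4
  script:
    # Ask the CLT for the scan score and reduce the "Score: <value>" line to
    # the value.
    - >-
      SCORE=$(
      java -jar clt.jar
      -rest ${REST}
      -token ${TOKEN} score
      -scanid ${SCAN_UUID} | grep -oE 'Score:.*' | cut -d' ' -f2)
    # Fail closed. With the previous unguarded awk comparison an empty SCORE
    # (CLT error, changed output format) made awk exit with a syntax error,
    # which the if/else then reported as "passed". Reject anything that is not
    # a plain decimal number before comparing.
    - >-
      if ! printf '%s\n' "${SCORE}" | grep -qE '^[0-9]+([.][0-9]+)?$';
      then echo "Could not read a numeric score from the scanner output (got '${SCORE}')"; exit 1;
      fi
    # Compare numerically. The values are handed to awk with -v instead of
    # being spliced into the program text, so they cannot change the program.
    - >-
      if awk -v score="${SCORE}" -v min="${MIN_RATING}" 'BEGIN {exit !(score + 0 >= min + 0)}';
      then echo "You've passed the check!";
      else echo "Your rate is less than necessary ${MIN_RATING}!"; exit 1;
      fi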

deploy:env:
  stage: deploy
  # Reached only after every earlier stage succeeded, i.e. the score gate in
  # sast:stage:4 passed. No artifacts from earlier jobs are needed here.
  dependencies: []
  script:
    - echo "You can safely deploy the application"