1variables:
2  # Setting this variable will affect all Security templates
3  # (SAST, Dependency Scanning, ...)
4  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
5  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
6
7iac-sast:
8  stage: test
9  artifacts:
10    reports:
11      sast: gl-sast-report.json
12  rules:
13    - when: never
14  # `rules` must be overridden explicitly by each child job
15  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
16  variables:
17    SEARCH_MAX_DEPTH: 4
18  allow_failure: true
19  script:
20    - /analyzer run
21
22kics-iac-sast:
23  extends: iac-sast
24  image:
25    name: "$SAST_ANALYZER_IMAGE"
26  variables:
27    SAST_ANALYZER_IMAGE_TAG: 1
28    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG"
29  rules:
30    - if: $SAST_DISABLED
31      when: never
32    - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
33      when: never
34    - if: $CI_COMMIT_BRANCH
35