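# GitLab CI template: IaC SAST via the KICS analyzer.
# Jobs that `extends: iac-sast` must define their own `rules`; the base job
# never runs on its own.
variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"

# Base job shared by the concrete analyzer jobs below.
iac-sast:
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - when: never
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  variables:
    # Quoted: CI variables are strings, and a bare 4 is retyped as an int by
    # generic YAML loaders (yamllint, editors, other tooling).
    SEARCH_MAX_DEPTH: "4"
  # A failing or crashing scan does not fail the pipeline; findings are
  # surfaced through the SAST report artifact instead.
  allow_failure: true
  script:
    - /analyzer run

kics-iac-sast:
  extends: iac-sast
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    # Major-version tag: the image behind it moves as the analyzer is
    # released. Quoted so the value stays a string when interpolated into
    # SAST_ANALYZER_IMAGE below (an unquoted 1 is an int to generic loaders).
    SAST_ANALYZER_IMAGE_TAG: "1"
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    # NOTE(review): a bare `$SAST_DISABLED` test presumably matches any
    # non-empty value, including "false" — confirm against the rules docs.
    - if: $SAST_DISABLED
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
      when: never
    # Run on branch pipelines.
    - if: $CI_COMMIT_BRANCH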