-
Notifications
You must be signed in to change notification settings - Fork 24
/
.gitlab-ci.yml
99 lines (93 loc) · 3.58 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
include:
- project: dwp/engineering/pipeline-solutions/gitlab/functions
ref: 5.4.0
file:
- functions/node.gitlab-ci.yml
- functions/auto-tag-merge.gitlab-ci.yml
variables:
NODE_IMAGE: node:22@sha256:35a5dd72bcac4bce43266408b58a02be6ff0b6098ffa6f5435aeea980a8951d7
NODE_PUBLISH_TO_GITLAB: "true"
NODE_PUBLISH_TO_NPMJS: "true"
AUTO_TAG_MERGE_PREPARE_MR: "true"
FUNCTIONS_SONARQUBE_ENABLED: "false"
node-lint-eslint:
variables:
PUPPETEER_SKIP_DOWNLOAD: "true"
image:
name: ${CI_REGISTRY}/dwp/engineering/pipeline-solutions/gitlab/fragments/eslint/v9:latest@sha256:4b18c5eaa723d6057106be76c243aa93432096e9fbd0422f2db3687f23203174
# ------------------------------------------------------------------ custom jobs
# Unit tests on other supported node versions
unit-test:
extends: .node-common
parallel:
matrix:
- node_image_version: node:18@sha256:b57ae84fe7880a23b389f8260d726b784010ed470c2ee26d4e2cbdb955d25b12
- node_image_version: node:20@sha256:f4755c9039bdeec5c736b2e0dd5b47700d6393b65688b9e9f807ec12f54a8690
stage: unit-test
image: $node_image_version
script:
- node --version
- npm --version
- !reference [.node-init, script]
- npm test
# ZAP scans
e2e-dast:
extends: .node-common
stage: security-dynamic-analysis
image: $NODE_IMAGE
tags:
- docker
needs: []
services:
# The image is broken from `owasp/zap2docker-stable:s2023-02-06` onwards,
# which conincides with when ZAP starts to build multi-platform images.
# DO NOT UPDATE THIS IMAGE UNTIL SOURCES ARE FIXED.
# - name: owasp/zap2docker-stable@sha256:072670c616a33c5a5d985a8790738de76191d4e3222e19dc19f50026b5440436
- name: ghcr.io/zaproxy/zaproxy:bare@sha256:24a4037a3e8607d9fedbd75e4a7f1336d11998e1c331aab9991ef074f5de4b22
alias: zap
entrypoint: ["zap.sh"]
command:
[
"-daemon",
"-host",
"0.0.0.0",
"-port",
"8080",
"-config",
"api.key=secret",
"-config",
"api.addrs.addr.name=.*",
"-config",
"api.addrs.addr.regex=true",
]
variables:
# ref: https://docs.gitlab.com/runner/executors/docker.html#create-a-network-for-each-job
# Required so ZAP can connect to servers being spun up in this build container
FF_NETWORK_PER_BUILD: 1
before_script:
- apt-get update
- apt-get install -y jq
script:
- !reference [.node-init, script]
- "until wget -qO- --header 'X-ZAP-Api-Key: secret' http://zap:8080/JSON/core/view/zapHomePath >/dev/null 2>&1; do echo 'Waiting for ZAP ...'; sleep 1; done"
- ./node_modules/.bin/spiderplan --worker-init ./tests/e2e/worker-init.js --language en ./tests/e2e/personas/**/traversal.yaml --workers 1 --zap --zap-proxy 'http://zap:8080/' --zap-target-hostname "$(hostname)"
- "wget -qO- --header 'X-ZAP-Api-Key: secret' http://zap:8080/OTHER/core/other/jsonreport > gl-dast-report.json"
- "wget -qO- --header 'X-ZAP-Api-Key: secret' http://zap:8080/OTHER/core/other/htmlreport > gl-dast-report.html"
- if [[ "$(jq '[.site[].alerts[].riskcode | select(. | tonumber >= 3)] | length' gl-dast-report.json)" -ne "0" ]]; then echo 'Found HIGH or CRITICAL vulnerabilities reported. Job failed.'; exit 1; fi
artifacts:
when: always
expire_in: 3 months
paths:
- gl-dast-report.html
- gl-dast-report.json
reports:
dast:
- gl-dast-report.json
# API documentation, published on GitLab Pages
pages:
stage: publish
extends: .node-common
script: npm run build:api-docs -- -d ./public/ || true
artifacts:
paths:
- public