From 69e9d097db1f98aff3d37818c89f44978718d87b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Mon, 30 Aug 2021 10:00:08 +0200
Subject: [PATCH] ci WIP: trying SAST (some static analyzers)

---
 .gitlab-ci.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 4538c6acc..886e16038 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -17,6 +17,8 @@ variables:
   PREFIX: $CI_PROJECT_DIR/.local
   GIT_COMMITER_NAME: 'ci'
   EMAIL: 'ci@nic'
+  SAST_DISABLED: 1 # we call the jobs differently, enable them individually, etc.
+  SAST_EXCLUDED_PATHS: "bench, tests, **/test_*"
 
 image: $CI_REGISTRY/knot/knot-resolver/ci/debian-11:knot-$KNOT_VERSION
 
@@ -29,6 +31,7 @@ stages:
   - pkgtest
 
 .common: &common
+  when: manual #FIXME: TMP
   except:
     refs:
       - master@knot/knot-resolver
@@ -41,6 +44,31 @@ stages:
     - linux
     - amd64
 
+# https://gitlab.nic.cz/help/user/application_security/sast/index#configure-sast-manually
+include:
+  - template: Security/SAST.gitlab-ci.yml
+.sast-common: &sast-common
+  extends: .sast-analyzer
+  stage: sanity
+  image:
+    name: "$SAST_ANALYZER_IMAGE"
+  rules:
+    - if: $SAST_ANALYZER_IMAGE # Empty if broke the CI?
+      when: always
+  # wait for build, no artifacts are needed
+  needs: [ build ]
+  dependencies:
+sast:flawfinder:
+  extends: .sast-common
+  variables:
+    SAST_ANALYZER_IMAGE_TAG: 2
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
+sast:semgrep:
+  extends: .sast-common
+  variables:
+    SAST_ANALYZER_IMAGE_TAG: 2
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
+
 .after_build: &after_build
   <<: *common
   needs:
-- 
2.47.2
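Review bot: The bare `dependencies:` in `.sast-common` (third hunk) is YAML null rather than an empty list, so it does not express "no artifacts are needed" as the comment above it intends; write `dependencies: []` (and, since `needs: [ build ]` itself pulls the build job's artifacts, consider `needs: [ { job: build, artifacts: false } ]` if the analyzers truly need nothing from it). In the same block, `when: always` under `rules:` makes the analyzer jobs run even when `build` has failed; `when: on_success` (the default) matches the "wait for build" comment better. Overriding `rules:` wholesale also discards the template's own `$SAST_DISABLED` / `$SAST_EXCLUDED_ANALYZERS` gating, which seems intended here but is worth a one-line comment such as `# rules replace the template's gating on purpose; SAST_DISABLED only silences the template jobs`. Both `SAST_ANALYZER_IMAGE_TAG: 2` values are floating major tags, so each pipeline may pull a different analyzer build; pinning to a full version or digest would make scan results reproducible.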