.gitlab-ci.yml

---
# Pipeline template

### Variables used throughout the pipeline

variables:
  # Tool-specific: Image versions
  DIVE_VERSION: v0.11
  DOCKLE_VERSION: v0.4.13
  HADOLINT_VERSION: v2.12.0-debian
  TOOLS_VERSION: 1.8.0
  DEPENDENCY_VERSION: 9.0.8

  # Tool-specific: The directory where configuration files can be found
  CONFIGURATION: automated_security_tests

  # Generic information
  DOCKER_DRIVER: overlay2
  IMAGE_NAMESPACE: gofwd
  IMAGE_REPOSITORY: ${IMAGE_NAMESPACE}/analyze_hosts
  IMAGE_TAG: ${CI_COMMIT_SHORT_SHA}
  IMAGE_TAR: ${IMAGE_TAG}.tar
  JOB_FINGERPRINT: $CI_COMMIT_SHORT_SHA-$CI_PIPELINE_ID
  # By default, the repository will not be used; artifacts will
  GIT_STRATEGY: none

### Include several jobs

include:
  # .pre
  - .gitlab/detect-secrets.gitlab-ci.yml
  # sast
  - .gitlab/hadolint.gitlab-ci.yml
  # sast
  - .gitlab/sonarqube.gitlab-ci.yml
  # build
  - .gitlab/docker-build.gitlab-ci.yml
  # security
  - .gitlab/dependency-check.gitlab-ci.yml
  # security
  - .gitlab/dependency-track.gitlab-ci.yml
  # security
  - .gitlab/dive.gitlab-ci.yml
  # security
  - .gitlab/dockle.gitlab-ci.yml
  # security
  - .gitlab/grype.gitlab-ci.yml
  # test
  - .gitlab/test.gitlab-ci.yml

### Pipeline stages

stages:
  # Security checks over source code, can be performed parallel to building
  - sast
  # Build the artifact
  - build
  # (Dynamic) security checks using / over build artifact
  - security
  # Test the artifact
  - test

### Jobs

# All jobs that start with a dot are templates and can be extended
# This facilitates directed acyclic graph pipelines
# The needs keyword requires a job name

.sast:
  stage: sast
  needs:
    - detect-secrets

.build:
  stage: build
  needs:
    - detect-secrets

.dast:
  stage: dast
  needs:
    - build

.security:
  stage: security
  needs:
    - build

.test:
  stage: test
  needs:
    - build