# A single pipeline stage; every scan job below runs in it, in parallel.
stages:
  - security-scan
variables:
  # DEP_CONTROL_URL and SCANNER_SHA256 are deliberately not set here: define
  # them as GitLab CI/CD variables for the project or group.
  #   DEP_CONTROL_URL: "https://your-dependency-control-instance.com"
  #   SCANNER_SHA256: expected digest of scanner.sh, available from
  #                   $DEP_CONTROL_URL/api/v1/scripts/scanner.sh/hash
  # Pin SCANNER_SHA256 at configuration time rather than fetching it inside
  # the job; a digest fetched from the same server at run time would only
  # re-validate whatever that server currently serves.
  # Version string stays quoted so no YAML parser turns it into a number.
  SCANNER_VERSION: "1.0.0"
# Hidden template (leading dot) that every scan job extends.
.dep-control-base:
  stage: security-scan
  # Short-lived OIDC token for the dependency-control server; GitLab exposes
  # it to the job as the DEP_CONTROL_TOKEN variable.
  id_tokens:
    DEP_CONTROL_TOKEN:
      aud: dependency-control
  variables:
    # Full clone instead of a shallow one — presumably because some scanners
    # walk history; confirm against scanner.sh.
    GIT_DEPTH: 0
  # Tools scanner.sh needs on a Debian-based image. Jobs that need extra
  # packages override before_script (the list is replaced, not extended).
  # The anchor is not referenced elsewhere in this file.
  before_script: &install-deps
    - apt-get update -qq && apt-get install -y -qq curl jq coreutils
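# Fetch scanner.sh and verify it against the pinned SCANNER_SHA256 before
# anything executes it. Each job pulls this into its script via
# *download-scanner; the body is shell, so the '#' lines are shell comments.
.download-scanner: &download-scanner |
  # Fail fast with a clear message instead of a cryptic curl/sha256sum error
  # when the CI/CD variables were never configured.
  : "${DEP_CONTROL_URL:?DEP_CONTROL_URL must be set as a CI/CD variable}"
  : "${SCANNER_SHA256:?SCANNER_SHA256 must be set as a CI/CD variable}"
  # --fail: an HTTP error exits non-zero instead of saving the error page as
  # scanner.sh; --proto '=https': refuse any scheme other than https, which
  # also constrains where -L may follow a redirect to.
  curl --fail -sSL --proto '=https' "$DEP_CONTROL_URL/api/v1/scripts/scanner.sh?v=$SCANNER_VERSION" -o scanner.sh
  # Two spaces between digest and file name: the check-mode format every
  # coreutils sha256sum accepts. A mismatch exits non-zero and fails the job.
  echo "$SCANNER_SHA256  scanner.sh" | sha256sum -c -
  chmod +x scanner.sh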
# SBOM generation; relies on the tools the base template installs.
sbom-scan:
  # NOTE(review): the tag is mutable; pinning the image by digest would make
  # the toolchain reproducible — TODO decide per project.
  image: debian:bookworm-slim
  extends: .dep-control-base
  script:
    - *download-scanner
    - ./scanner.sh sbom
# Secret scanning; needs git in addition to the base tool set.
secret-scan:
  image: debian:bookworm-slim
  extends: .dep-control-base
  # Overriding before_script replaces the inherited list, so the base
  # packages are repeated here with git appended.
  before_script:
    - apt-get update -qq && apt-get install -y -qq curl jq coreutils git
  script:
    - *download-scanner
    - ./scanner.sh secrets
# Static analysis using the semgrep image.
sast-scan:
  # NOTE(review): the inherited before_script runs apt-get; confirm this image
  # is Debian-based, or override before_script, otherwise the job fails before
  # the scanner is downloaded.
  image: returntocorp/semgrep
  extends: .dep-control-base
  script:
    - *download-scanner
    - ./scanner.sh sast
# Infrastructure-as-code scanning with the KICS image.
iac-scan:
  extends: .dep-control-base
  image:
    name: checkmarx/kics:debian
    # Clear the image's own entrypoint so the runner's shell executes the
    # script lines below.
    entrypoint: [""]
  script:
    - *download-scanner
    - ./scanner.sh iac
# Bearer scan; same package set as secret-scan (base tools plus git).
bearer-scan:
  image: debian:bookworm-slim
  extends: .dep-control-base
  # Replaces the inherited before_script; git is the only addition.
  before_script:
    - apt-get update -qq && apt-get install -y -qq curl jq coreutils git
  script:
    - *download-scanner
    - ./scanner.sh bearer
# Call-graph upload: runs automatically on the default branch, is a manual
# job everywhere else.
callgraph-upload:
  image: node:20-bookworm
  extends: .dep-control-base
  # Replaces the inherited before_script; adds the Python toolchain.
  before_script:
    - apt-get update -qq && apt-get install -y -qq curl jq coreutils python3 python3-pip
  script:
    - *download-scanner
    - ./scanner.sh callgraph
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - when: manual
  # Job-level, so it applies to both rules: a failed upload on the default
  # branch does not block the pipeline either. NOTE(review): if only the manual
  # run should be non-blocking, move allow_failure into that rule — TODO confirm.
  allow_failure: true