Commit 12772295 authored by 小 白蛋's avatar 小 白蛋

更新.gitlab-ci.yml文件

parent 5500bb57
Pipeline #158469 passed with stages
in 5 seconds
Showing with 36 additions and 28 deletions
+36 -28
stages:
- sast
- fortify-sast-scancentral
- fortify-get-reprot
variables:
# 用于触发codesec扫描的镜像
IMAGE_PATH: "repo.gitsec.cn/docker/ssp-command:latest"
# 指定需要扫描的代码仓库
GIT_URL: "https://git.gitsec.cn/baidan/cskefu.git"
# gitlab登录账号
GIT_ACCOUNT: "baidan"
# 之前我们生成的项目token
GIT_TOKEN: "a_SzLe73mJ4MLKoqgxVY"
# git分支(版本号)指定(可以为空,默认使用master)
GIT_BRANCH: "osc"
# 指定语言(1:Java;9:JavaScript)不指定为自动识别语言
LANGUAGE: ""
# codesec登录token,需要联系相关负责人获取
CODESEC_TOKEN: "eyJhbGciOiJIUzUxMiJ9.eyJub25jZSI6ImZmYTBjYjM1LTFlZjEtNGNhNC04YTEzLTQzYjhlY2I2ZTFjMyIsInN1YiI6ImZmYTBhMTllLWM0MmMtNGE4OC05YmVmLTEwOTAyOWI3YjI3NCJ9.K5lJQ8Lg_a40VMEKUMZtPg1tTFR0f8EhTjGnmgPoAbGF061bO95wO_bllLshe1kVeXo7rwHx0zKJLsOcLbE9Yg
"
# codesec服务地址,需要联系相关负责人获取
CODESEC_ADDRESS: "https://sast.gitsec.cn"
# codesec是否需要通过https访问
CS_HTTPS_ENABLE: "true"
sast:
stage: sast
image: "$IMAGE_PATH"
build_type: mvn #mvn指代maven
fortify-sast-scancentral:
stage: fortify-sast-scancentral
image: repo.gitsec.cn/docker/fortify-ci:v2.1
script:
- /opt/seczone/codesec/ssp-command/jre/bin/java -Doperation=createGit -DgitUrl="$GIT_URL" -DgitAccount="$GIT_ACCOUNT" -DgitToken="$GIT_TOKEN" -DcsToken="$CODESEC_TOKEN" -DcsAddress="$CODESEC_ADDRESS" -DcsHttpsEnable="$CS_HTTPS_ENABLE" -Dlanguage="$LANGUAGE" -DbranchName="$GIT_BRANCH" -jar /opt/seczone/codesec/ssp-command/lib/ssp-command.jar
# 执行脚本创建项目以及填入属性
- echo $(date +%s) > time.txt
- python3 /home/script/create.py $CI_PROJECT_NAME-$CI_PROJECT_NAMESPACE-$(cat time.txt) 1 FortifyToken MjMzM2IyNzgtZDRiOS00ZTA4LWJjZjAtOTM3YzhiNTJlMDNj http://fortify.gitsec.cn
# 上传待扫描的项目
- 'scancentral -url http://fortify.gitsec.cn/scancentral-ctrl/ -ssctoken 5dd97723-c2a4-476e-9351-417e8a50beff start -bt $build_type -upload -application $CI_PROJECT_NAME-$CI_PROJECT_NAMESPACE-$(cat time.txt) -version 1 -uptoken 5dd97723-c2a4-476e-9351-417e8a50beff | tee -a report.log'
allow_failure: true
#上传到私有仓库
artifacts:
reports:
sast: gl-sast-report.json
paths:
- gl-sast-report.json
expire_in: 3 day
\ No newline at end of file
- time.txt
- report.log
expire_in: 1 day
fortify-get-reprot:
stage: fortify-get-reprot
image: repo.gitsec.cn/docker/fortify-ci:v2.1
script:
# 下载报告扫描结果
- 'tail -n 1 report.log '
- 'cp report.log /home/script'
- 'python3 /home/script/get.py '
- 'echo $CI_PROJECT_NAME-$CI_PROJECT_NAMESPACE-$(cat time.txt)'
- 'FortifyVulnerabilityExporter SSCToGitLabSAST --ssc.baseUrl=http://fortify.gitsec.cn/ssc --ssc.authToken=2333b278-d4b9-4e08-bcf0-937c8b52e03c --ssc.version.name=$CI_PROJECT_NAME-$CI_PROJECT_NAMESPACE-$(cat time.txt):1 --ssc.userName="admin"'
- 'find / -name "gl-fortify-sast.json"'
allow_failure: true
artifacts:
reports:
sast: ./gl-fortify-sast.json
\ No newline at end of file
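Review bot: The Fortify job scripts carry live credentials as literals (the token argument to `create.py`, the `-ssctoken`/`-uptoken` values on the `scancentral` line, and `--ssc.authToken` on the `FortifyVulnerabilityExporter` line), alongside `GIT_TOKEN` and `CODESEC_TOKEN` in `variables:`, so anyone who can read the repository or its history can reuse them. Each should move to a masked, protected CI/CD variable and be referenced by name, e.g. `--ssc.authToken="$FORTIFY_SSC_TOKEN"` and `-ssctoken "$FORTIFY_CTRL_TOKEN"` (placeholder names), and the values already committed should be rotated. The Fortify URLs are `http://`, so these tokens would cross the network unencrypted; an `https://` endpoint is preferable if the server offers one. The page has lost its +/- markers, so which of these lines sit on the new side is inferred rather than certain.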