
Code Risk Identification

This workflow identifies potential security vulnerabilities in your codebase. It takes a SARIF file as input, uploads it to DevGuard for analysis, and helps ensure that all code is secure and up to date.

The code-risk-identification component accepts the following inputs:

Name         | Description                                            | Required | Default Value
-------------|--------------------------------------------------------|----------|------------------------------
api_url      | The DevGuard API URL                                   | No       | https://api.main.devguard.org
asset_name   | Name of the asset to scan                              | Yes      |
token        | API token for authenticating with DevGuard             | Yes      |
scan_stage   | The stage where the scan is run                        | No       | test
runner_tags  | The runner tags used to select appropriate CI runners  | No       | ""
sarif_file   | The SARIF file to use for the scan                     | No       | test
needs        | The jobs that this job depends on                      | No       | ""
dependencies | Specifies the jobs whose artifacts this job relies on  | No       | ""

Usage Examples:

If you have the SARIF file in the repository:

include:
  - remote: "https://gitlab.com/l3montree/devguard/-/raw/main/templates/code-risk-identification@main"
    inputs:
      asset_name: "myOrganization/projects/myProject/assets/myAsset"
      token: "$DEVGUARD_TOKEN"
      sarif_file: "./result.sarif"   # path relative to the repository root


If you have the SARIF file in an artifact from a previous job:

gitleaks-secret-scanning:
  stage: build
  image:
    name: ghcr.io/gitleaks/gitleaks:v8.23.2@sha256:d09cbc6b5faa03d81ef4bf430f1a9b6468d992cd30f30ad213b0c53e057fc817
    entrypoint: [""]
  dependencies: []
  needs: []
  # gitleaks exits non-zero when it finds leaks, which fails this job; because artifacts are
  # uploaded only on success by default, add `artifacts: when: always` (and `allow_failure: true`)
  # if the report must still reach the scan job when secrets were found.
  script: gitleaks detect -b --path=$CI_PROJECT_DIR --report-format sarif --report-path result.sarif
  artifacts:
    paths:
      - result.sarif   # consumed by code-risk-identification via `dependencies` below

include:
  - component: $CI_SERVER_FQDN/$CI_PROJECT_PATH/code-risk-identification@$CI_COMMIT_SHA
    inputs:
      asset_name: "myOrganization/projects/myProject/assets/myAsset"
      token: "$DEVGUARD_TOKEN"
      sarif_file: "./result.sarif"
      needs: "gitleaks-secret-scanning"          # wait for the scanner job
      dependencies: "gitleaks-secret-scanning"   # fetch its result.sarif artifact
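As an added example (not part of the DevGuard component or the gitleaks project), a small pre-check that a job placed between the scanner and code-risk-identification could run to confirm that the artifact it hands over is a SARIF 2.1.0 document with at least one run; the sample report and the file name `result.sarif` are constructed here to mirror the pipeline above.

```python
"""Sanity-check a SARIF report before handing it to the code-risk-identification job."""
import json
from pathlib import Path

# Constructed sample: a minimal SARIF 2.1.0 report of the shape a secret scanner writes.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "gitleaks", "rules": [{"id": "generic-api-key"}]}},
        "results": [
            {"ruleId": "generic-api-key", "level": "error",
             "message": {"text": "Detected a Generic API Key"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "config/settings.py"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "generic-api-key",  # no "level": SARIF treats this as "warning"
             "message": {"text": "Possible key in documentation"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "README.md"},
                                                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def summarize_sarif(report: dict) -> dict:
    """Validate the SARIF shape; return tool names, total results and per-level counts.
    Raises ValueError when the document is not a usable SARIF 2.1.0 report."""
    if report.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {report.get('version')!r}")
    runs = report.get("runs")
    if not isinstance(runs, list) or not runs:
        raise ValueError("SARIF report has no runs")
    summary = {"tools": [], "results": 0, "by_level": {}}
    for run in runs:
        summary["tools"].append(run["tool"]["driver"]["name"])
        for result in run.get("results", []):
            level = result.get("level", "warning")  # spec default when level is absent
            summary["by_level"][level] = summary["by_level"].get(level, 0) + 1
            summary["results"] += 1
    return summary


def is_ingestible(report: dict) -> bool:
    """True if summarize_sarif accepts the report, False otherwise."""
    try:
        summarize_sarif(report)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def check_sarif_file(path: str) -> dict:
    """Load a SARIF file from disk (e.g. the result.sarif artifact) and summarize it."""
    return summarize_sarif(json.loads(Path(path).read_text(encoding="utf-8")))
```

Run as a pipeline step, a non-zero exit from `check_sarif_file("result.sarif")` stops the job before the upload rather than letting an empty or malformed report reach DevGuard.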