.gitlab-ci.yml
---
# Pipeline-level variables handed through to the included scanning
# components. Both are defined in terms of a CI/CD variable of the same
# name, so they take whatever value the project/group settings provide;
# presumably the components read SCAN_PATH / SCAN_ARGS — verify against
# the component docs in the catalog.
variables:
  SCAN_PATH: $SCAN_PATH
  SCAN_ARGS: $SCAN_ARGS

# Stage order: Fortify runs in `test`, dependency-check in `scan`.
stages:
  - test
  - scan

# Local override for the job contributed by the owasp_depcheck component:
# it only moves that job into the `scan` stage.
owasp_depcheck:
  stage: scan

# Local override for the job contributed by the fortify_scanning component.
# That component runs Fortify and converts the .fpr output to JSON; per the
# original note, on the default branch (check the repository settings in
# GitLab to see which branch that is) it also uploads the JSON to the
# GitLab security dashboard.
fortify_scanning:
  stage: test
  # Skip Fortify when SKIP_FORTIFY is set to 'true'. When the variable is
  # unset the comparison is still true, so the job runs by default.
  # NOTE(review): a `rules` array given here replaces, rather than merges
  # with, any rules the component's job defines — confirm the component has
  # no branch/event conditions this override silently drops.
  rules:
    - if: $SKIP_FORTIFY != 'true'

# CI/CD catalog components from the CORE security catalog.
# NOTE(review): all three references track the `main` ref, so the scan
# jobs change whenever the catalog project does. Pinning each component to
# a release tag or commit SHA (e.g. `@<release-tag-or-sha>`) gives a
# reproducible, reviewable pipeline; bump the pin deliberately.
include:
  # Dependency-Check (replaces the old owasp-depcheck template below).
  - component: ${CI_SERVER_HOST}/CORE/catalog/security/owasp_depcheck@main
  # Fortify (replaces the old fortify-scanning template below). This
  # version converts the .fpr file into JSON readable by the GitLab
  # security dashboard.
  - component: ${CI_SERVER_HOST}/CORE/catalog/security/fortify_scanning@main
  # Vulnerability-report export — noted by the author as not ready yet.
  - component: ${CI_SERVER_HOST}/CORE/catalog/security/vulnerability_report@main
    inputs:
      # private_token must come from a masked (and protected) project or
      # group variable: the value is interpolated into the component input
      # at pipeline-config time, and masking is what keeps it out of job
      # logs if the component echoes its inputs.
      private_token: ${PRIVATE_TOKEN}

# Read about the latest core utilities here: https://gitlab.gs.mil/CORE/catalog
#
# Old threadfix format (superseded by the fortify_scanning component):
# - project: 'DSO-Millennium-Falcon/gitlab-ci-templates/scanning-templates'
#   ref: master
#   file: '/fortify-scanning.yml'
#
# Old depcheck format (superseded by the owasp_depcheck component):
# - project: 'DSO-Millennium-Falcon/gitlab-ci-templates/scanning-templates'
#   ref: master
#   file: '/owasp-depcheck.gitlab-ci.yml'