diff --git a/ee/spec/lib/gitlab/ci/templates/sast_latest_gitlab_ci_yaml_spec.rb b/ee/spec/lib/gitlab/ci/templates/sast_latest_gitlab_ci_yaml_spec.rb
index 6f3a54daf5a53dc87296427bd78b1017d1a5ca34..6383ee0d7f8c4489a0714f6428bd0f565d1ff667 100644
--- a/ee/spec/lib/gitlab/ci/templates/sast_latest_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_latest_gitlab_ci_yaml_spec.rb
@@ -28,7 +28,9 @@
     end
 
     context 'when project has no license' do
-      context 'when SAST_DISABLED=1' do
+      let(:files) { { 'a.rb' => '' } }
+
+      context 'when SAST_DISABLED="1"' do
         before do
           create(:ci_variable, project: project, key: 'SAST_DISABLED', value: '1')
         end
@@ -40,6 +42,28 @@
         end
       end
 
+      context 'when SAST_DISABLED="true"' do
+        before do
+          create(:ci_variable, project: project, key: 'SAST_DISABLED', value: 'true')
+        end
+
+        it 'includes no jobs' do
+          expect(build_names).to be_empty
+          expect(pipeline.errors.full_messages).to match_array(['Pipeline will not run for the selected trigger. ' \
+            'The rules configuration prevented any jobs from being added to the pipeline.'])
+        end
+      end
+
+      context 'when SAST_DISABLED="false"' do
+        before do
+          create(:ci_variable, project: project, key: 'SAST_DISABLED', value: 'false')
+        end
+
+        it 'includes jobs' do
+          expect(build_names).not_to be_empty
+        end
+      end
+
       context 'when SAST_EXPERIMENTAL_FEATURES is disabled for iOS projects' do
         let(:files) { { 'a.xcodeproj/x.pbxproj' => '' } }
 
diff --git a/ee/spec/lib/gitlab/ci/templates/secret_detection_latest_gitlab_ci_yaml_spec.rb b/ee/spec/lib/gitlab/ci/templates/secret_detection_latest_gitlab_ci_yaml_spec.rb
index d8857061068c34b53b8867f0ad907d3cefe3c4a7..f23295aef7c0427b61736a6da4f54aa3b747e848 100644
--- a/ee/spec/lib/gitlab/ci/templates/secret_detection_latest_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/secret_detection_latest_gitlab_ci_yaml_spec.rb
@@ -28,7 +28,7 @@
     end
 
     context 'when project has no license' do
-      context 'when SECRET_DETECTION_DISABLED=1' do
+      context 'when SECRET_DETECTION_DISABLED="1"' do
         before do
           create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: '1')
         end
@@ -40,6 +40,28 @@
         end
       end
 
+      context 'when SECRET_DETECTION_DISABLED="true"' do
+        before do
+          create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: 'true')
+        end
+
+        it 'includes no jobs' do
+          expect(build_names).to be_empty
+          expect(pipeline.errors.full_messages).to match_array(['Pipeline will not run for the selected trigger. ' \
+            'The rules configuration prevented any jobs from being added to the pipeline.'])
+        end
+      end
+
+      context 'when SECRET_DETECTION_DISABLED="false"' do
+        before do
+          create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: 'false')
+        end
+
+        it 'includes jobs' do
+          expect(build_names).not_to be_empty
+        end
+      end
+
       context 'when branch pipeline' do
         it 'creates a pipeline with the expected jobs' do
           expect(pipeline.errors.full_messages).to be_empty
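Review bot: The new contexts pin only the spellings `'1'`, `'true'` and `'false'`, so nothing here fixes what happens for a value the template's exact comparison does not recognise, such as `'TRUE'`; the same gap is in the matching hunk of the SAST spec above. Because the rule compares strings exactly, such a value should leave scanning enabled, and a test for it keeps a later edit from quietly widening the set of values that can switch a security scanner off. The `'false'` examples would also be stronger if they named the job instead of using `not_to be_empty`, which passes as soon as any single job is created. The fence sketches the extra context, assuming the branch pipeline here yields the template's `secret_detection` job; the enclosing `context 'when project has no license'` opens outside this hunk.

```ruby
      context 'when SECRET_DETECTION_DISABLED="TRUE"' do
        before do
          create(:ci_variable, project: project, key: 'SECRET_DETECTION_DISABLED', value: 'TRUE')
        end

        # Unrecognised spellings must not disable the scanner.
        it 'includes jobs' do
          expect(build_names).to include('secret_detection')
        end
      end
```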
diff --git a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
index 77048037915ffcd4ef437f167010a77c683a0dc3..b4bff9d96671230c73c5de8ec8fd2b1e51a16637 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml
@@ -34,7 +34,7 @@ kics-iac-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kics:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /kics/
       when: never
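Review bot: The new condition on `SAST_DISABLED` is an exact, case-sensitive string match, and nothing in the template says so: a value such as `"True"` or `"yes"`, which the old truthiness check treated as disabled, now leaves the job enabled. That direction is the safe one for a security scanner, but it should be stated where users read it, e.g. `# Only the exact values 'true' or '1' disable this job; any other value, including 'false', leaves it enabled.` above the rule. The same applies to every `SAST_DISABLED` rule changed in the SAST template hunks below and to `SECRET_DETECTION_DISABLED` in the Secret-Detection template. The non-`latest` counterparts of these templates are not part of this diff; if they still use the bare `if: $SAST_DISABLED` form, the same variable value will behave differently depending on which template a project includes. The `rules:` list continues past the end of this hunk.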
diff --git a/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml
index 1c4dbe6cd0f786659c6d3f7f011bf5b4609af565..e7c8356662b9a68bd5ff48a46cacd1f42b88731f 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml
@@ -51,7 +51,7 @@ brakeman-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
       when: never
@@ -83,7 +83,7 @@ flawfinder-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /flawfinder/
       when: never
@@ -123,7 +123,7 @@ kubesec-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /kubesec/
       when: never
@@ -147,7 +147,7 @@ kubesec-sast:
 mobsf-android-sast:
   extends: .mobsf-sast
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
       when: never
@@ -169,7 +169,7 @@ mobsf-android-sast:
 mobsf-ios-sast:
   extends: .mobsf-sast
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /mobsf/
       when: never
@@ -196,7 +196,7 @@ nodejs-scan-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
       when: never
@@ -217,7 +217,7 @@ phpcs-security-audit-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/
       when: never
@@ -238,7 +238,7 @@ pmd-apex-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/
       when: never
@@ -259,7 +259,7 @@ security-code-scan-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/
       when: never
@@ -283,7 +283,7 @@ semgrep-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
       when: never
@@ -326,7 +326,7 @@ sobelow-sast:
     SAST_ANALYZER_IMAGE_TAG: 3
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
   rules:
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /sobelow/
       when: never
@@ -353,7 +353,7 @@ spotbugs-sast:
       exists:
         - '**/AndroidManifest.xml'
       when: never
-    - if: $SAST_DISABLED
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"  # Add the job to merge request pipelines if there's an open merge request.
       exists:
diff --git a/lib/gitlab/ci/templates/Jobs/Secret-Detection.latest.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/Secret-Detection.latest.gitlab-ci.yml
index 6603ee4268ecbfe6fec6c1bb15d9c56f043b8675..f343dfaa28ff96f213c6bdd58cf9d6c422641582 100644
--- a/lib/gitlab/ci/templates/Jobs/Secret-Detection.latest.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/Secret-Detection.latest.gitlab-ci.yml
@@ -27,7 +27,7 @@ variables:
 secret_detection:
   extends: .secret-analyzer
   rules:
-    - if: $SECRET_DETECTION_DISABLED
+    - if: $SECRET_DETECTION_DISABLED == 'true' || $SECRET_DETECTION_DISABLED == '1'
       when: never
     - if: $CI_PIPELINE_SOURCE == "merge_request_event"  # Add the job to merge request pipelines if there's an open merge request.
     - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
diff --git a/spec/lib/gitlab/ci/templates/Jobs/sast_iac_latest_gitlab_ci_yaml_spec.rb b/spec/lib/gitlab/ci/templates/Jobs/sast_iac_latest_gitlab_ci_yaml_spec.rb
index 039a6a739dd5d2a7b1be973a8ba0003f3c1d925f..2b9213ea921494f4ee2beda1991913ffa0ece6f2 100644
--- a/spec/lib/gitlab/ci/templates/Jobs/sast_iac_latest_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Jobs/sast_iac_latest_gitlab_ci_yaml_spec.rb
@@ -23,27 +23,33 @@
       allow(project).to receive(:default_branch).and_return(default_branch)
     end
 
-    context 'on feature branch' do
-      let(:pipeline_ref) { 'feature' }
+    context 'when SAST_DISABLED="false"' do
+      before do
+        create(:ci_variable, key: 'SAST_DISABLED', value: 'false', project: project)
+      end
+
+      context 'on feature branch' do
+        let(:pipeline_ref) { 'feature' }
 
-      it 'creates the kics-iac-sast job' do
-        expect(build_names).to contain_exactly('kics-iac-sast')
+        it 'creates the kics-iac-sast job' do
+          expect(build_names).to contain_exactly('kics-iac-sast')
+        end
       end
-    end
 
-    context 'on merge request' do
-      let(:service) { MergeRequests::CreatePipelineService.new(project: project, current_user: user) }
-      let(:merge_request) { create(:merge_request, :simple, source_project: project) }
-      let(:pipeline) { service.execute(merge_request).payload }
+      context 'on merge request' do
+        let(:service) { MergeRequests::CreatePipelineService.new(project: project, current_user: user) }
+        let(:merge_request) { create(:merge_request, :simple, source_project: project) }
+        let(:pipeline) { service.execute(merge_request).payload }
 
-      it 'creates a pipeline with the expected jobs' do
-        expect(pipeline).to be_merge_request_event
-        expect(pipeline.errors.full_messages).to be_empty
-        expect(build_names).to match_array(%w(kics-iac-sast))
+        it 'creates a pipeline with the expected jobs' do
+          expect(pipeline).to be_merge_request_event
+          expect(pipeline.errors.full_messages).to be_empty
+          expect(build_names).to match_array(%w(kics-iac-sast))
+        end
       end
     end
 
-    context 'SAST_DISABLED is set' do
+    context 'when SAST_DISABLED="true"' do
       before do
         create(:ci_variable, key: 'SAST_DISABLED', value: 'true', project: project)
       end
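Review bot: Moving the `on feature branch` and `on merge request` contexts under `when SAST_DISABLED="false"` leaves the visible part of this spec without a case where the variable is not defined at all, which is the default for most projects. The new rule's behaviour for an undefined variable is then asserted nowhere in this hunk, so a regression that skipped `kics-iac-sast` when `SAST_DISABLED` is unset would pass. Keeping the two contexts at the top level and running the same examples again under the `"false"` context (for instance through `shared_examples`) covers both; a `value: '1'` case next to the `'true'` one would match the other specs in this change. The `when SAST_DISABLED="true"` context continues past the end of the hunk.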