# ============================================================
# EXAMPLE — Advanced isnad-scan integration
# ============================================================
# Demonstrates:
# • Scanning multiple targets (repo + external package)
# • Custom trust-score threshold
# • JSON report for downstream processing
# • Quality gate blocking merges
# • Scheduled nightly deep scan
# • Custom runner tags
# ============================================================
include:
  # Pulls the shared template that (presumably) defines the default
  # isnad:scan job which the jobs below override and extend.
  # NOTE(review): `ref: main` is a moving target — anything pushed to that
  # branch changes this pipeline's behaviour on the next run. Prefer a release
  # tag or a full commit SHA (`ref: <pinned-tag-or-sha>`) and bump it
  # deliberately.
  - project: 'counterspec/isnad'
    file: 'templates/isnad-scan.gitlab-ci.yml'
    ref: main
variables:
  # Raise the trust bar for production-bound code
  # Global default. The scan jobs below also set a per-job ISNAD_MIN_TRUST and
  # isnad:gate applies a numeric threshold of its own — keep them in agreement.
  # NOTE(review): how the included template consumes ISNAD_SCAN_MIN_TRUST_SCORE
  # versus ISNAD_MIN_TRUST is not visible here — confirm against the template.
  ISNAD_SCAN_MIN_TRUST_SCORE: "85"
# Stage order: the scan and the quality gate both complete before any job in
# the deploy stage can start.
stages: [build, scan, gate, deploy]
# ── Override the default scan job with project-specific settings ──
# Re-declares the template's isnad:scan job; the keys given here take
# precedence over the included definition of the same job name.
isnad:scan:
  stage: scan
  variables:
    # Scan the repository checkout itself
    ISNAD_TARGET: "."
    # NOTE(review): isnad:gate reads isnad-reports/isnad-report.json. Whether a
    # JSON report is still written when ISNAD_FORMAT is "sarif" depends on the
    # template — confirm, otherwise the gate never sees a report.
    ISNAD_FORMAT: "sarif"
    ISNAD_MIN_TRUST: "85"
    ISNAD_FAIL_ON: "high"
    # Suppress known-false-positive rules
    # Record the justification (ticket or review link) for each suppressed
    # rule id so this exclusion list does not grow silently.
    ISNAD_SKIP_RULES: "ISNAD-001,ISNAD-007"
  # Runs in every pipeline (branch, merge request, schedule)
  rules:
    - when: always
# ── Scan a third-party PyPI package before adding it ────────────
# Inherits isnad:scan (variables are merged, so ISNAD_SKIP_RULES applies here
# as well) and re-targets the scan at a PyPI package instead of the checkout.
isnad:scan:dependency:
  extends: isnad:scan
  stage: scan
  variables:
    # NOTE(review): an unversioned target resolves to whatever the index serves
    # at run time; pin the exact version being adopted so the verdict is
    # reproducible. The target spec syntax is the template's — confirm there.
    ISNAD_TARGET: "pypi:some-new-dependency"
    ISNAD_FORMAT: "json"
    # Stricter than the repository scan: third-party code gets a higher bar
    ISNAD_MIN_TRUST: "90"
    ISNAD_FAIL_ON: "medium"
    # Keep this report apart from the repository scan's output
    ISNAD_REPORT_DIR: "isnad-reports/dependency"
  artifacts:
    paths:
      - isnad-reports/dependency/
    expire_in: 7 days
    # Upload the report even when the job fails so the findings are reviewable
    when: always
  # Replaces the parent's `when: always`: merge request pipelines only
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      when: always
    - when: never
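# ── Quality gate: block merge if trust score insufficient ────────
# Reads the JSON report produced by isnad:scan and fails the job when the
# reported trust score is below the threshold. The gate fails closed: a
# missing or unparseable report is a gate failure, not a skip.
isnad:gate:
  # NOTE(review): floating tag — pin to a digest (python:3.11-slim@sha256:<digest>)
  image: python:3.11-slim
  stage: gate
  needs:
    - job: isnad:scan
      artifacts: true
  # Only the Python standard library is used, so no `pip install` is needed;
  # the gate should not fetch unpinned packages from the network at run time.
  script:
    - |
      REPORT="isnad-reports/isnad-report.json"
      # Threshold follows the global variable; 85 is the fallback if it is unset.
      THRESHOLD="${ISNAD_SCAN_MIN_TRUST_SCORE:-85}"
      if [ ! -f "$REPORT" ]; then
        echo "[isnad:gate] No JSON report found at ${REPORT} — failing closed."
        echo "[isnad:gate] Check that isnad:scan emits a JSON report (ISNAD_FORMAT)."
        exit 1
      fi
      # Report path and threshold are handed over via the environment rather
      # than interpolated into the Python source, so report contents can never
      # alter the checking code itself.
      REPORT="$REPORT" THRESHOLD="$THRESHOLD" python3 - <<'PY'
      import json
      import os
      import sys

      with open(os.environ["REPORT"]) as fh:
          data = json.load(fh)
      threshold = float(os.environ["THRESHOLD"])
      raw = data.get("summary", {}).get("trustScore")
      try:
          score = float(raw)
      except (TypeError, ValueError):
          # A report without a numeric score gives no evidence to pass on.
          print(f"❌ GATE FAILED — trustScore missing or non-numeric: {raw!r}")
          sys.exit(1)
      print(f"[isnad:gate] Trust score: {score} (required: {threshold})")
      if score < threshold:
          print(f"❌ GATE FAILED — score {score} < {threshold}")
          sys.exit(1)
      print(f"✅ GATE PASSED — score {score} >= {threshold}")
      PY
  # The gate must exist in every pipeline where deploy:production can run,
  # because that job lists isnad:gate in `needs`: merge request pipelines and
  # default-branch pipelines.
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      when: on_success
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      when: on_success
    - when: never
  # A failed gate fails the pipeline; no soft-fail
  allow_failure: false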
# ── Nightly deep scan (schedule-triggered) ──────────────────────
# Full-checkout scan with a lower trust floor but broader coverage; inherits
# isnad:scan's variables (ISNAD_SKIP_RULES included) and overrides the rest.
isnad:nightly:
  extends: isnad:scan
  stage: scan
  variables:
    ISNAD_TARGET: "."
    ISNAD_FORMAT: "json"
    # Lower floor than the merge request scan; presumably only critical
    # findings fail the job — semantics of ISNAD_FAIL_ON are the template's.
    ISNAD_MIN_TRUST: "75"
    ISNAD_FAIL_ON: "critical"
    # Enable deep scan mode for nightly runs
    # NOTE(review): passed through to the scanner as-is — confirm the flag
    # names match the scanner version the template installs.
    ISNAD_EXTRA_ARGS: "--deep --include-dev-dependencies"
  # Replaces the parent's `when: always`: pipeline schedules only
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: always
    - when: never
  artifacts:
    paths:
      - isnad-reports/
    # Longer retention than the merge request scans: these are the audit trail
    expire_in: 90 days
    when: always
# ── Example build / deploy stubs ────────────────────────────────
# Placeholder build job; replace the echo with the real build command.
build:
  stage: build
  # NOTE(review): `node:20-slim` is a floating tag — pin to a digest
  # (node:20-slim@sha256:<digest>) for reproducible builds.
  image: node:20-slim
  script:
    - echo "Building project..."
  rules:
    - when: always
# Placeholder deploy job: manual, default branch only.
deploy:production:
  stage: deploy
  # NOTE(review): `alpine:latest` is a floating tag — pin to a digest.
  image: alpine:latest
  script:
    - echo "Deploying to production..."
  # Waits for the build and both isnad jobs before it can be triggered.
  # NOTE(review): every job listed in `needs` must exist in the same pipeline.
  # Confirm that isnad:gate's rules admit default-branch pipelines; if they
  # only match merge_request_event, the default-branch pipeline this job runs
  # in has no isnad:gate job and GitLab rejects the configuration (unless the
  # entry is marked `optional: true`, which would let deploys bypass the gate).
  needs:
    - build
    - isnad:scan
    - isnad:gate
  rules:
    # Manual trigger, and only from the default branch
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      when: manual