Security scans (demisto#25915)

yucohen · xsoar-bot · commit 613bbcd38f05 · 2023-10-05T11:32:49.000Z
* added as a new build flow

* reverted gitlab

* changed ref to master
diff --git a/.gitlab/ci/.gitlab-ci.on-push.yml b/.gitlab/ci/.gitlab-ci.on-push.yml
@@ -69,6 +69,8 @@ run-unittests-and-lint:
   rules:
     - if: '$BUCKET_UPLOAD == "true"'
       when: never
+    - if: '$SECURITY_SCANS == "true"'
+      when: never
     - if: '$FORCE_BUCKET_UPLOAD == "true"'
       when: never
     - if: '$DEMISTO_TEST_NATIVE_CANDIDATE == "true"'
diff --git a/.gitlab/ci/.gitlab-ci.security-scans.yml b/.gitlab/ci/.gitlab-ci.security-scans.yml
@@ -0,0 +1,48 @@
+.auto-secure-cicd-rule:
+  rules:
+    - if: '$SECURITY_SCANS == "true"'
+
+.auto-secure-cicd-rule-always:
+  rules:
+    - if: '$SECURITY_SCANS == "true"'
+      when: always
+
+stages:
+  - security
+
+auto secure cicd:
+  stage: security
+  variables:
+    PYTHONPATH: "/root/prodsec_tools/"
+  trigger:
+    include:
+      - file: "/.gitlab/ci/security-scans.yml"
+        ref: master
+        project: "xsoar/infra"
+    strategy: depend
+  extends:
+    .auto-secure-cicd-rule
+
+fan-in-security-scans:
+  tags:
+    - gke
+  stage: fan-in
+  extends:
+    - .auto-secure-cicd-rule-always
+  script:
+    - echo "fan in"
+
+
+slack-notify-security-scans:
+  variables:
+    PIPELINE_TO_QUERY: $CI_PIPELINE_ID
+    WORKFLOW: 'Security Scans'
+    JOB_NAME: 'fan-in-security-scans'
+    # Passes the environment variable from the parent pipeline to the child which can be useful for cases
+    # when triggering pipeline with alternate env variable value passed in the API call
+    SLACK_CHANNEL: $SLACK_CHANNEL
+    SLACK_JOB: 'true'
+  extends:
+    - .trigger-slack-notification
+    - .auto-secure-cicd-rule-always
+
diff --git a/.gitlab/ci/.gitlab-ci.yml b/.gitlab/ci/.gitlab-ci.yml
@@ -9,6 +9,7 @@ default:
     when: always
 
 stages:
+  - security
   - unittests-and-validations
   - prepare-testing-bucket
   - run-instances
@@ -68,3 +69,4 @@ include:
   - local: .gitlab/ci/.gitlab-ci.sdk-nightly.yml
   - local: .gitlab/ci/.gitlab-ci.miscellaneous.yml
   - local: .gitlab/ci/.gitlab-ci.test-native-candidate.yml
+  - local: .gitlab/ci/.gitlab-ci.security-scans.yml
diff --git a/Tests/scripts/gitlab_slack_notifier.py b/Tests/scripts/gitlab_slack_notifier.py
@@ -26,7 +26,8 @@
 SDK_NIGHTLY = 'Demisto SDK Nightly'
 PRIVATE_NIGHTLY = 'Private Nightly'
 TEST_NATIVE_CANDIDATE = 'Test Native Candidate'
-WORKFLOW_TYPES = {CONTENT_NIGHTLY, SDK_NIGHTLY, BUCKET_UPLOAD, PRIVATE_NIGHTLY, TEST_NATIVE_CANDIDATE}
+SECURITY_SCANS = 'Security Scans'
+WORKFLOW_TYPES = {CONTENT_NIGHTLY, SDK_NIGHTLY, BUCKET_UPLOAD, PRIVATE_NIGHTLY, TEST_NATIVE_CANDIDATE, SECURITY_SCANS}
 SLACK_USERNAME = 'Content GitlabCI'
 
 
