From ac117c8c2cf05ef11a9f28724292a9107a7f74d6 Mon Sep 17 00:00:00 2001
From: Saheer Babu
Date: Mon, 24 Oct 2022 16:22:29 +0000
Subject: [PATCH] Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist
---
 .gitlab-ci.yml | 51 ++++++++++++++++++++++++++------------------------
 1 file changed, 27 insertions(+), 24 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 925707e..979d189 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,39 +1,42 @@
-# Copyright (c) 2021 Arm Limited and Contributors. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
+# You can override the included template(s) by including variable overrides
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
 include:
- - project: '${OPEN_IOT_SDK_BASE_GROUP}/tools/developer-tools'
- ref: 2dca7c7467676667e6fd69b1e0a6840b81a9a7b7
- file:
- - '/templates/pipeline-baseline-sdk.yml'
- - '/templates/sync-public/pipeline-sync-public.yml'
-
+- project: "${OPEN_IOT_SDK_BASE_GROUP}/tools/developer-tools"
+ ref: 2dca7c7467676667e6fd69b1e0a6840b81a9a7b7
+ file:
+ - "/templates/pipeline-baseline-sdk.yml"
+ - "/templates/sync-public/pipeline-sync-public.yml"
+- template: Security/SAST.gitlab-ci.yml
 variables:
- GIT_CLONE_PATH: /builds/workspace
-
+ GIT_CLONE_PATH: "/builds/workspace"
 workflow:
 rules:
- - if: $CI_MERGE_REQUEST_ID
- - if: $CI_COMMIT_REF_NAME =~ /^release-.*/
- - if: $CI_PIPELINE_SOURCE == "web"
- - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-
+ - if: "$CI_MERGE_REQUEST_ID"
+ - if: "$CI_COMMIT_REF_NAME =~ /^release-.*/"
+ - if: $CI_PIPELINE_SOURCE == "web"
+ - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
 stages:
- - quality_check
- - build
-
+- quality_check
+- build
+- test
 build gcc10:
 stage: build
 trigger:
- include: .gitlab/ci/pipeline/build-gcc.yml
+ include: ".gitlab/ci/pipeline/build-gcc.yml"
 strategy: depend
-
 build armc6:
 stage: build
 trigger:
- include: .gitlab/ci/pipeline/build-armclang.yml
+ include: ".gitlab/ci/pipeline/build-armclang.yml"
 strategy: depend
-
 mirror:
- extends: .sync-public
+ extends: ".sync-public"
 variables:
- SYNC_DESTINATION : 'https://${GITLAB_USER_ID}:${PUBLIC_SDK_TOKEN}@git.gitlab.arm.com/iot/open-iot-sdk/examples/${CI_PROJECT_NAME}.git'
+ SYNC_DESTINATION: https://${GITLAB_USER_ID}:${PUBLIC_SDK_TOKEN}@git.gitlab.arm.com/iot/open-iot-sdk/examples/${CI_PROJECT_NAME}.git
+sast:
+ stage: test
-- 
GitLab
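Review bot: The added `- template: Security/SAST.gitlab-ci.yml` include may not give any SAST coverage on merge requests, because the first `workflow` rule (`$CI_MERGE_REQUEST_ID`) turns those runs into merge request pipelines and, depending on the GitLab version, the stable template's analyzer jobs only match branch pipelines where `$CI_COMMIT_BRANCH` is set. Confirm that SAST jobs actually appear in an MR pipeline; if they do not, `Security/SAST.latest.gitlab-ci.yml` is the variant intended for merge request pipelines. The generated rewrite also drops the `# Copyright (c) 2021 Arm Limited and Contributors. All rights reserved.` and `# SPDX-License-Identifier: Apache-2.0` header lines, which looks unintended and should be restored above the new comment block. Separately, `SYNC_DESTINATION` still places `${PUBLIC_SDK_TOKEN}` inside the remote URL, so that variable should be a masked CI/CD variable and the `.sync-public` job (defined outside this file) checked so it never prints the URL to the job log.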