From 10ad61fb5008e8d366781750fc74c349351989b1 Mon Sep 17 00:00:00 2001
From: Lyle Hanson <lyle.hanson@wisc.edu>
Date: Tue, 11 Oct 2022 10:43:34 -0400
Subject: [PATCH] Add security scanning jobs

---
 .gitlab-ci.yml | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3f02397..ac2a345 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,11 @@
 image: maven:3-amazoncorretto-8
 
+include:
+  # Security scanning
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+
 variables:
   # This will suppress any download for dependencies and plugins or upload messages which would clutter the console log.
   # `showDateTime` will show the passed time in milliseconds. You need to specify `--batch-mode` to make this work.
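Review bot: The three `template:` includes resolve against whichever GitLab version the instance runs, so analyzer behaviour and defaults can change on an instance upgrade without any change to this file; a comment above the `include:` block recording that, e.g. `# Bundled GitLab templates: re-check analyzer defaults after instance upgrades`, would help the next maintainer. Since this is a first-time enablement on an existing repository, note that the secret-detection job by default covers the commits of the current pipeline rather than the repository history, so a one-off run with `SECRET_DETECTION_HISTORIC_SCAN: "true"` is worth considering to establish a baseline before relying on per-pipeline results.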
@@ -20,10 +26,39 @@ default:
     - aws
     - docker
 
-test:
-  stage: test
+stages:
+  - build
+  - test
+  - deploy
+
+build_jar:
+  stage: build
   script:
-    - mvn clean $MAVEN_CLI_OPTS verify
+    - mvn $MAVEN_CLI_OPTS clean verify
+  artifacts:
+    paths:
+      - target
+    reports:
+      dotenv: vars.env
+
+# Security scanning jobs
+secret_detection:
+  needs: []
+
+semgrep-sast:
+  needs: []
+
+gemnasium-maven-dependency_scanning:
+  variables:
+    DS_JAVA_VERSION: 8
+
+spotbugs-sast:
+  needs:
+    - build_jar
+  variables:
+    SAST_JAVA_VERSION: 8
+    MAVEN_REPO_PATH: $CI_PROJECT_DIR/.m2/repository
+    COMPILE: "false"
 
 deploy:
   stage: deploy
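Review bot: `build_jar` declares `reports: dotenv: vars.env`, but its single `script` line (`mvn $MAVEN_CLI_OPTS clean verify`) does not write `vars.env`, so unless that file already exists in the repository the report is empty or the upload only warns; either drop the report or add the step that produces it. Related: `spotbugs-sast` sets `COMPILE: "false"` and `MAVEN_REPO_PATH: $CI_PROJECT_DIR/.m2/repository`, yet `build_jar` only exports `target` as an artifact, so the local Maven repository reaches the analyzer only if a cache shared by both jobs populates it — that configuration is outside this hunk, so confirm it, or add `.m2/repository` to `artifacts:paths`. Minor style point: `DS_JAVA_VERSION: 8` and `SAST_JAVA_VERSION: 8` are YAML integers while `COMPILE` is a quoted string; writing them as `"8"` keeps the variables blocks uniformly strings, which is what CI variables become anyway. The `deploy` job continues past the end of the hunk.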
-- 
GitLab