Versions Compared

...

Code Block
stages:
  - security-scan

datatheorem-sast-scan-branch-job:
  only:
    - main  # Trigger on default branch push, replace 'main' with the name of your default branch
  tags:
    - gitlab-runner-docker # Needs to be an executor compatible with the `image` feature
  stage: security-scan
  image: us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest
  script:
    - export DT_SAST_API_KEY=$DT_SAST_API_KEY
    - export DT_SAST_REPOSITORY_NAME=$CI_PROJECT_PATH
    - export DT_SAST_REPOSITORY_PLATFORM="GITLAB_ON_PREM"
    - export DT_SAST_REPOSITORY_ID=$CI_PROJECT_ID
    - export DT_SAST_REPOSITORY_HTML_URL=$CI_PROJECT_URL
    - export DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME=$CI_DEFAULT_BRANCH
    - export DT_SAST_SCAN_HEAD_REF=$CI_COMMIT_REF_NAME
    - data_theorem_sast_analyzer scan ./

datatheorem-sast-scan-merge-request-job:
  only:
    - merge_requests
  tags:
    - gitlab-runner-docker # Needs to be an executor compatible with the `image` feature
  stage: security-scan
  image: us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest
  script:
    - export DT_SAST_API_KEY=$DT_SAST_API_KEY
    - export DT_SAST_REPOSITORY_NAME=$CI_PROJECT_PATH
    - export DT_SAST_REPOSITORY_PLATFORM="GITLAB_ON_PREM"
    - export DT_SAST_REPOSITORY_ID=$CI_PROJECT_ID
    - export DT_SAST_REPOSITORY_HTML_URL=$CI_PROJECT_URL
    - export DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME=$CI_DEFAULT_BRANCH
    - export DT_SAST_SCAN_TARGET_REF=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
    - data_theorem_sast_analyzer scan ./


Troubleshooting

SSL Errors

If the scanner is failing because of SSL errors, it may be because you are running the scanner behind a proxy that is making SSL verification fail.

...

  • Since the Data Theorem SAST scanner runs inside a Docker container, which may not contain the certificates needed to make valid calls through your proxy, we can mount the host machine's SSL certificates directory into the Docker container and add a parameter to let the scanner know where to look for SSL certificates.
    This can be done like this:

    Code Block
    export DT_SAST_API_KEY=<YOUR API KEY>
    export DT_SAST_REPOSITORY_NAME="<my_org>/<my_repo>"
    docker run -it \
     -e DT_SAST_API_KEY=$DT_SAST_API_KEY \
     -e DT_SAST_REPOSITORY_NAME=$DT_SAST_REPOSITORY_NAME \
     -e DT_SAST_NO_FORWARD_MODE=true \
     -e DT_SAST_PATH_TO_SSL_CERTS_FILE=/etc/ssl/certs/ \
     --mount type=bind,source="$(pwd)"/,target=/target \
     --mount type=bind,source="/etc/ssl/certs/",target=/etc/ssl/certs/ \
     us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest data_theorem_sast_analyzer scan /target
  • If this is not working, please contact support@datatheorem.com for help.
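The following preflight script is an added example for the certificate-mount workaround above; it is not part of this page and not Data Theorem's tooling. The function name dt_sast_preflight and its argument order are assumptions. It checks the inputs a practitioner typically gets wrong before launching the container (an unset or placeholder API key, a malformed repository name, a certificate directory with no CA material, and symlinked certificates that will dangle inside the container once only /etc/ssl/certs is mounted), then prints the docker command as a dry run without ever echoing the API key value.

```shell
#!/bin/sh
# Added example, not Data Theorem's own tooling: preflight checks before running
# the SAST container with the host CA directory bind-mounted (the troubleshooting
# step above). Prints the docker command it would run so it can be reviewed first.

# Hypothetical helper: dt_sast_preflight API_KEY REPO_NAME CERTS_DIR TARGET_DIR
# Returns 0 and prints the command on success, returns 1 with a reason on stderr.
dt_sast_preflight() {
  api_key="$1"; repo_name="$2"; certs_dir="$3"; target_dir="$4"

  # The API key must come from an injected secret, never an empty or placeholder value.
  if [ -z "$api_key" ] || [ "$api_key" = "<YOUR API KEY>" ]; then
    echo "preflight: DT_SAST_API_KEY is unset or still the placeholder" >&2
    return 1
  fi

  # Repository name is expected as <org>/<repo>.
  case "$repo_name" in
    */*) ;;
    *) echo "preflight: DT_SAST_REPOSITORY_NAME must be <org>/<repo>, got '$repo_name'" >&2; return 1 ;;
  esac

  [ -d "$certs_dir" ] || { echo "preflight: $certs_dir is not a directory" >&2; return 1; }
  [ -d "$target_dir" ] || { echo "preflight: $target_dir is not a directory" >&2; return 1; }

  # The bind mount only helps if the directory actually contains CA material.
  has_cert=0
  for f in "$certs_dir"/*.pem "$certs_dir"/*.crt; do
    [ -e "$f" ] && { has_cert=1; break; }
  done
  if [ "$has_cert" -eq 0 ]; then
    echo "preflight: no .pem/.crt files in $certs_dir" >&2
    return 1
  fi

  # Caveat: on Debian-style hosts /etc/ssl/certs/*.pem are symlinks into
  # /usr/share/ca-certificates; mounted alone they dangle inside the container.
  # Count symlinks whose target lies outside the mounted directory and warn.
  dangling=0
  for f in "$certs_dir"/*; do
    [ -L "$f" ] || continue
    link=$(readlink "$f")
    case "$link" in
      "$certs_dir"/*) ;;                     # absolute target inside the mounted dir
      /*|../*) dangling=$((dangling + 1)) ;;  # absolute elsewhere, or relative escape
    esac
  done
  [ "$dangling" -eq 0 ] || echo "preflight: warning: $dangling symlink(s) in $certs_dir point outside it and will dangle in the container; mount their target directory too or point at the bundle file" >&2

  # Dry run: print the command. The key is passed through with a bare -e so its
  # value never appears in logs; --rm replaces -it because CI jobs have no TTY.
  printf 'docker run --rm -e DT_SAST_API_KEY -e DT_SAST_REPOSITORY_NAME=%s -e DT_SAST_NO_FORWARD_MODE=true -e DT_SAST_PATH_TO_SSL_CERTS_FILE=/etc/ssl/certs/ --mount type=bind,source=%s,target=/target --mount type=bind,source=%s,target=/etc/ssl/certs/ us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest data_theorem_sast_analyzer scan /target\n' \
    "$repo_name" "$target_dir" "$certs_dir"
}

# Usage: DT_SAST_API_KEY=... DT_SAST_REPOSITORY_NAME=org/repo sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  dt_sast_preflight "${DT_SAST_API_KEY:-}" "${DT_SAST_REPOSITORY_NAME:-}" /etc/ssl/certs "$(pwd)"
fi
```

Because the printed command uses `-e DT_SAST_API_KEY` with no value, docker copies the variable from the calling environment, so the key must be exported in the shell that runs the command (as in the original snippet) but is never written to the job log.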