diff --git a/README.md b/README.md
index f9d94a86f0354daa62be6fad5c877f9d37fd9d87..d8406f75ea3e62aa0f6b66be0d4bb52c31bfbca5 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ include:
     file: '/templates/gitlab-ci-gitleaks.yml'
 ```
-## `gitleaks` and `gitleaks-quick` jobs configuration
+## `gitleaks` jobs configuration
 Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch).
 They use the following configuration.
@@ -27,8 +27,6 @@ They use the following configuration.
 | `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks | `zricethezav/gitleaks:latest` |
 | `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
 | `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |
-| `GITLEAKS_QUICK_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a quick Gitleaks analysis (on feature branches) | `--verbose` _(audit on the current branch)_ |
-| `GITLEAKS_QUICK_DEPTH` | Number of commits to scan (on feature branches) | `10` |
 ### Configuring Gitleaks rules
diff --git a/templates/gitlab-ci-gitleaks.yml b/templates/gitlab-ci-gitleaks.yml
index e3810516e68c887ae8662b17ad2ea8dd15829a49..51822b4a7913a319c82925a64930bb77306e7456 100644
--- a/templates/gitlab-ci-gitleaks.yml
+++ b/templates/gitlab-ci-gitleaks.yml
@@ -13,14 +13,33 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 # Floor, Boston, MA 02110-1301, USA.
 # =========================================================================================
-# default workflow rules
+# default workflow rules: Merge Request pipelines
 workflow:
   rules:
-    # exclude merge requests
-    - if: $CI_MERGE_REQUEST_ID
+    # prevent branch pipeline when an MR is open (prefer MR pipeline)
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
       when: never
     - when: always
+# test job prototype: implement adaptive pipeline rules
+.test-policy:
+  rules:
+    # on tag: auto & failing
+    - if: $CI_COMMIT_TAG
+    # on ADAPTIVE_PIPELINE_DISABLED: auto & failing
+    - if: '$ADAPTIVE_PIPELINE_DISABLED == "true"'
+    # on production or integration branch(es): auto & failing
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+    # early stage (dev branch, no MR): manual & non-failing
+    - if: '$CI_MERGE_REQUEST_ID == null && $CI_OPEN_MERGE_REQUESTS == null'
+      when: manual
+      allow_failure: true
+    # Draft MR: auto & non-failing
+    - if: '$CI_MERGE_REQUEST_TITLE =~ /^Draft:.*/'
+      allow_failure: true
+    # else (Ready MR): auto & failing
+    - when: on_success
+
 variables:
   # variabilized tracking image
   TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
@@ -28,9 +47,7 @@ variables:
   # Default Docker image (can be overridden)
   GITLEAKS_IMAGE: "zricethezav/gitleaks:latest"
   GITLEAKS_ARGS: "--verbose"
-  GITLEAKS_QUICK_DEPTH: "10"
-  GITLEAKS_QUICK_ARGS: "--verbose"
   # default production ref name (pattern)
   PROD_REF: '/^(master|main)$/'
   # default integration ref name (pattern)
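Review bot: The `ADAPTIVE_PIPELINE_DISABLED` variable introduced in the second `.test-policy` rule is not documented by this commit — the README hunk in the same diff drops the `GITLEAKS_QUICK_*` rows but adds no row for it, so users have no way to know that setting it to `"true"` forces every job back to auto-and-failing. A README row for `ADAPTIVE_PIPELINE_DISABLED` (accepted value `"true"`, default unset) should accompany this change. The `.test-policy` header comment would also benefit from stating the security consequence of the fourth rule: on a dev branch with no open MR the secret scan is `manual` and `allow_failure: true`, so leaked credentials pushed at that stage are only reported if someone triggers the job, and the blocking gate becomes the Ready-MR pipeline; something like `# NOTE: on dev branches without an MR the scan is manual and non-blocking; the Ready MR pipeline is the enforcing gate` makes that explicit. Separately, the `/^Draft:.*/` match is case-sensitive and covers only the `Draft:` prefix, so an MR marked draft via another prefix GitLab accepts would be treated as Ready (auto & failing) — acceptable if intended, but worth a comment.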
@@ -210,17 +227,4 @@ gitleaks:
       paths:
         - gitleaks/
   rules:
-    # on production and integration branch(es)
-    - if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
-# quick analysis on dev branches
-gitleaks-quick:
-  extends: gitleaks
-  variables:
-    GIT_DEPTH: "${GITLEAKS_QUICK_DEPTH}"
-  script:
-    - gitleaks detect ${TRACE+--log-level debug} --source . $gitleaks_rule_opts --report-path ./gitleaks/gitleaks-report.json --log-opts="-n ${GITLEAKS_QUICK_DEPTH}" $GITLEAKS_QUICK_ARGS
-  rules:
-    # only on non-production, non-integration branches
-    - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
-      allow_failure: true
+    - !reference [.test-policy, rules]
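Review bot: Nothing in this hunk pins the clone depth for the `gitleaks` job now that `.test-policy` makes it run on feature and MR pipelines as well: the removed `gitleaks-quick` set `GIT_DEPTH` explicitly and bounded the scan with `--log-opts="-n …"`, whereas the surviving job's `script:` and `variables:` lie outside the hunk, so I cannot tell whether it sets `GIT_DEPTH`. If it does not, the "full analysis" described in the README runs against whatever shallow clone the project's CI settings produce and silently covers only the fetched commits, which defeats a history scan for leaked secrets. Suggest adding `GIT_DEPTH: "0"` under the job's `variables:` (or documenting the requirement) together with a comment such as `# full-history scan: needs a non-shallow clone, otherwise older commits are never scanned`. Note also that `!reference` is a GitLab-specific tag: a generic safe YAML loader cannot construct this file, so any tooling that lints or validates the template outside GitLab must be told to tolerate the tag.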