Pipeline Configuration
This guide provides comprehensive pipeline configurations for implementing static code analysis in modern CI/CD environments.
Multi-Platform Pipeline Templates
GitHub Actions Advanced Configuration
name: Comprehensive Static Analysis
on:
push:
branches: [main]
pull_request:
branches: [main, develop, 'release/*']
schedule:
- cron: '0 0 * * 0' # Weekly full scan
jobs:
analyze:
name: Static Analysis
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
strategy:
matrix:
language: [javascript, python, java, go]
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
# Language-specific setup
- uses: actions/setup-node@v4
if: matrix.language == 'javascript'
with:
node-version: '20'
- uses: actions/setup-python@v4
if: matrix.language == 'python'
with:
python-version: '3.11'
- uses: actions/setup-java@v3
if: matrix.language == 'java'
with:
distribution: 'temurin'
java-version: '21'
- uses: actions/setup-go@v4
if: matrix.language == 'go'
with:
go-version: '1.21'
# SAST Analysis
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
queries: security-extended,security-and-quality
# Dependency Scanning
- name: Dependency Review
uses: actions/dependency-review-action@v3
# Custom Rules
- name: Run Semgrep
uses: semgrep/semgrep-action@v1
with:
config: >-
p/ci
p/security-audit
p/owasp-top-ten
p/supply-chain
timeout: 300
# Quality Gates
- name: SonarCloud Analysis
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: >
-Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
-Dsonar.organization=${{ github.repository_owner }}
-Dsonar.sources=.
-Dsonar.language=${{ matrix.language }}
# Results Processing
- name: Process Analysis Results
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{ matrix.language }}"
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarifAzure DevOps Advanced Pipeline
trigger:
branches:
include:
- main
- develop
- feature/*
paths:
exclude:
- '**/*.md'
- 'docs/*'
variables:
- group: security-scanning-variables
- name: BUILD_CONFIGURATION
value: 'Release'
stages:
- stage: StaticAnalysis
displayName: 'Static Code Analysis'
jobs:
- job: SecurityScanning
strategy:
matrix:
Linux:
vmImage: 'ubuntu-latest'
platform: 'linux'
Windows:
vmImage: 'windows-latest'
platform: 'windows'
pool:
vmImage: $(vmImage)
steps:
# Initialize Analysis
- task: SonarCloudPrepare@1
inputs:
SonarCloud: 'SonarCloud'
organization: '$(SONAR_ORGANIZATION)'
scannerMode: 'CLI'
configMode: 'manual'
cliProjectKey: '$(Build.Repository.Name)'
cliProjectName: '$(Build.Repository.Name)'
# Security Scanning
- task: SecurityAnalysis@1
inputs:
toolSelector: 'bandit,snyk,semgrep'
path: '$(Build.SourcesDirectory)'
excludePaths: '**/tests/**,**/docs/**'
# Dependency Scanning
- task: SnykSecurityScan@1
inputs:
serviceConnectionEndpoint: 'Snyk'
testType: 'app'
severityThreshold: 'high'
monitorWhen: 'always'
# Custom Rules
- task: Bash@3
inputs:
targetType: 'inline'
script: |
curl -sSfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh
./bin/gosec -fmt=sarif -out=results.sarif ./...
# Quality Gates
- task: SonarCloudAnalyze@1
- task: SonarCloudPublish@1
inputs:
pollingTimeoutSec: '300'
# Results Processing
- task: PublishSecurityAnalysisLogs@1
inputs:
ArtifactName: 'CodeAnalysisLogs'
- task: PostAnalysis@1
inputs:
AllTools: false
APIScan: false
BinSkim: false
CodesignValidation: false
CredScan: true
FortifySCA: false
FxCop: false
ModernCop: false
PoliCheck: false
RoslynAnalyzers: true
SDLNativeRules: false
Semmle: false
- stage: ComplianceCheck
displayName: 'Compliance Verification'
dependsOn: StaticAnalysis
condition: succeeded()
jobs:
- job: ComplianceVerification
steps:
- task: ComplianceVerification@1
inputs:
scanType: 'Security'
reportTypes: 'SARIF,PDF,HTML'
frameworks: 'PCI-DSS,SOC2,GDPR'Pipeline Configuration Patterns
1. Analysis Matrix Configuration
analysis_matrix:
combinations:
- language: python
tools: [bandit, pylint, mypy]
requirements: requirements.txt
- language: javascript
tools: [eslint, prettier]
requirements: package.json
- language: java
tools: [spotbugs, pmd]
requirements: pom.xml2. Quality Gates Configuration
quality_gates:
thresholds:
coverage:
minimum: 80
critical: 70
code_smells:
maximum: 100
per_file: 5
duplication:
maximum_percent: 3
complexity:
maximum_per_file: 20
maximum_per_method: 83. Security Policy Configuration
security_policy:
rules:
- id: secure-defaults
severity: CRITICAL
patterns:
- type: regex
pattern: "crypto\\.DEFAULT"
message: "Avoid using crypto defaults"
- id: secure-configs
severity: HIGH
patterns:
- type: regex
pattern: "config\\.(DEBUG|TESTING)"
message: "Production-sensitive config detected"Advanced Pipeline Features
1. Incremental Analysis
incremental_config:
enabled: true
base_branch: main
cache_key: ${CACHE_VERSION}-${BRANCH_NAME}
paths:
- src/**/*.{js,ts,py,java}
- test/**/*.{js,ts,py,java}
exclude:
- '**/generated/**'
- '**/vendor/**'2. Performance Optimization
performance:
parallel_execution:
max_concurrent: 4
timeout: 30m
caching:
enabled: true
key: ${COMMIT_SHA}
paths:
- .sonar/cache
- .gradle/caches
- node_modules
resource_limits:
cpu: 4
memory: 8Gi3. Results Management
results_config:
formats:
- sarif
- html
- json
notifications:
slack:
channel: security-alerts
conditions:
- severity: CRITICAL
threshold: 1
email:
recipients: [security-team@company.com]
conditions:
- type: new_vulnerability
severity: HIGHPipeline Integration Points
1. Source Control Integration
source_control:
hooks:
pre_commit:
- lint
- security_scan
pre_push:
- full_analysis
branch_policies:
- name: main
require:
- security_scan
- quality_gates2. Issue Tracking Integration
issue_tracking:
jira:
project: SECURITY
issue_type: Security Issue
labels: [static-analysis, security]
github:
labels: [security, needs-review]
assignees: [security-team]3. Documentation Integration
documentation:
auto_generate:
- security_reports
- compliance_reports
- trend_analysis
formats:
- markdown
- pdf
- htmlMonitoring and Metrics
1. Pipeline Metrics
metrics:
collection:
- name: analysis_duration
type: gauge
labels: [language, tool]
- name: issues_found
type: counter
labels: [severity, type]
- name: false_positives
type: counter
labels: [tool, rule_id]2. Performance Monitoring
monitoring:
dashboards:
- name: Analysis Overview
provider: grafana
refresh: 5m
panels:
- title: Analysis Duration Trend
type: graph
metric: analysis_duration
- title: Issues by Severity
type: pie
metric: issues_foundBest Practices Implementation
1. Error Handling
error_handling:
retry:
max_attempts: 3
initial_delay: 10s
max_delay: 5m
fallback:
- skip_non_critical
- notify_team
- create_incident2. Security Controls
security_controls:
authentication:
type: service_account
rotation: 90d
secrets:
storage: azure_key_vault
scope: pipeline_only
approval:
required_for:
- production_deploy
- security_override3. Compliance Requirements
compliance:
frameworks:
- standard: PCI-DSS
controls:
- 6.2 # Security Patches
- 6.3.2 # Code Review
- standard: SOC2
controls:
- CC7.1 # Security Operations
- CC8.1 # Change ManagementRemember to regularly review and update pipeline configurations as security requirements and tools evolve.
Last updated