
Compliance framework with SAST scans `.gitlab-ci.yml` as a Docker Compose file

Summary

When putting the SAST template inside a Compliance Framework together with Container Scanning and activating it in the CI project, it treats the CI file the same as a Docker Compose file and shows weird Docker Compose vulnerabilities.

The starting lines of the .gitlab-ci.yml file contain:

image: docker:24
services:
  - docker:24-dind

container_scanning:
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE/dummy-image:$CI_COMMIT_REF_SLUG

The vulnerability report shows:

{
  "version": "15.0.7",
  "vulnerabilities": [
    {
      "id": "fcb944515fc70fea7583835783a7bb4ceaf10cac41d3fdc025bb5226e15fcfb0",
      "category": "sast",
      "name": "Attribute 'security_opt' should be defined.",
      "description": "Docker compose file does not have 'security_opt' attribute",
      "cve": "kics_id:610e266e-6c12-4bca-9925-1ed0cd29742b:3:0",
      "severity": "Medium",
      "scanner": {"id": "kics", "name": "kics"},
      "location": {"file": ".gitlab-ci.yml", "start_line": 3},
      "identifiers": [
        {
          "type": "kics_id",
          "name": "Security Opt Not Set",
          "value": "610e266e-6c12-4bca-9925-1ed0cd29742b",
          "url": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt"
        }
      ]
    }
  ]
}

Steps to reproduce

  • Create a new project under the root group Test Compliance Framework and create a new file for the compliance pipeline, .compliance-pipeline.yml
  • Put the scanning templates inside this file:
---
include:  # Execute individual project's configuration (if project contains .gitlab-ci.yml)
  - project: '$CI_PROJECT_PATH'
    file: '$CI_CONFIG_PATH'
    ref: '$CI_COMMIT_SHA' # Must be defined or MR pipelines always use the default branch
    rules:
      - if: $CI_PROJECT_PATH != "digitalrecruiters/compliance-pipeline"
  - template: Jobs/SAST.latest.gitlab-ci.yml
  - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
  - template: Jobs/SAST-IaC.latest.gitlab-ci.yml
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  • Create a Compliance Framework from the root group: Settings -> General -> Compliance frameworks
  • Create a new project, SAST test, with a new CI file .gitlab-ci.yml
  • Put the image, services and container_scanning content inside this CI file:
image: docker:24
services:
  - docker:24-dind

container_scanning:
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE/dummy-image:$CI_COMMIT_REF_SLUG
...
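To make the misattribution visible when triaging a report, here is an added example (my own code, not the reporter's and not GitLab's or KICS's) that parses the report shown above and checks, with a line-based heuristic of its own, whether the flagged file is really a Compose file: Compose declares the top-level `services:` key as a mapping of named services, whereas the GitLab CI `services:` keyword is a list of images. The Compose sample inside is constructed for contrast; how KICS actually decides a file's type is not shown on this page, so treating the `services:` shape as the distinguishing feature is an assumption.

```python
"""Flag KICS Docker Compose findings raised against a GitLab CI file.

Added example (not from the issue, GitLab or KICS). Assumes the GitLab
SAST report schema shown in the issue (version 15.0.7) and a heuristic of
my own: a Compose file's top-level `services:` is a mapping of named
services, while the GitLab CI `services:` keyword is a list of images.
"""
import json

# Report from the issue (trailing braces balanced). Used as sample input.
SAMPLE_REPORT = r'''{"version":"15.0.7","vulnerabilities":[{"id":"fcb944515fc70fea7583835783a7bb4ceaf10cac41d3fdc025bb5226e15fcfb0","category":"sast","name":"Attribute 'security_opt' should be defined.","description":"Docker compose file does not have 'security_opt' attribute","cve":"kics_id:610e266e-6c12-4bca-9925-1ed0cd29742b:3:0","severity":"Medium","scanner":{"id":"kics","name":"kics"},"location":{"file":".gitlab-ci.yml","start_line":3},"identifiers":[{"type":"kics_id","name":"Security Opt Not Set","value":"610e266e-6c12-4bca-9925-1ed0cd29742b","url":"https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt"}]}]}'''

# The CI file from the issue: `services:` is a YAML list.
GITLAB_CI = """image: docker:24
services:
  - docker:24-dind

container_scanning:
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE/dummy-image:$CI_COMMIT_REF_SLUG
"""

# Constructed Compose file for contrast: `services:` is a YAML mapping.
COMPOSE = """services:
  web:
    image: nginx:1.25
    ports:
      - "8080:80"
"""


def services_shape(text):
    """Return 'list', 'mapping' or None for the top-level `services:` key.

    Line-based on purpose so the example runs without a YAML library:
    the first non-blank, non-comment, indented line after `services:`
    starts with `- ` for a list and with a key name for a mapping.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip() != "services:":
            continue
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt.startswith((" ", "\t")):
                return None  # `services:` with an empty body
            return "list" if nxt.lstrip().startswith("- ") else "mapping"
    return None


def looks_like_compose(text):
    """A Compose file names its services, so `services:` must be a mapping."""
    return services_shape(text) == "mapping"


def misattributed_compose_findings(report_json, file_texts):
    """Return (file, start_line, finding name, services shape) for every KICS
    Compose finding whose target file does not look like a Compose file.

    `file_texts` maps a report path to the file's content, as a triage
    script would read it from the repository checkout.
    """
    report = json.loads(report_json)
    flagged = []
    for vuln in report.get("vulnerabilities", []):
        if vuln.get("scanner", {}).get("id") != "kics":
            continue
        if "compose" not in vuln.get("description", "").lower():
            continue
        path = vuln["location"]["file"]
        text = file_texts.get(path)
        if text is None or looks_like_compose(text):
            continue
        flagged.append((path, vuln["location"].get("start_line"),
                        vuln["name"], services_shape(text)))
    return flagged


if __name__ == "__main__":
    for path, line, name, shape in misattributed_compose_findings(
            SAMPLE_REPORT, {".gitlab-ci.yml": GITLAB_CI}):
        print(f"{path}:{line}: {name!r} reported by kics, "
              f"but `services:` here is a {shape} (GitLab CI), not a Compose mapping")
```

Running the script prints one line for the `.gitlab-ci.yml:3` finding from the report; the same report against a real Compose file yields nothing. The `start_line` of 3 in the report points at the `- docker:24-dind` entry under `services:`, which is exactly the key that both formats share and the heuristic inspects.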
