- added analysis

.gitlab-ci.yml

@@ -16,6 +16,7 @@
 stages:          # List of stages for jobs, and their order of execution
   - build
   - test
+  - analysis
   - packaging
 
 variables:
@@ -27,6 +28,13 @@ variables:
   ARTIFACT_COMPRESSION_LEVEL: "fast"
   CACHE_COMPRESSION_LEVEL: "fast"
 #  CI_DEBUG_TRACE: "true"
+  SAST_DEFAULT_ANALYZERS: "spotbugs"
+  SAST_EXCLUDED_ANALYZERS: ""
+  SAST_JAVA_VERSION: 11
+
+include:
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
 
 default:
   image:
@@ -76,6 +84,53 @@ test-job:
     - ROSETTASDK=$ROSETTASDK make -e check_prerequisites
     - ROSETTASDK=$ROSETTASDK make -e test
 
+spotbugs-sast:
+  stage: analysis
+  variables:
+    FAIL_NEVER: 1
+  tags:
+    - cmr
+  artifacts:
+    paths:
+      - gl-sast-report.json
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: always
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: always
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: always
+    - when: manual
+      allow_failure: true
+
+secret_detection:
+  stage: analysis
+  tags:
+    - cmr
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: always
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: always
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: always
+    - when: manual
+      allow_failure: true
+
+eslint-sast:
+  stage: analysis
+  tags:
+    - cmr
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: always
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: always
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: always
+    - when: manual
+      allow_failure: true
+
 
 packaging-job:
   stage: packaging