Enable security checking in GitLab CI
GitLab Ultimate SAST
Advice from CERN security team:
- Reduce risk due to suboptimal/insecure coding practices and exposed/public secrets in version-controlled projects. Enable "Static Application Security Testing" (SAST) and "Secret Detection" for your pipelines.
- Instructions: https://gitlab.docs.cern.ch/docs/Secure%20your%20application/
Note on implementation
From the documentation:
As of February 2023, the Merge Request page does not visually report offences found by the secret_detection or sast job. This is a limitation of the license level used for CERN GitLab (Premium). The pipeline will complete successfully in every case and this is by design. However, the vulnerabilities found are stored as a job artifact in the pipeline in JSON format. This file can be found by navigating to CI/CD > Pipelines, locating a particular pipeline and clicking on its Download Artifacts Button.
This seems inconvenient.
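One way around the artifact-only reporting, as an added example that is not from the CERN documentation or this project: a small gate job that reads the JSON report artifacts the SAST and Secret Detection templates produce and fails the pipeline when findings at or above a chosen severity are present. The job wiring in the docstring, the default report file names and the report shape are assumptions based on GitLab's documented security report format; the sample report is constructed.

```python
"""security_gate.py: fail the pipeline when the SAST / Secret Detection reports contain findings.
Assumed wiring in .gitlab-ci.yml (template and report file names are GitLab's; the gate job is ours):
    include:
      - template: Security/SAST.gitlab-ci.yml
      - template: Security/Secret-Detection.gitlab-ci.yml
    security_gate:
      stage: .post   # runs after the test-stage scanner jobs, so their report artifacts are present
      image: python:3.11
      script: python3 security_gate.py gl-sast-report.json gl-secret-detection-report.json
"""
import json
import sys
from pathlib import Path

# Severity values used in GitLab security reports, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Info", "Low", "Medium", "High", "Critical"]

def findings_at_or_above(report: dict, threshold: str) -> list:
    """Return the vulnerabilities in a parsed report whose severity is >= threshold."""
    min_rank = SEVERITY_ORDER.index(threshold)
    hits = []
    for vuln in report.get("vulnerabilities", []):
        sev = vuln.get("severity", "Unknown")
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
        if rank >= min_rank:
            hits.append(vuln)
    return hits

def gate(report_paths, threshold: str = "High") -> int:
    """Print findings at/above threshold from each report file and return their count (missing file = scanner skipped)."""
    blocking = 0
    for name in report_paths:
        path = Path(name)
        if not path.exists():
            print(f"{name}: not present, skipping")
            continue
        for vuln in findings_at_or_above(json.loads(path.read_text()), threshold):
            loc = vuln.get("location", {})
            print(f"[{vuln.get('severity')}] {vuln.get('name') or vuln.get('message')} "
                  f"at {loc.get('file')}:{loc.get('start_line')}")
            blocking += 1
    return blocking

# Constructed sample in the GitLab security report shape (not a real scan result).
SAMPLE_REPORT = {"version": "15.0.0", "vulnerabilities": [
    {"severity": "High", "name": "SQL injection", "location": {"file": "app/db.py", "start_line": 42}},
    {"severity": "Low", "name": "Weak hash", "location": {"file": "app/auth.py", "start_line": 7}}]}

if __name__ == "__main__":
    found = gate(sys.argv[1:] or ["gl-sast-report.json", "gl-secret-detection-report.json"])
    sys.exit(1 if found else 0)  # a non-zero exit fails the gate job, and with it the pipeline
```

Secret Detection findings are reported at high severity, so the default threshold blocks on leaked secrets while letting low-severity SAST notes through for triage.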
Edited by Michael Davis