Add PHP language support to gitlab-advanced-sast

2025-06-29 15:08:29 +02:00 · 2025-06-02 09:52:33 +01:00 · 2025-06-02 09:52:33 +01:00 · 11e99e2111
commit 11e99e2111
parent 8c3e0d154d
2 changed files with 95 additions and 70 deletions
--- a/README.md
+++ b/README.md
@ -50,8 +50,8 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
 | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | 
 | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
 | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  |
-| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | 
-| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | 
+| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
+| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) |

 ## Infrastructure as Code (IaC) Scanning

--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -21,6 +21,9 @@ spec:
      type: boolean
    include_experimental:
      default: 'false'
+    ff_glas_enable_php_support:
+      default: true
+      type: boolean
 ---
 .sast-analyzer:
  stage: $[[ inputs.stage ]]
@ -48,11 +51,83 @@ spec:
  rules:
    - when: never

+.gitlab-advanced-sast-exist-rules:
+  exists:
+    - '**/*.py'
+    - '**/*.go'
+    - '**/*.java'
+    - '**/*.jsp'
+    - '**/*.js'
+    - '**/*.jsx'
+    - '**/*.ts'
+    - '**/*.tsx'
+    - '**/*.cjs'
+    - '**/*.mjs'
+    - '**/*.cs'
+    - '**/*.rb'
+    - '**/*.php'
+
+.semgrep-with-advanced-sast-exist-rules:
+  exists:
+    - '**/*.c'
+    - '**/*.cc'
+    - '**/*.cpp'
+    - '**/*.c++'
+    - '**/*.cp'
+    - '**/*.cxx'
+    - '**/*.h'
+    - '**/*.hpp'
+    - '**/*.scala'
+    - '**/*.sc'
+    - '**/*.php'
+    - '**/*.swift'
+    - '**/*.m'
+    - '**/*.kt'
+    - '**/*.properties'
+    - '**/application*.yml'
+    - '**/bootstrap*.yml'
+    - '**/application*.yaml'
+    - '**/bootstrap*.yaml'
+
+.semgrep-exist-rules:
+  exists:
+    - '**/*.py'
+    - '**/*.js'
+    - '**/*.jsx'
+    - '**/*.ts'
+    - '**/*.tsx'
+    - '**/*.c'
+    - '**/*.cc'
+    - '**/*.cpp'
+    - '**/*.c++'
+    - '**/*.cp'
+    - '**/*.cxx'
+    - '**/*.h'
+    - '**/*.hpp'
+    - '**/*.go'
+    - '**/*.java'
+    - '**/*.cs'
+    - '**/*.scala'
+    - '**/*.sc'
+    - '**/*.php'
+    - '**/*.swift'
+    - '**/*.m'
+    - '**/*.rb'
+    - '**/*.kt'
+    - '**/*.cjs'
+    - '**/*.mjs'
+    - '**/*.properties'
+    - '**/application*.yml'
+    - '**/bootstrap*.yml'
+    - '**/application*.yaml'
+    - '**/bootstrap*.yaml'
+
 gitlab-advanced-sast:
  extends: .sast-analyzer
  image:
    name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
  variables:
+    FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]"
    SAST_ANALYZER_IMAGE_TAG: 2
    SEARCH_MAX_DEPTH: 20
  cache:
@ -68,19 +143,7 @@ gitlab-advanced-sast:
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/
-      exists:
-        - '**/*.py'
-        - '**/*.go'
-        - '**/*.java'
-        - '**/*.jsp'
-        - '**/*.js'
-        - '**/*.jsx'
-        - '**/*.ts'
-        - '**/*.tsx'
-        - '**/*.cjs'
-        - '**/*.mjs'
-        - '**/*.cs'
-        - '**/*.rb'
+      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]

 brakeman-sast:
  extends: .deprecated-16.8
@ -138,72 +201,34 @@ semgrep-sast:
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
      when: never
-    # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
+    # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
    - if: '$CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
-          "$[[ inputs.run_advanced_sast ]]" == "true"'
+          "$[[ inputs.run_advanced_sast ]]" == "true" &&
+          "$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
+      variables:
+        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
+      exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
+    # When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
+    - if: '$CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" == "true" &&
+          "$[[ inputs.ff_glas_enable_php_support ]]" != "true"'
      variables:
        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
-      exists:
-        - '**/*.c'
-        - '**/*.cc'
-        - '**/*.cpp'
-        - '**/*.c++'
-        - '**/*.cp'
-        - '**/*.cxx'
-        - '**/*.h'
-        - '**/*.hpp'
-        - '**/*.scala'
-        - '**/*.sc'
-        - '**/*.php'
-        - '**/*.swift'
-        - '**/*.m'
-        - '**/*.kt'
-        - '**/*.properties'
-        - '**/application*.yml'
-        - '**/bootstrap*.yml'
-        - '**/application*.yaml'
-        - '**/bootstrap*.yaml'
-    ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
+      exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
+    # Fallback when advanced SAST covers everything
    - if: '$CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
          "$[[ inputs.run_advanced_sast ]]" == "true"'
      when: never
+    # Default case - run for all supported files
    - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/*.py'
-        - '**/*.js'
-        - '**/*.jsx'
-        - '**/*.ts'
-        - '**/*.tsx'
-        - '**/*.c'
-        - '**/*.cc'
-        - '**/*.cpp'
-        - '**/*.c++'
-        - '**/*.cp'
-        - '**/*.cxx'
-        - '**/*.h'
-        - '**/*.hpp'
-        - '**/*.go'
-        - '**/*.java'
-        - '**/*.cs'
-        - '**/*.scala'
-        - '**/*.sc'
-        - '**/*.php'
-        - '**/*.swift'
-        - '**/*.m'
-        - '**/*.rb'
-        - '**/*.kt'
-        - '**/*.cjs'
-        - '**/*.mjs'
-        - '**/*.properties'
-        - '**/application*.yml'
-        - '**/bootstrap*.yml'
-        - '**/application*.yaml'
-        - '**/bootstrap*.yaml'
-        
+      exists: !reference [.semgrep-exist-rules, exists]
+
 sobelow-sast:
  extends: .sast-analyzer
  image: