From ccd33f9a0234b756a441e5cb4a5ad666a10fd31d Mon Sep 17 00:00:00 2001 From: Philip Cunningham Date: Wed, 26 Mar 2025 10:40:19 +0000 Subject: [PATCH 1/4] Add PHP language support to gitlab-advanced-sast --- templates/sast.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index ccb3eec..7f1100f 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -81,6 +81,7 @@ gitlab-advanced-sast: - '**/*.mjs' - '**/*.cs' - '**/*.rb' + - '**/*.php' brakeman-sast: extends: .deprecated-16.8 @@ -144,7 +145,7 @@ semgrep-sast: "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.run_advanced_sast ]]" == "true"' variables: - SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php" exists: - '**/*.c' - '**/*.cc' @@ -203,7 +204,7 @@ semgrep-sast: - '**/bootstrap*.yml' - '**/application*.yaml' - '**/bootstrap*.yaml' - + sobelow-sast: extends: .sast-analyzer image: From ccbe245104d5b84d104015b59bc7887381c0b304 Mon Sep 17 00:00:00 2001 From: Philip Cunningham Date: Thu, 22 May 2025 11:41:23 +0100 Subject: [PATCH 2/4] Enable GLAS PHP Support FF by default --- templates/sast.yml | 160 ++++++++++++++++++++++++++------------------- 1 file changed, 92 insertions(+), 68 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index 7f1100f..2a6aa12 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -21,6 +21,9 @@ spec: type: boolean include_experimental: default: 'false' + ff_glas_enable_php_support: + default: true + type: boolean --- .sast-analyzer: stage: $[[ inputs.stage ]] 
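Review bot: In the `@@ -144,7 +145,7 @@` hunk, `**/*.php` is appended to `SAST_EXCLUDED_PATHS` for the rule that runs semgrep-sast alongside gitlab-advanced-sast, but that rule's `exists:` list still contains `'**/*.php'` (the entry is visible among the lines patch 2 later removes from this same rule), so a project whose only matching sources are PHP still schedules a semgrep-sast job in which every file is excluded and which presumably produces an empty report. Dropping `- '**/*.php'` from that `exists:` list would stop the job being scheduled when nothing is left for it to scan; patch 2 carries the same mismatch into `.semgrep-with-advanced-sast-exist-rules` for its PHP-enabled branch. The rest of the semgrep-sast job lies outside this hunk.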
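Review bot: The new `ff_glas_enable_php_support` input in the `@@ -21,6 +21,9 @@ spec:` hunk has no `description:`, and an entry under `spec:inputs` is part of the template's public contract: once consumers pass it through `include: inputs:`, removing the flag after PHP support becomes unconditional is a breaking change for them. A one-line `description: 'Temporary feature flag; set to false to keep PHP scanning in semgrep-sast instead of gitlab-advanced-sast'` would record that intent next to the default. The spec declares the default as the boolean `true`, while the README row added in patch 3 documents it as the string `"true"`; documenting it the way `run_advanced_sast` is documented (`false`, unquoted) would avoid implying the two boolean inputs are typed differently.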
@@ -48,11 +51,83 @@ spec: rules: - when: never +.gitlab-advanced-sast-exist-rules: + exists: + - '**/*.py' + - '**/*.go' + - '**/*.java' + - '**/*.jsp' + - '**/*.js' + - '**/*.jsx' + - '**/*.ts' + - '**/*.tsx' + - '**/*.cjs' + - '**/*.mjs' + - '**/*.cs' + - '**/*.rb' + - '**/*.php' + +.semgrep-with-advanced-sast-exist-rules: + exists: + - '**/*.c' + - '**/*.cc' + - '**/*.cpp' + - '**/*.c++' + - '**/*.cp' + - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' + - '**/*.scala' + - '**/*.sc' + - '**/*.php' + - '**/*.swift' + - '**/*.m' + - '**/*.kt' + - '**/*.properties' + - '**/application*.yml' + - '**/bootstrap*.yml' + - '**/application*.yaml' + - '**/bootstrap*.yaml' + +.semgrep-exist-rules: + exists: + - '**/*.py' + - '**/*.js' + - '**/*.jsx' + - '**/*.ts' + - '**/*.tsx' + - '**/*.c' + - '**/*.cc' + - '**/*.cpp' + - '**/*.c++' + - '**/*.cp' + - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' + - '**/*.go' + - '**/*.java' + - '**/*.cs' + - '**/*.scala' + - '**/*.sc' + - '**/*.php' + - '**/*.swift' + - '**/*.m' + - '**/*.rb' + - '**/*.kt' + - '**/*.cjs' + - '**/*.mjs' + - '**/*.properties' + - '**/application*.yml' + - '**/bootstrap*.yml' + - '**/application*.yaml' + - '**/bootstrap*.yaml' + gitlab-advanced-sast: extends: .sast-analyzer image: name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" variables: + FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]" SAST_ANALYZER_IMAGE_TAG: 2 SEARCH_MAX_DEPTH: 20 cache: @@ -68,20 +143,7 @@ gitlab-advanced-sast: when: never - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ - exists: - - '**/*.py' - - '**/*.go' - - '**/*.java' - - '**/*.jsp' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.cjs' - - '**/*.mjs' - - '**/*.cs' - - '**/*.rb' - - '**/*.php' + exists: !reference [.gitlab-advanced-sast-exist-rules, exists] brakeman-sast: extends: .deprecated-16.8 
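Review bot: `.gitlab-advanced-sast-exist-rules` lists `'**/*.php'` unconditionally, so with `ff_glas_enable_php_support` set to false a project containing only PHP sources still starts the gitlab-advanced-sast job, which — since `FF_GLAS_ENABLE_PHP_SUPPORT` is what the analyzer receives — presumably has nothing to scan; the same `!reference` is consumed in the `@@ -68,20 +143,7 @@` hunk. If that matters, the job's rules could be split the way semgrep-sast's are in the `@@ -139,71 +201,33 @@` hunk, with a second hidden list that omits PHP for the flag-off branch. A short comment above each hidden job, e.g. `# File patterns that schedule gitlab-advanced-sast; keep in sync with SAST_EXCLUDED_PATHS in semgrep-sast`, would also make explicit the coupling between these three lists and the exclusion strings, which a gap in either side turns into files scanned by neither analyzer and which is otherwise only implied by the job names.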
@@ -139,71 +201,33 @@ semgrep-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' when: never - # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast + # When advanced SAST runs with PHP support enabled - if: '$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && - "$[[ inputs.run_advanced_sast ]]" == "true"' + "$[[ inputs.run_advanced_sast ]]" == "true" && + "$[[ inputs.ff_glas_enable_php_support ]]" == "true"' variables: SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php" - exists: - - '**/*.c' - - '**/*.cc' - - '**/*.cpp' - - '**/*.c++' - - '**/*.cp' - - '**/*.cxx' - - '**/*.h' - - '**/*.hpp' - - '**/*.scala' - - '**/*.sc' - - '**/*.php' - - '**/*.swift' - - '**/*.m' - - '**/*.kt' - - '**/*.properties' - - '**/application*.yml' - - '**/bootstrap*.yml' - - '**/application*.yaml' - - '**/bootstrap*.yaml' - ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned + exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists] + # When advanced SAST runs but PHP support is disabled + - if: '$CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" == "true" && + "$[[ inputs.ff_glas_enable_php_support ]]" != "true"' + variables: + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" + exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists] + # Fallback when advanced SAST covers everything - if: '$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.run_advanced_sast ]]" 
== "true"' when: never + # Default case - run for all supported files - if: $CI_COMMIT_BRANCH - exists: - - '**/*.py' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.c' - - '**/*.cc' - - '**/*.cpp' - - '**/*.c++' - - '**/*.cp' - - '**/*.cxx' - - '**/*.h' - - '**/*.hpp' - - '**/*.go' - - '**/*.java' - - '**/*.cs' - - '**/*.scala' - - '**/*.sc' - - '**/*.php' - - '**/*.swift' - - '**/*.m' - - '**/*.rb' - - '**/*.kt' - - '**/*.cjs' - - '**/*.mjs' - - '**/*.properties' - - '**/application*.yml' - - '**/bootstrap*.yml' - - '**/application*.yaml' - - '**/bootstrap*.yaml' + exists: !reference [.semgrep-exist-rules, exists] sobelow-sast: extends: .sast-analyzer From abc0479a550697a6b0c30c88862e53f6292ed6e1 Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 27 May 2025 14:39:02 +0200 Subject: [PATCH 3/4] include ff parameter in documentation --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ca020ac..62dd9c8 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | | `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | +| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) | ## Contribute From f546ea469b9fdc9636eb064ceb5c03c964f45baa Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 27 May 2025 14:43:15 +0200 Subject: [PATCH 4/4] fix formatting --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
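Review bot: The PHP-enabled rule in this hunk removes `**/*.php` from semgrep-sast's scope on the strength of the template input alone; whether the gitlab-advanced-sast image that actually runs honours `FF_GLAS_ENABLE_PHP_SUPPORT` is not checked anywhere, so a consumer that overrides the analyzer image or tag (the template pins `SAST_ANALYZER_IMAGE_TAG: 2` in the `@@ -48,11 +51,83 @@` hunk) to a build without PHP support while leaving the flag at its default of `true` presumably ends up with PHP scanned by neither job, and nothing visible in this template reports that gap. That dependency deserves to be stated where the hand-off is decided, e.g. `# PHP is handed to gitlab-advanced-sast here; with an analyzer image that ignores FF_GLAS_ENABLE_PHP_SUPPORT, PHP files are scanned by neither job`. Both new `- if:` rules also share `exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]`, whose list contains `'**/*.php'`, so the PHP-enabled branch still schedules semgrep-sast for PHP-only projects even though every PHP file is excluded. The semgrep-sast job's earlier keys precede this hunk.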
diff --git a/README.md b/README.md index 62dd9c8..c797054 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | | `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) |