vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 15:38:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'philipcunningham-make-php-support-available-in-glas-523657' into 'main'

Browse source 
Add PHP language support to gitlab-advanced-sast

See merge request components/sast!21
This commit is contained in:
Philip Cunningham 2025-05-27 13:43:21 +01:00
commit 13113d88c2
2 changed files with 95 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -44,8 +44,9 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] | `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) |
| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) |
## Contribute ## Contribute

159
templates/sast.yml
View file

@ -21,6 +21,9 @@ spec:
type: boolean type: boolean
include_experimental: include_experimental:
default: 'false' default: 'false'
ff_glas_enable_php_support:
default: true
type: boolean
--- ---
.sast-analyzer: .sast-analyzer:
stage: $[[ inputs.stage ]] stage: $[[ inputs.stage ]]
@ -48,11 +51,83 @@ spec:
rules: rules:
- when: never - when: never
.gitlab-advanced-sast-exist-rules:
exists:
- '**/*.py'
- '**/*.go'
- '**/*.java'
- '**/*.jsp'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.rb'
- '**/*.php'
.semgrep-with-advanced-sast-exist-rules:
exists:
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
.semgrep-exist-rules:
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
gitlab-advanced-sast: gitlab-advanced-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
variables: variables:
FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]"
SAST_ANALYZER_IMAGE_TAG: 2 SAST_ANALYZER_IMAGE_TAG: 2
SEARCH_MAX_DEPTH: 20 SEARCH_MAX_DEPTH: 20
cache: cache:
@ -68,19 +143,7 @@ gitlab-advanced-sast:
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ $GITLAB_FEATURES =~ /\bsast_advanced\b/
exists: exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
- '**/*.py'
- '**/*.go'
- '**/*.java'
- '**/*.jsp'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.rb'
brakeman-sast: brakeman-sast:
extends: .deprecated-16.8 extends: .deprecated-16.8
@ -138,71 +201,33 @@ semgrep-sast:
rules: rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never when: never
# In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast # When advanced SAST runs with PHP support enabled
- if: '$CI_COMMIT_BRANCH && - if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ && $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"' "$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# When advanced SAST runs but PHP support is disabled
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" != "true"'
variables: variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
exists: exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
- '**/*.c' # Fallback when advanced SAST covers everything
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
- if: '$CI_COMMIT_BRANCH && - if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ && $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"' "$[[ inputs.run_advanced_sast ]]" == "true"'
when: never when: never
# Default case - run for all supported files
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists: !reference [.semgrep-exist-rules, exists]
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
sobelow-sast: sobelow-sast:
extends: .sast-analyzer extends: .sast-analyzer