Add clangsa analyzer

templates/sast.yml

@@ -69,14 +69,6 @@ spec:
 
 .semgrep-with-advanced-sast-exist-rules:
   exists:
-    - '**/*.c'
-    - '**/*.cc'
-    - '**/*.cpp'
-    - '**/*.c++'
-    - '**/*.cp'
-    - '**/*.cxx'
-    - '**/*.h'
-    - '**/*.hpp'
     - '**/*.scala'
     - '**/*.sc'
     - '**/*.php'
@@ -96,14 +88,6 @@ spec:
     - '**/*.jsx'
     - '**/*.ts'
     - '**/*.tsx'
-    - '**/*.c'
-    - '**/*.cc'
-    - '**/*.cpp'
-    - '**/*.c++'
-    - '**/*.cp'
-    - '**/*.cxx'
-    - '**/*.h'
-    - '**/*.hpp'
     - '**/*.go'
     - '**/*.java'
     - '**/*.cs'
@@ -254,3 +238,25 @@ spotbugs-sast:
     - if: $CI_COMMIT_BRANCH
       exists:
         - '**/*.groovy'
+
+clangsa-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/security-products/analyzers/clangsa:0"
+  script: |-
+    # until https://gitlab.com/gitlab-org/gitlab/-/issues/549837, prevent sast_fp_reduction
+    export GITLAB_FEATURES=$(echo "$GITLAB_FEATURES" | sed 's/\bsast_fp_reduction\b//g' | sed 's/,,/,/g' | sed 's/^,//g' | sed 's/,$//g')
+    /analyzer run
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /clangsa/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - "**/*.c"
+        - "**/*.cc"
+        - "**/*.cpp"
+        - "**/*.c++"
+        - "**/*.cp"
+        - "**/*.cxx"
+        - "**/*.h"
+        - "**/*.hpp"