Add support for advanced sast

2025-06-30 07:28:29 +02:00 · 2024-10-01 20:24:04 +00:00 · 2024-10-01 20:24:04 +00:00 · 6cf357976e
commit 6cf357976e
parent e51eb34e0f
2 changed files with 61 additions and 1 deletions
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -16,6 +16,9 @@ spec:
      default: '4'
    run_kubesec_sast:
      default: 'false'
+    run_advanced_sast:
+      default: false
+      type: boolean
    include_experimental:
      default: 'false'
 ---
@ -27,7 +30,8 @@ spec:
  # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
  variables:
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
-    SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
+    DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
+    SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
  script:
    - /analyzer run
  artifacts:
@ -44,6 +48,33 @@ spec:
  rules:
    - when: never

+gitlab-advanced-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
+  variables:
+    SAST_ANALYZER_IMAGE_TAG: 1
+    SEARCH_MAX_DEPTH: 20
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
+      when: never
+    - if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/
+      exists:
+        - '**/*.py'
+        - '**/*.go'
+        - '**/*.java'
+        - '**/*.jsp'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.ts'
+        - '**/*.tsx'
+        - '**/*.cjs'
+        - '**/*.mjs'
+        - '**/*.cs'
+        - '**/*.rb'

 brakeman-sast:
  extends: .deprecated-16.8
@ -101,6 +132,34 @@ semgrep-sast:
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
      when: never
+    # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
+    - if: '$CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" == "true"'
+      variables:
+        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
+      exists:
+        - '**/*.c'
+        - '**/*.cc'
+        - '**/*.cpp'
+        - '**/*.c++'
+        - '**/*.cp'
+        - '**/*.cxx'
+        - '**/*.h'
+        - '**/*.hpp'
+        - '**/*.scala'
+        - '**/*.sc'
+        - '**/*.php'
+        - '**/*.swift'
+        - '**/*.m'
+        - '**/*.kt'
+    ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
+    - if: '$CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" == "true"'
+      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.py'