Run GLAS by default

2025-06-30 07:28:29 +02:00 · 2025-03-03 21:05:37 +11:00 · 2025-03-03 21:05:37 +11:00 · 71a6fafabb
commit 71a6fafabb
parent b3beb90502
1 changed files with 78 additions and 71 deletions
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -17,7 +17,7 @@ spec:
    run_kubesec_sast:
      default: 'false'
    run_advanced_sast:
-      default: false
+      default: true
      type: boolean
    include_experimental:
      default: 'false'
@ -58,23 +58,95 @@ gitlab-advanced-sast:
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
      when: never
-    - if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
+    - if: '"$[[ inputs.run_advanced_sast ]]" == "false"'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/
      exists:
-        - '**/*.py'
-        - '**/*.go'
-        - '**/*.java'
+        # extensions that are only supported by gitlab-advanced-sast
        - '**/*.jsp'
+        # extensions that are supported by both gitlab-advanced-sast and semgrep-sast
+        - '**/*.cjs'
+        - '**/*.cs'
+        - '**/*.go'
+        - '**/*.py'
+        - '**/*.java'
        - '**/*.js'
        - '**/*.jsx'
+        - '**/*.mjs'
+        - '**/*.rb'
        - '**/*.ts'
        - '**/*.tsx'
+
+semgrep-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
+  variables:
+    SEARCH_MAX_DEPTH: 20
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
+      when: never
+    # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
+    - if: '$CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" != "false"'
+      variables:
+        # don't scan any extensions that are supported by both gitlab-advanced-sast and semgrep-sast, since we assume
+        # that gitlab-advanced-sast has already scanned these file extensions
+        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.cjs, **/*.cs, **/*.go, **/*.py, **/*.java, **/*.js, **/*.jsx, **/*.mjs, **/*.rb, **/*.ts, **/*.tsx"
+      exists:
+        # extensions that are only supported by semgrep-sast
+        - '**/*.c'
+        - '**/*.c++'
+        - '**/*.cc'
+        - '**/*.cp'
+        - '**/*.cpp'
+        - '**/*.cxx'
+        - '**/*.h'
+        - '**/*.hpp'
+        - '**/*.kt'
+        - '**/*.m'
+        - '**/*.php'
+        - '**/*.sc'
+        - '**/*.scala'
+        - '**/*.swift'
+    ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
+    - if: '$CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" != "false"'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        # extensions that are supported by both gitlab-advanced-sast and semgrep-sast
        - '**/*.cjs'
-        - '**/*.mjs'
        - '**/*.cs'
+        - '**/*.go'
+        - '**/*.py'
+        - '**/*.java'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.mjs'
        - '**/*.rb'
+        - '**/*.ts'
+        - '**/*.tsx'
+        # extensions that are only supported by semgrep-sast
+        - '**/*.c'
+        - '**/*.c++'
+        - '**/*.cc'
+        - '**/*.cp'
+        - '**/*.cpp'
+        - '**/*.cxx'
+        - '**/*.h'
+        - '**/*.hpp'
+        - '**/*.kt'
+        - '**/*.m'
+        - '**/*.php'
+        - '**/*.sc'
+        - '**/*.scala'
+        - '**/*.swift'

 brakeman-sast:
  extends: .deprecated-16.8
@ -123,71 +195,6 @@ security-code-scan-sast:
  rules:
    - when: never

-semgrep-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
-  variables:
-    SEARCH_MAX_DEPTH: 20
-  rules:
-    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
-      when: never
-    # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
-    - if: '$CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
-          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
-          "$[[ inputs.run_advanced_sast ]]" == "true"'
-      variables:
-        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
-      exists:
-        - '**/*.c'
-        - '**/*.cc'
-        - '**/*.cpp'
-        - '**/*.c++'
-        - '**/*.cp'
-        - '**/*.cxx'
-        - '**/*.h'
-        - '**/*.hpp'
-        - '**/*.scala'
-        - '**/*.sc'
-        - '**/*.php'
-        - '**/*.swift'
-        - '**/*.m'
-        - '**/*.kt'
-    ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
-    - if: '$CI_COMMIT_BRANCH &&
-          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
-          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
-          "$[[ inputs.run_advanced_sast ]]" == "true"'
-      when: never
-    - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/*.py'
-        - '**/*.js'
-        - '**/*.jsx'
-        - '**/*.ts'
-        - '**/*.tsx'
-        - '**/*.c'
-        - '**/*.cc'
-        - '**/*.cpp'
-        - '**/*.c++'
-        - '**/*.cp'
-        - '**/*.cxx'
-        - '**/*.h'
-        - '**/*.hpp'
-        - '**/*.go'
-        - '**/*.java'
-        - '**/*.cs'
-        - '**/*.scala'
-        - '**/*.sc'
-        - '**/*.php'
-        - '**/*.swift'
-        - '**/*.m'
-        - '**/*.rb'
-        - '**/*.kt'
-        - '**/*.cjs'
-        - '**/*.mjs'
-
 sobelow-sast:
  extends: .sast-analyzer
  image: