From 4c73c42d9122bc5e3d86f4cbd3e15a2ba2e7865b Mon Sep 17 00:00:00 2001
From: Jason Leasure
Date: Mon, 16 Jun 2025 12:14:54 -0400
Subject: [PATCH] Add clangsa analyzer

---
 templates/sast.yml | 38 ++++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)

diff --git a/templates/sast.yml b/templates/sast.yml
index 64e7743..79c713d 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -69,14 +69,6 @@ spec:
 .semgrep-with-advanced-sast-exist-rules:
 exists:
- - '**/*.c'
- - '**/*.cc'
- - '**/*.cpp'
- - '**/*.c++'
- - '**/*.cp'
- - '**/*.cxx'
- - '**/*.h'
- - '**/*.hpp'
 - '**/*.scala'
 - '**/*.sc'
 - '**/*.php'
@@ -96,14 +88,6 @@ spec:
 - '**/*.jsx'
 - '**/*.ts'
 - '**/*.tsx'
- - '**/*.c'
- - '**/*.cc'
- - '**/*.cpp'
- - '**/*.c++'
- - '**/*.cp'
- - '**/*.cxx'
- - '**/*.h'
- - '**/*.hpp'
 - '**/*.go'
 - '**/*.java'
 - '**/*.cs'
@@ -254,3 +238,25 @@ spotbugs-sast:
 - if: $CI_COMMIT_BRANCH
 exists:
 - '**/*.groovy'
+
+clangsa-sast:
+ extends: .sast-analyzer
+ image:
+ name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/security-products/analyzers/clangsa:0"
+ script: |-
+ # until https://gitlab.com/gitlab-org/gitlab/-/issues/549837, prevent sast_fp_reduction
+ export GITLAB_FEATURES=$(echo "$GITLAB_FEATURES" | sed 's/\bsast_fp_reduction\b//g' | sed 's/,,/,/g' | sed 's/^,//g' | sed 's/,$//g')
+ /analyzer run
+ rules:
+ - if: '"$[[ inputs.excluded_analyzers ]]" =~ /clangsa/'
+ when: never
+ - if: $CI_COMMIT_BRANCH
+ exists:
+ - "**/*.c"
+ - "**/*.cc"
+ - "**/*.cpp"
+ - "**/*.c++"
+ - "**/*.cp"
+ - "**/*.cxx"
+ - "**/*.h"
+ - "**/*.hpp"
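Review bot: The `\b` word boundary in `sed 's/\bsast_fp_reduction\b//g'` in the new `clangsa-sast` script is a GNU sed extension; if the clangsa image ships a non-GNU sed (BusyBox/musl, for example), the pattern may match nothing and `sast_fp_reduction` would stay enabled with no error, defeating the workaround the comment describes. A form that relies on no regex extensions and needs none of the three comma-cleanup passes is `export GITLAB_FEATURES=$(printf '%s\n' "$GITLAB_FEATURES" | tr ',' '\n' | grep -vx sast_fp_reduction | paste -sd, -)`, which also avoids `echo` reinterpreting any backslashes in the value. Separately, the `exists:` globs are double-quoted while the rest of the file (the `spotbugs-sast` context just above and the entries removed in the first two hunks) uses single quotes, so matching the file's quoting convention would read more consistently. The `.sast-analyzer` base job this extends is outside the hunk, so whether its own `script` is fully replaced by this override cannot be confirmed from the diff alone.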