diff --git a/README.md b/README.md index ca020ac..e1d843c 100644 --- a/README.md +++ b/README.md @@ -44,9 +44,9 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] +| `run_advanced_sast` | `true` | Set it to `false` to disable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | ## Contribute -Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components +Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components diff --git a/templates/sast.yml b/templates/sast.yml index 1ce3f54..38e1e78 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -17,7 +17,7 @@ spec: run_kubesec_sast: default: 'false' run_advanced_sast: - default: false + default: true type: boolean include_experimental: default: 'false' 
@@ -58,23 +58,95 @@ gitlab-advanced-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' when: never - - if: '"$[[ inputs.run_advanced_sast ]]" != "true"' + - if: '"$[[ inputs.run_advanced_sast ]]" == "false"' when: never - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ exists: - - '**/*.py' - - '**/*.go' - - '**/*.java' + # extensions that are only supported by gitlab-advanced-sast - '**/*.jsp' + # extensions that are supported by both gitlab-advanced-sast and semgrep-sast + - '**/*.cjs' + - '**/*.cs' + - '**/*.go' + - '**/*.py' + - '**/*.java' - '**/*.js' - '**/*.jsx' + - '**/*.mjs' + - '**/*.rb' - '**/*.ts' - '**/*.tsx' + +semgrep-sast: + extends: .sast-analyzer + image: + name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" + variables: + SEARCH_MAX_DEPTH: 20 + rules: + - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' + when: never + # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast + - if: '$CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" != "false"' + variables: + # don't scan any extensions that are supported by both gitlab-advanced-sast and semgrep-sast, since we assume + # that gitlab-advanced-sast has already scanned these file extensions + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.cjs, **/*.cs, **/*.go, **/*.py, **/*.java, **/*.js, **/*.jsx, **/*.mjs, **/*.rb, **/*.ts, **/*.tsx" + exists: + # extensions that are only supported by semgrep-sast + - '**/*.c' + - '**/*.c++' + - '**/*.cc' + - '**/*.cp' + - '**/*.cpp' + - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' + - '**/*.kt' + - '**/*.m' + - '**/*.php' + - '**/*.sc' + - '**/*.scala' + - '**/*.swift' + ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned + - if: '$CI_COMMIT_BRANCH && + 
$GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" != "false"' + when: never + - if: $CI_COMMIT_BRANCH + exists: + # extensions that are supported by both gitlab-advanced-sast and semgrep-sast - '**/*.cjs' - - '**/*.mjs' - '**/*.cs' + - '**/*.go' + - '**/*.py' + - '**/*.java' + - '**/*.js' + - '**/*.jsx' + - '**/*.mjs' - '**/*.rb' + - '**/*.ts' + - '**/*.tsx' + # extensions that are only supported by semgrep-sast + - '**/*.c' + - '**/*.c++' + - '**/*.cc' + - '**/*.cp' + - '**/*.cpp' + - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' + - '**/*.kt' + - '**/*.m' + - '**/*.php' + - '**/*.sc' + - '**/*.scala' + - '**/*.swift' brakeman-sast: extends: .deprecated-16.8 
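Review bot: The list of extensions shared by gitlab-advanced-sast and semgrep-sast is now spelled out three times in this hunk (the advanced-sast `exists:`, the semgrep `SAST_EXCLUDED_PATHS` override and the semgrep fallback `exists:`) with nothing tying the copies together, so an extension added to one copy but not the others would either be scanned twice or, worse, be excluded from semgrep-sast while gitlab-advanced-sast never picks it up; a YAML anchor for the shared list, or at least a comment on each copy such as `# keep in sync with SAST_EXCLUDED_PATHS in semgrep-sast below`, would make the coupling visible. The exclusion also takes effect as soon as `sast_advanced` is licensed and the input is not `"false"`, regardless of whether the gitlab-advanced-sast job actually completes, so a failed or cancelled advanced-sast job leaves the shared extensions unscanned with no pipeline signal — worth stating next to the existing "exclude files already scanned" comment. `$DEFAULT_SAST_EXCLUDED_PATHS` is defined outside this hunk; presumably it already folds in `inputs.excluded_paths`, which should be confirmed since the override replaces rather than appends to the variable. Minor style: `## In case gitlab-advanced-sast already covers ...` uses a double hash where the rest of the file uses `# `. The gitlab-advanced-sast job begins before the hunk's first line.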
@@ -123,71 +195,6 @@ security-code-scan-sast: rules: - when: never -semgrep-sast: - extends: .sast-analyzer - image: - name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" - variables: - SEARCH_MAX_DEPTH: 20 - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' - when: never - # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast - - if: '$CI_COMMIT_BRANCH && - $GITLAB_FEATURES =~ /\bsast_advanced\b/ && - "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && - "$[[ inputs.run_advanced_sast ]]" == "true"' - variables: - SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" - exists: - - '**/*.c' - - '**/*.cc' - - '**/*.cpp' - - '**/*.c++' - - '**/*.cp' - - '**/*.cxx' - - '**/*.h' - - '**/*.hpp' - - '**/*.scala' - - '**/*.sc' - - '**/*.php' - - '**/*.swift' - - '**/*.m' - - '**/*.kt' - ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned - - if: '$CI_COMMIT_BRANCH && - $GITLAB_FEATURES =~ /\bsast_advanced\b/ && - "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && - "$[[ inputs.run_advanced_sast ]]" == "true"' - when: never - - if: $CI_COMMIT_BRANCH - exists: - - '**/*.py' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.c' - - '**/*.cc' - - '**/*.cpp' - - '**/*.c++' - - '**/*.cp' - - '**/*.cxx' - - '**/*.h' - - '**/*.hpp' - - '**/*.go' - - '**/*.java' - - '**/*.cs' - - '**/*.scala' - - '**/*.sc' - - '**/*.php' - - '**/*.swift' - - '**/*.m' - - '**/*.rb' - - '**/*.kt' - - '**/*.cjs' - - '**/*.mjs' - sobelow-sast: extends: .sast-analyzer image: