vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 07:28:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '514659-enable-gitlab-advanced-sast-by-default' into 'main'

Browse source 
Update SAST component to execute GitLab Advanced SAST by default

See merge request components/sast!17
This commit is contained in:
Adam Cohen 2025-03-04 13:25:47 +11:00
commit a0174ad4d1
2 changed files with 80 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -44,7 +44,7 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ]
| `run_advanced_sast` | `true` | Set it to `false` to disable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ]
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) |
## Contribute

149
templates/sast.yml
View file

@ -17,7 +17,7 @@ spec:
run_kubesec_sast:
default: 'false'
run_advanced_sast:
default: false
default: true
type: boolean
include_experimental:
default: 'false'
@ -58,23 +58,95 @@ gitlab-advanced-sast:
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
when: never
- if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
- if: '"$[[ inputs.run_advanced_sast ]]" == "false"'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/
exists:
- '**/*.py'
- '**/*.go'
- '**/*.java'
# extensions that are only supported by gitlab-advanced-sast
- '**/*.jsp'
# extensions that are supported by both gitlab-advanced-sast and semgrep-sast
- '**/*.cjs'
- '**/*.cs'
- '**/*.go'
- '**/*.py'
- '**/*.java'
- '**/*.js'
- '**/*.jsx'
- '**/*.mjs'
- '**/*.rb'
- '**/*.ts'
- '**/*.tsx'
semgrep-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
variables:
SEARCH_MAX_DEPTH: 20
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never
# In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" != "false"'
variables:
# don't scan any extensions that are supported by both gitlab-advanced-sast and semgrep-sast, since we assume
# that gitlab-advanced-sast has already scanned these file extensions
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.cjs, **/*.cs, **/*.go, **/*.py, **/*.java, **/*.js, **/*.jsx, **/*.mjs, **/*.rb, **/*.ts, **/*.tsx"
exists:
# extensions that are only supported by semgrep-sast
- '**/*.c'
- '**/*.c++'
- '**/*.cc'
- '**/*.cp'
- '**/*.cpp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.kt'
- '**/*.m'
- '**/*.php'
- '**/*.sc'
- '**/*.scala'
- '**/*.swift'
## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" != "false"'
when: never
- if: $CI_COMMIT_BRANCH
exists:
# extensions that are supported by both gitlab-advanced-sast and semgrep-sast
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.go'
- '**/*.py'
- '**/*.java'
- '**/*.js'
- '**/*.jsx'
- '**/*.mjs'
- '**/*.rb'
- '**/*.ts'
- '**/*.tsx'
# extensions that are only supported by semgrep-sast
- '**/*.c'
- '**/*.c++'
- '**/*.cc'
- '**/*.cp'
- '**/*.cpp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.kt'
- '**/*.m'
- '**/*.php'
- '**/*.sc'
- '**/*.scala'
- '**/*.swift'
brakeman-sast:
extends: .deprecated-16.8
@ -123,71 +195,6 @@ security-code-scan-sast:
rules:
- when: never
semgrep-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
variables:
SEARCH_MAX_DEPTH: 20
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never
# In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
exists:
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"'
when: never
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
sobelow-sast:
extends: .sast-analyzer
image: