vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 07:28:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'upgrade_to_latest_rules' into 'main'

Browse source 
Upgrade to latest rules

See merge request components/sast!27
This commit is contained in:
Klok 2025-06-03 08:02:17 +00:00
commit ad37f3831f
1 changed files with 138 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

143
templates/sast.yml
View file

@ -24,6 +24,9 @@ spec:
ff_glas_enable_php_support:
default: true
type: boolean
enable_mr_pipelines:
default: true
type: boolean
---
.sast-analyzer:
stage: $[[ inputs.stage ]]
@ -141,10 +144,26 @@ gitlab-advanced-sast:
when: never
- if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
when: never
# The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
# when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
# to cover both the *MR pipeline* and the *branch pipeline* workflows.
# 1. Run the job in an *MR* pipeline if MR pipelines are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event" &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/'
exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
# 2. Don't run the job in a *branch pipeline* if *MR pipelines* are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_OPEN_MERGE_REQUESTS'
when: never
# 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled, or it is enabled but no open MRs exist for the branch).
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/
exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
brakeman-sast:
extends: .deprecated-16.8
@ -158,7 +177,23 @@ kubesec-sast:
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
when: never
- if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
# The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
# when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
# to cover both the *MR pipeline* and the *branch pipeline* workflows.
# 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event" &&
"$[[ inputs.run_kubesec_sast ]]" == "true"'
# 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_OPEN_MERGE_REQUESTS'
when: never
# 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
- if: '$CI_COMMIT_BRANCH &&
"$[[ inputs.run_kubesec_sast ]]" == "true"'
mobsf-android-sast:
extends: .deprecated-16.8
@ -172,6 +207,10 @@ nodejs-scan-sast:
phpcs-security-audit-sast:
extends: .deprecated-16.8
.pmd-apex-exist-rules:
exists:
- '**/*.cls'
pmd-apex-sast:
extends: .sast-analyzer
image:
@ -179,9 +218,23 @@ pmd-apex-sast:
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
when: never
# The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
# when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
# to cover both the *MR pipeline* and the *branch pipeline* workflows.
# 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event"'
exists: !reference [.pmd-apex-exist-rules, exists]
# 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_OPEN_MERGE_REQUESTS'
when: never
# 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.cls'
exists: !reference [.pmd-apex-exist-rules, exists]
security-code-scan-sast:
extends: .sast-analyzer
@ -201,6 +254,49 @@ semgrep-sast:
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never
# The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
# when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
# to cover both the *MR pipeline* and the *branch pipeline* workflows.
# 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
# When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event" &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event" &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" != "true"' #TODO: Shouldnt this be disabled?
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# Fallback when advanced SAST covers everything
- if: '$CI_PIPELINE_SOURCE == "merge_request_event" &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"'
when: never
# Default case - run for all supported files
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event"'
exists: !reference [.semgrep-exist-rules, exists]
# 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_OPEN_MERGE_REQUESTS'
when: never
# 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
# When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
@ -229,6 +325,10 @@ semgrep-sast:
- if: $CI_COMMIT_BRANCH
exists: !reference [.semgrep-exist-rules, exists]
.sobelow-exist-rules:
exists:
- '**/mix.exs'
sobelow-sast:
extends: .sast-analyzer
image:
@ -236,9 +336,27 @@ sobelow-sast:
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
when: never
# The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
# when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
# to cover both the *MR pipeline* and the *branch pipeline* workflows.
# 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event"'
exists: !reference [.sobelow-exist-rules, exists]
# 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_OPEN_MERGE_REQUESTS'
when: never
# 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
- if: $CI_COMMIT_BRANCH
exists: !reference [.sobelow-exist-rules, exists]
.spotbugs-exist-rules:
exists:
- '**/mix.exs'
- '**/*.groovy'
spotbugs-sast:
extends: .sast-analyzer
@ -250,7 +368,20 @@ spotbugs-sast:
- if: '"$[[ inputs.include_experimental ]]" == "true"'
exists:
- '**/AndroidManifest.xml'
when: never # TODO: Should this be never?
# The following 3 blocks of rules define whether the job runs in a an *MR pipeline* or a *branch pipeline*
# when an MR exists. If the job has additional rules to observe they should be added in the blocks 1 and 3
# to cover both the *MR pipeline* and the *branch pipeline* workflows.
# 1. Run the job in an *MR* pipeline if MR pipelines for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_PIPELINE_SOURCE == "merge_request_event"'
exists: !reference [.spotbugs-exist-rules, exists]
# 2. Don't run the job in a *branch pipeline* if *MR pipelines* for AST are enabled and there's an open merge request.
- if: '"$[[ inputs.enable_mr_pipelines ]]" == "true" &&
$CI_OPEN_MERGE_REQUESTS'
when: never
# 3. Finally, run the job in a *branch pipeline* (When MR pipelines are disabled for AST, or it is enabled but no open MRs exist for the branch).
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.groovy'
exists: !reference [.spotbugs-exist-rules, exists]