From e94915c35f4f6ce46da71cd77f04f76f1643a2bb Mon Sep 17 00:00:00 2001
From: Fabio Pitino
Date: Wed, 3 May 2023 11:41:24 +0100
Subject: [PATCH] Remove variable SAST_DISABLED

---
 README.md | 21 ++++++++++-----------
 template.yml | 24 ------------------------
 2 files changed, 10 insertions(+), 35 deletions(-)

diff --git a/README.md b/README.md
index 77b9717..f861c1f 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,16 @@ include:
 where `` is the latest released tag or `main`.
+If you want to leverage the `$SAST_DISABLED` variable to define or not the jobs conditionally use `include:rules`.
+Otherwise all SAST jobs will always run when applicable:
+
+```yaml
+include:
+ - component: gitlab.com/gitlab-components/sast@main
+ rules:
+ - if: $SAST_DISABLED != "true"
+```
+
 ### Inputs
 | Input | Default value | Description |
@@ -34,16 +44,5 @@ where `` is the latest released tag or `main`.
 | Variable | Default value | Description |
 | -------- | ------------- | ----------- |
-| `SAST_DISABLED` | not set | Set to `true` to avoid running any SAST jobs |
 ### ToDos
-
-- Move the use of `SAST_DISABLED` to the `include:`
-
-```yaml
-include:
- - component: gitlab.com/gitlab-components/sast@main
- inputs: { ... }
- rules:
- - if: $SAST_DISABLED != "true"
-```
diff --git a/template.yml b/template.yml
index a9f306d..7ae44c1 100644
--- a/template.yml
+++ b/template.yml
@@ -37,8 +37,6 @@ brakeman-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]"
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[ inputs.excluded_analyzers ]" =~ /brakeman/'
 when: never
 - if: $CI_COMMIT_BRANCH
@@ -51,8 +49,6 @@ flawfinder-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/flawfinder:$[[ inputs.image_tag ]]"
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[ inputs.excluded_analyzes ]" =~ /flawfinder/'
 when: never
 - if: $CI_COMMIT_BRANCH
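Review bot: Once the `$SAST_DISABLED` guard is removed, the `excluded_analyzers` rule left as context is the only per-job opt-out for brakeman-sast, and on the visible line it reads `"$[ inputs.excluded_analyzers ]"` with single brackets, while the `image.name` line two lines above and every other job in this patch (kubesec, mobsf, semgrep, ...) use `$[[ ... ]]`. If single brackets are not expanded as component interpolation, the literal text never matches `/brakeman/` and a consumer who lists brakeman in `excluded_analyzers` still gets the job run, with no error to tell them why. Suggest fixing it in the same change: `- if: '"$[[ inputs.excluded_analyzers ]]" =~ /brakeman/'`. The brakeman-sast job starts before this hunk.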
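Review bot: The flawfinder-sast exclusion rule kept as context here has the same single-bracket interpolation `$[ ... ]` as the brakeman hunk and additionally spells the input `excluded_analyzes`, which does not match the `excluded_analyzers` name used by every other job in this patch. With the `$SAST_DISABLED` guard gone this rule is the only remaining way to skip the job, and as written it either never matches or, if the interpolation were expanded, references an input that presumably is not declared. Suggest `- if: '"$[[ inputs.excluded_analyzers ]]" =~ /flawfinder/'`. The flawfinder-sast job starts before this hunk.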
@@ -69,8 +65,6 @@ kubesec-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]"
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
 when: never
 - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'
@@ -83,8 +77,6 @@ kubesec-sast:
 mobsf-android-sast:
 extends: .mobsf-sast
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
 when: never
 - if: $CI_COMMIT_BRANCH &&
@@ -96,8 +88,6 @@ mobsf-android-sast:
 mobsf-ios-sast:
 extends: .mobsf-sast
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/'
 when: never
 - if: $CI_COMMIT_BRANCH &&
@@ -111,8 +101,6 @@ nodejs-scan-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]"
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/'
 when: never
 - if: $CI_COMMIT_BRANCH
@@ -124,8 +112,6 @@ phpcs-security-audit-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]"
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/'
 when: never
 - if: $CI_COMMIT_BRANCH
@@ -137,8 +123,6 @@ pmd-apex-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]"
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
 when: never
 - if: $CI_COMMIT_BRANCH
@@ -150,8 +134,6 @@ security-code-scan-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/security-code-scan:$[[ inputs.image_tag ]]"
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /security-code-scan/'
 when: never
 - if: $CI_COMMIT_BRANCH
@@ -166,8 +148,6 @@ semgrep-sast:
 variables:
 SEARCH_MAX_DEPTH: 20
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
 when: never
 - if: $CI_COMMIT_BRANCH
@@ -190,8 +170,6 @@ sobelow-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]"
 rules:
- - if: $SAST_DISABLED
- when: never
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
 when: never
 - if: $CI_COMMIT_BRANCH
@@ -209,8 +187,6 @@ spotbugs-sast:
 exists:
 - '**/AndroidManifest.xml'
 when: never
- - if: $SAST_DISABLED
- when: never
 - if: $CI_COMMIT_BRANCH
 exists:
 - '**/*.groovy'
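Review bot: Deleting `- if: $SAST_DISABLED` / `when: never` from spotbugs-sast (and from every other job in this patch) silently changes behaviour for consumers who already set the variable: the removed rule skipped the job for any non-empty value, whereas the include-level rule the README in this patch recommends, `if: $SAST_DISABLED != "true"`, only skips for the exact string "true", so a project exporting `SAST_DISABLED=1` will now run whichever jobs its other rules match. Nothing in the commit message flags this as a breaking change; suggest calling it out there and stating in the README that only `SAST_DISABLED="true"` is honoured from this version on. Note also that in this hunk the guard sat after the `AndroidManifest.xml` exclusion rather than first as in the other jobs, so the remaining rule ordering for spotbugs-sast is worth a second look; the job starts before this hunk and its rules continue after it.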