From fb486fb1a3ca2cb68f3fe7e6cb2f83a8ac0718eb Mon Sep 17 00:00:00 2001 From: Duncan Macleod Date: Fri, 6 Sep 2024 15:31:27 +0100 Subject: [PATCH] support advanced-sast closes #4 --- README.md | 1 + templates/sast.yml | 60 +++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 60 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 876cefb..81a1dee 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,7 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | +| `advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | ## Contribute diff --git a/templates/sast.yml b/templates/sast.yml index 1df0240..0fc6cfb 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -16,6 +16,9 @@ spec: default: '4' run_kubesec_sast: default: 'false' + advanced_sast: + default: false + type: boolean include_experimental: default: 'false' --- @@ -27,7 +30,8 @@ spec: # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead. variables: SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] - SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] + DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" script: - /analyzer run artifacts: @@ -44,6 +48,31 @@ spec: rules: - when: never +gitlab-advanced-sast: + extends: .sast-analyzer + image: + name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" + variables: + SAST_ANALYZER_IMAGE_TAG: 1 + SEARCH_MAX_DEPTH: 20 + rules: + - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' + when: never + - if: '"$[[ inputs.advanced_sast ]]" != "true"' + when: never + - if: $CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ + exists: + - '**/*.py' + - '**/*.go' + - '**/*.java' + - '**/*.js' + - '**/*.jsx' + - '**/*.ts' + - '**/*.tsx' + - '**/*.cjs' + - '**/*.mjs' + - '**/*.cs' brakeman-sast: extends: .deprecated-16.8 @@ -101,6 +130,35 @@ semgrep-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' when: never + # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast + - if: '$CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.advanced_sast ]]" == "true"' + variables: + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs" + exists: + - '**/*.c' + - '**/*.cc' + - '**/*.cpp' + - '**/*.c++' + - '**/*.cp' + - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' + - '**/*.scala' + - '**/*.sc' + - '**/*.php' + - '**/*.swift' + - '**/*.m' + - '**/*.rb' + - '**/*.kt' + ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned + - if: '$CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.advanced_sast ]]" == "true"' + when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.py'