support advanced-sast

closes #4

README.md

@@ -44,6 +44,7 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
 | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
 | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
 | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  |
+| `advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ]
 | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) |
 
 ## Contribute

templates/sast.yml

@@ -16,6 +16,9 @@ spec:
       default: '4'
     run_kubesec_sast:
       default: 'false'
+    advanced_sast:
+      default: false
+      type: boolean
     include_experimental:
       default: 'false'
 ---
@@ -27,7 +30,8 @@ spec:
   # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
   variables:
     SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
-    SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
+    DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
+    SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
   script:
     - /analyzer run
   artifacts:
@@ -44,6 +48,31 @@ spec:
   rules:
     - when: never
 
+gitlab-advanced-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
+  variables:
+    SAST_ANALYZER_IMAGE_TAG: 1
+    SEARCH_MAX_DEPTH: 20
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
+      when: never
+    - if: '"$[[ inputs.advanced_sast ]]" != "true"'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/
+      exists:
+        - '**/*.py'
+        - '**/*.go'
+        - '**/*.java'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.ts'
+        - '**/*.tsx'
+        - '**/*.cjs'
+        - '**/*.mjs'
+        - '**/*.cs'
 
 brakeman-sast:
   extends: .deprecated-16.8
@@ -101,6 +130,35 @@ semgrep-sast:
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
       when: never
+    # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
+    - if: '$CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.advanced_sast ]]" == "true"'
+      variables:
+        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs"
+      exists:
+        - '**/*.c'
+        - '**/*.cc'
+        - '**/*.cpp'
+        - '**/*.c++'
+        - '**/*.cp'
+        - '**/*.cxx'
+        - '**/*.h'
+        - '**/*.hpp'
+        - '**/*.scala'
+        - '**/*.sc'
+        - '**/*.php'
+        - '**/*.swift'
+        - '**/*.m'
+        - '**/*.rb'
+        - '**/*.kt'
+    ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
+    - if: '$CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.advanced_sast ]]" == "true"'
+      when: never
     - if: $CI_COMMIT_BRANCH
       exists:
         - '**/*.py'