From 4852fea0ce8b49d6fc69e3d1551f1f23b9a8136e Mon Sep 17 00:00:00 2001 From: Craig Smith <5344211-craigmsmith@users.noreply.gitlab.com> Date: Tue, 7 May 2024 13:33:41 +0000 Subject: [PATCH 01/21] Disable analyzer replaced by semgrep --- .gitlab-ci.yml | 4 +-- templates/sast.yml | 76 ++++++++++++++-------------------------------- 2 files changed, 25 insertions(+), 55 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 058bc38..f71afe0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,12 +3,12 @@ include: stages: [test, release] -ensure-brakeman-job-added: +ensure-semgrep-job-added: image: badouralix/curl-jq script: - | route="$CI_API_V4_URL/projects/$CI_PROJECT_ID/pipelines/$CI_PIPELINE_ID/jobs" - count=`curl --silent $route | jq 'map(select(.name | contains("brakeman-sast"))) | length'` + count=`curl --silent $route | jq 'map(select(.name | contains("semgrep-sast"))) | length'` if [ "$count" != "1" ]; then exit 1 fi diff --git a/templates/sast.yml b/templates/sast.yml index a3f3bff..ac78956 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -34,19 +34,7 @@ spec: reports: sast: gl-sast-report.json -brakeman-sast: - extends: .sast-analyzer - image: - name: "$[[ inputs.image_prefix ]]/brakeman:$[[ inputs.image_tag ]]" - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /brakeman/' - when: never - - if: $CI_COMMIT_BRANCH - exists: - - '**/*.rb' - - '**/Gemfile' - -flawfinder-sast: +.deprecated-16.8: extends: .sast-analyzer script: - echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0" @@ -55,6 +43,13 @@ flawfinder-sast: rules: - when: never + +brakeman-sast: + extends: .deprecated-16.8 + +flawfinder-sast: + extends: .deprecated-16.8 + kubesec-sast: extends: .sast-analyzer image: 
@@ -64,52 +59,17 @@ kubesec-sast: when: never - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"' -.mobsf-sast: - extends: .sast-analyzer - image: - name: "$[[ inputs.image_prefix ]]/mobsf:$[[ inputs.image_tag ]]" - mobsf-android-sast: - extends: .mobsf-sast - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/' - when: never - - if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"' - exists: - - '**/*.apk' - - '**/AndroidManifest.xml' + extends: .deprecated-16.8 mobsf-ios-sast: - extends: .mobsf-sast - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /mobsf/' - when: never - - if: '$CI_COMMIT_BRANCH && "$[[ inputs.include_experimental ]]" == "true"' - exists: - - '**/*.ipa' - - '**/*.xcodeproj/*' + extends: .deprecated-16.8 nodejs-scan-sast: - extends: .sast-analyzer - image: - name: "$[[ inputs.image_prefix ]]/nodejs-scan:$[[ inputs.image_tag ]]" - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /nodejs-scan/' - when: never - - if: $CI_COMMIT_BRANCH - exists: - - '**/package.json' + extends: .deprecated-16.8 phpcs-security-audit-sast: - extends: .sast-analyzer - image: - name: "$[[ inputs.image_prefix ]]/phpcs-security-audit:$[[ inputs.image_tag ]]" - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /phpcs-security-audit/' - when: never - - if: $CI_COMMIT_BRANCH - exists: - - '**/*.php' + extends: .deprecated-16.8 pmd-apex-sast: extends: .sast-analyzer @@ -148,12 +108,22 @@ semgrep-sast: - '**/*.ts' - '**/*.tsx' - '**/*.c' + - '**/*.cc' + - '**/*.cpp' + - '**/*.c++' + - '**/*.cp' + - '**/*.cxx' - '**/*.go' - '**/*.java' - - '**/*.cs' - '**/*.html' + - '**/*.cs' - '**/*.scala' - '**/*.sc' + - '**/*.php' + - '**/*.swift' + - '**/*.m' + - '**/*.rb' + - '**/*.kt' sobelow-sast: extends: .sast-analyzer From 6e626ca47661466e3a47ffc7afdb613b961ae10f Mon Sep 17 00:00:00 2001 
From: Craig Smith <5344211-craigmsmith@users.noreply.gitlab.com> Date: Wed, 8 May 2024 15:13:14 +1000 Subject: [PATCH 02/21] Bump SAST major analyzer version to 5 --- templates/sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/sast.yml b/templates/sast.yml index ac78956..048ee87 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -5,7 +5,7 @@ spec: image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_tag: - default: '4' + default: '5' image_suffix: default: "" excluded_analyzers: From da62bda8293b6e45fbf2fc0ca9c84e0720cfccfd Mon Sep 17 00:00:00 2001 From: Connor Gilbert Date: Wed, 22 May 2024 18:32:05 +0000 Subject: [PATCH 03/21] Remove Scala and Kotlin from SpotBugs --- templates/sast.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index 048ee87..d739f1b 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -150,5 +150,3 @@ spotbugs-sast: - if: $CI_COMMIT_BRANCH exists: - '**/*.groovy' - - '**/*.scala' - - '**/*.kt' From 70b25f51acfc2c16cc76fc1284b2ea7d5807f2bf Mon Sep 17 00:00:00 2001 From: Ahmed Hemdan Date: Tue, 25 Jun 2024 18:22:33 +0200 Subject: [PATCH 04/21] Run a couple of jobs only on Gitlab.com --- .gitlab-ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f71afe0..f9c85ae 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -13,7 +13,7 @@ ensure-semgrep-job-added: exit 1 fi rules: - - if: $CI_COMMIT_BRANCH + - if: $CI_COMMIT_BRANCH && $CI_SERVER_HOST =~ /gitlab.com/ # Ensure that a project description exists, because it will be important to display # the resource in the catalog. @@ -29,6 +29,8 @@ check-description: else echo "Description set" fi + rules: + - if: $CI_SERVER_HOST =~ /gitlab.com/ # Ensure that a `README.md` exists in the root directory as it represents the # documentation for the whole components repository. 
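Review bot: The host gate added to the `ensure-semgrep-job-added` rule, `$CI_SERVER_HOST =~ /gitlab.com/`, is unanchored and its dot is unescaped, so it also matches hosts such as `gitlab.com.example.net`, `mygitlab.com` or `gitlabXcom`; the same pattern is added to `check-description` in the second hunk of this patch. Since the intent is to run these catalog checks only on GitLab.com, compare the literal instead: `- if: $CI_COMMIT_BRANCH && $CI_SERVER_HOST == "gitlab.com"` (and `- if: $CI_SERVER_HOST == "gitlab.com"` for `check-description`), or anchor the regex as `/^gitlab\.com$/` if a pattern is preferred. Both enclosing jobs start outside their hunks.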
From ab9a7d68619cd8a9c4403f778191a312c9777139 Mon Sep 17 00:00:00 2001 From: Tal Kopel Date: Tue, 16 Jul 2024 10:18:20 +0000 Subject: [PATCH 05/21] Update file sast.yml --- templates/sast.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/sast.yml b/templates/sast.yml index d739f1b..7da16bd 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -124,6 +124,8 @@ semgrep-sast: - '**/*.m' - '**/*.rb' - '**/*.kt' + - '**/*.cjs' + - '**/*.mjs' sobelow-sast: extends: .sast-analyzer From 15ceb61e9802a43fe570f2996d355580a617c4aa Mon Sep 17 00:00:00 2001 From: Tal Kopel Date: Sun, 28 Jul 2024 10:58:34 +0000 Subject: [PATCH 06/21] Restricting access to reports --- templates/sast.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/sast.yml b/templates/sast.yml index 7da16bd..14e6399 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -31,6 +31,7 @@ spec: script: - /analyzer run artifacts: + access: 'developer' reports: sast: gl-sast-report.json From d2b153a0eada2eeff569f9186b6ee1057fc3c8e9 Mon Sep 17 00:00:00 2001 From: Isaac Dawson Date: Mon, 29 Jul 2024 03:54:31 +0000 Subject: [PATCH 07/21] Update sast.yml to match Jobs/SAST.gitlab-ci.yml exists --- templates/sast.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/sast.yml b/templates/sast.yml index 14e6399..1df0240 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -114,9 +114,10 @@ semgrep-sast: - '**/*.c++' - '**/*.cp' - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' - '**/*.go' - '**/*.java' - - '**/*.html' - '**/*.cs' - '**/*.scala' - '**/*.sc' From 6cf357976eafcfda026febddfba3745451f94af6 Mon Sep 17 00:00:00 2001 From: Duncan Macleod Date: Tue, 1 Oct 2024 20:24:04 +0000 Subject: [PATCH 08/21] Add support for advanced sast --- README.md | 1 + templates/sast.yml | 61 +++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 876cefb..ca020ac 100644 --- a/README.md 
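Review bot: `artifacts:access` on `.sast-analyzer` is a recent CI keyword (introduced in GitLab 16.11, if I recall correctly) and the component states no minimum GitLab version, so older self-managed instances would reject the template at lint time rather than ignore the key. Worth recording next to it, e.g. `access: 'developer'  # requires GitLab 16.11+; keeps the SAST report from being downloaded by guest/reporter users`, and mentioning the requirement in the README. The restriction itself is the right direction, since `gl-sast-report.json` names vulnerable files and lines. The `.sast-analyzer` job starts outside the hunk.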
+++ b/README.md @@ -44,6 +44,7 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] | `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | ## Contribute diff --git a/templates/sast.yml b/templates/sast.yml index 1df0240..1ce3f54 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -16,6 +16,9 @@ spec: default: '4' run_kubesec_sast: default: 'false' + run_advanced_sast: + default: false + type: boolean include_experimental: default: 'false' --- @@ -27,7 +30,8 @@ spec: # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead. variables: SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] - SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] + DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS" script: - /analyzer run artifacts: 
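Review bot: `run_advanced_sast` is declared with `type: boolean` and an unquoted `false`, while the neighbouring toggles `run_kubesec_sast` and `include_experimental` are quoted `'false'` strings with no type; the rules compare all of them as strings (`"$[[ inputs.run_advanced_sast ]]" != "true"`), so it works, but two conventions in one `inputs` block invite the wrong value type from users. Either type the existing toggles as booleans too or keep the new one a quoted string, and state the choice in the README row. The second hunk's `SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"` indirection also deserves a why-comment, e.g. `# kept separate so per-rule variables can extend the default list without losing the input value`.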
@@ -44,6 +48,33 @@ spec: rules: - when: never +gitlab-advanced-sast: + extends: .sast-analyzer + image: + name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" + variables: + SAST_ANALYZER_IMAGE_TAG: 1 + SEARCH_MAX_DEPTH: 20 + rules: + - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' + when: never + - if: '"$[[ inputs.run_advanced_sast ]]" != "true"' + when: never + - if: $CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ + exists: + - '**/*.py' + - '**/*.go' + - '**/*.java' + - '**/*.jsp' + - '**/*.js' + - '**/*.jsx' + - '**/*.ts' + - '**/*.tsx' + - '**/*.cjs' + - '**/*.mjs' + - '**/*.cs' + - '**/*.rb' brakeman-sast: extends: .deprecated-16.8 @@ -101,6 +132,34 @@ semgrep-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' when: never + # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast + - if: '$CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" == "true"' + variables: + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" + exists: + - '**/*.c' + - '**/*.cc' + - '**/*.cpp' + - '**/*.c++' + - '**/*.cp' + - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' + - '**/*.scala' + - '**/*.sc' + - '**/*.php' + - '**/*.swift' + - '**/*.m' + - '**/*.kt' + ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned + - if: '$CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" == "true"' + when: never - if: $CI_COMMIT_BRANCH exists: - '**/*.py' From ca69838c0f63e8364865afb804f96fd41448a4c5 Mon Sep 17 00:00:00 2001 
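Review bot: `SEARCH_MAX_DEPTH: 20` in the new `gitlab-advanced-sast` job silently overrides the `SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]` that `.sast-analyzer` sets from the `search_max_depth` input, so for this job the documented input has no effect. If the deeper value is deliberate for this analyzer, say so on the line, e.g. `SEARCH_MAX_DEPTH: 20  # intentionally ignores inputs.search_max_depth for this analyzer`, otherwise drop the line so the input applies. `SAST_ANALYZER_IMAGE_TAG: 1` is an unquoted integer; it interpolates the same into the image name, but `"1"` would match the quoting used for `image_tag`.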
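Review bot: The rule-level `SAST_EXCLUDED_PATHS` built from `DEFAULT_SAST_EXCLUDED_PATHS` is the only thing preventing duplicate findings when both analyzers run, and a project that configures `SAST_EXCLUDED_PATHS` directly as a CI/CD variable (which the README points users to) will presumably replace the whole computed value and have Semgrep re-scan the Python/Go/Java/JS files; confirm the precedence and document the caveat either way. The two new rules repeat a four-line condition verbatim; a comment such as `# same gate as the rule above; only the exists list differs, so this is the "GLAS covers everything" fall-through` on the second one would make the intent readable. The `semgrep-sast` job starts outside the hunk.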
From: Ahmed Hemdan Date: Mon, 27 Jan 2025 10:26:44 +0100 Subject: [PATCH 09/21] Add LICENSE --- LICENSE | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..0fb88d0 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2023 GitLab Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. From ca92338af75a4ab585379e18df6dca553f7a45a3 Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 4 Mar 2025 11:03:24 +0000 Subject: [PATCH 10/21] Add newly supported file extensions yml, .properties --- templates/sast.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/templates/sast.yml b/templates/sast.yml index 1ce3f54..927d012 100644 --- a/templates/sast.yml +++ b/templates/sast.yml 
@@ -154,6 +154,9 @@ semgrep-sast: - '**/*.swift' - '**/*.m' - '**/*.kt' + - '**/*.yml' + - '**/*.yaml' + - '**/*.properties' ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned - if: '$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ && @@ -187,7 +190,10 @@ semgrep-sast: - '**/*.kt' - '**/*.cjs' - '**/*.mjs' - + - '**/*.yml' + - '**/*.yaml' + - '**/*.properties' + sobelow-sast: extends: .sast-analyzer image: From 2919a042981daf36c562695955dc056f5c79a167 Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Mon, 17 Mar 2025 15:06:27 +0100 Subject: [PATCH 11/21] Refine exists patterns in components template --- templates/sast.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index 927d012..6dad115 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -154,9 +154,11 @@ semgrep-sast: - '**/*.swift' - '**/*.m' - '**/*.kt' - - '**/*.yml' - - '**/*.yaml' - '**/*.properties' + - '**/application*.yml' + - '**/bootstrap*.yml' + - '**/application*.yaml' + - '**/bootstrap*.yaml' ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned - if: '$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ && @@ -190,9 +192,11 @@ semgrep-sast: - '**/*.kt' - '**/*.cjs' - '**/*.mjs' - - '**/*.yml' - - '**/*.yaml' - '**/*.properties' + - '**/application*.yml' + - '**/bootstrap*.yml' + - '**/application*.yaml' + - '**/bootstrap*.yaml' sobelow-sast: extends: .sast-analyzer From 446d4146f594e3a4373e66b82bbd55cfc76f4ca6 Mon Sep 17 00:00:00 2001 From: "hyan@gitlab.com" Date: Thu, 27 Mar 2025 16:51:36 +1100 Subject: [PATCH 12/21] Test GLAS multicore --- templates/sast.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/templates/sast.yml b/templates/sast.yml index 6dad115..b8c33fe 100644 --- a/templates/sast.yml +++ b/templates/sast.yml 
@@ -55,6 +55,20 @@ gitlab-advanced-sast: variables: SAST_ANALYZER_IMAGE_TAG: 1 SEARCH_MAX_DEPTH: 20 + SCAN_METRICS_FILE: scan_metrics.csv + cache: + key: "$CI_COMMIT_REF_SLUG-scan-metrics" + paths: + - "$SCAN_METRICS_FILE" + policy: pull-push + artifacts: + access: 'developer' + reports: + sast: gl-sast-report.json + paths: + - "$SCAN_METRICS_FILE" + when: always + expire_in: 7 days rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' when: never From c6ea9d4f34116c8f2b4f4efc58dd3846ea1d20f1 Mon Sep 17 00:00:00 2001 From: "hyan@gitlab.com" Date: Fri, 4 Apr 2025 11:29:31 +1100 Subject: [PATCH 13/21] Test GLAS multicore --- templates/sast.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index b8c33fe..cafc8f1 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -60,15 +60,6 @@ gitlab-advanced-sast: key: "$CI_COMMIT_REF_SLUG-scan-metrics" paths: - "$SCAN_METRICS_FILE" - policy: pull-push - artifacts: - access: 'developer' - reports: - sast: gl-sast-report.json - paths: - - "$SCAN_METRICS_FILE" - when: always - expire_in: 7 days rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' when: never From 4ea446f709bbe776fef6fdb8d7d8b5b4356bfe48 Mon Sep 17 00:00:00 2001 From: "hyan@gitlab.com" Date: Tue, 8 Apr 2025 10:57:15 +1000 Subject: [PATCH 14/21] Improve cache --- templates/sast.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/sast.yml b/templates/sast.yml index cafc8f1..0d0145d 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -57,7 +57,9 @@ gitlab-advanced-sast: SEARCH_MAX_DEPTH: 20 SCAN_METRICS_FILE: scan_metrics.csv cache: - key: "$CI_COMMIT_REF_SLUG-scan-metrics" + key: "scan-metrics-$CI_COMMIT_REF_SLUG" + fallback_keys: + - "scan-metrics-$CI_DEFAULT_BRANCH" paths: - "$SCAN_METRICS_FILE" rules: From 8c5526b0f42c4f5f709c80360b7d3b65e9c9c975 Mon Sep 17 00:00:00 2001 
From: Hua Yan Date: Wed, 23 Apr 2025 13:01:09 +1000 Subject: [PATCH 15/21] Set path as "scan_metrics.csv" --- templates/sast.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index 0d0145d..d16055d 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -55,13 +55,12 @@ gitlab-advanced-sast: variables: SAST_ANALYZER_IMAGE_TAG: 1 SEARCH_MAX_DEPTH: 20 - SCAN_METRICS_FILE: scan_metrics.csv cache: key: "scan-metrics-$CI_COMMIT_REF_SLUG" fallback_keys: - "scan-metrics-$CI_DEFAULT_BRANCH" paths: - - "$SCAN_METRICS_FILE" + - "scan_metrics.csv" rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' when: never From 70e258313531c24ed6edbac44f9adfc5caae9450 Mon Sep 17 00:00:00 2001 From: "hyan@gitlab.com" Date: Mon, 28 Apr 2025 13:30:50 +1000 Subject: [PATCH 16/21] Bump analyser versions for 18.0 --- templates/sast.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/sast.yml b/templates/sast.yml index 6dad115..028d190 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -5,7 +5,7 @@ spec: image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_tag: - default: '5' + default: '6' image_suffix: default: "" excluded_analyzers: @@ -53,7 +53,7 @@ gitlab-advanced-sast: image: name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" variables: - SAST_ANALYZER_IMAGE_TAG: 1 + SAST_ANALYZER_IMAGE_TAG: 2 SEARCH_MAX_DEPTH: 20 rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' From ab29b14503d9e299dcc3b5c9f2e5df63cb99620a Mon Sep 17 00:00:00 2001 From: Rob Jackson Date: Wed, 28 May 2025 08:44:47 -0400 Subject: [PATCH 17/21] Added KICS IaC Scanner --- README.md | 63 +++++++++++++++++++++++++++++++++--------- templates/iac-sast.yml | 38 +++++++++++++++++++++++++ 2 files changed, 88 insertions(+), 13 deletions(-) create mode 100644 templates/iac-sast.yml 
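Review bot: Removing `SCAN_METRICS_FILE` from `variables` while hard-coding `scan_metrics.csv` in `cache:paths` ties the cache to whatever path the analyzer writes by default; if the analyzer honoured that variable to choose its output location, nothing in the template tells it to use `scan_metrics.csv` any more and the cache would silently stay empty. Worth pinning the contract on the path line, e.g. `- "scan_metrics.csv"  # must match the analyzer's default metrics output path`. The `gitlab-advanced-sast` job starts outside the hunk.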
diff --git a/README.md b/README.md index ca020ac..c6a0302 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,17 @@ -# SAST (Static Application Security Testing) -Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/ +This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code scanning. -Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). -List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables +[[_TOC_]] -## Usage +## Static Application Security Testing (SAST) + +### Documentation References + +Configuration for SAST can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). + +More information about GitLab SAST is available within [GitLab documentation](https://docs.gitlab.com/ee/user/application_security/sast/), along with the [available variables](https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables). + +### Usage You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` keyword. 
@@ -35,17 +41,48 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit ### Inputs | Input | Default value | Description | -| ----- | ------------- | ----------- | -| `stage` | `test` | The stage where you want the job to be added | -| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | -| `image_tag` | `4` | Tag of the Docker image to use | +| ----- | ------------- | ----------- | +| `stage` | `test` | The stage where you want the job to be added | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | +| `image_tag` | `4` | Tag of the Docker image to use | | `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | -| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | -| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | +| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] -| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced 
SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | +| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | + +## Infrastructure as Code (IaC) Scanning + +### Documentation References + +Configuration for IaC scanning can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/). + +More information about GitLab Infrastructure as Code scanning is available within [GitLab documentation](https://docs.gitlab.com/user/application_security/iac_scanning/). + +### Usage + +You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` +keyword. + +```yaml +include: + - component: gitlab.com/components/sast/iac-sast@ +``` + +where `` is the latest released tag or `main`. + +### Inputs + +| Input | Default value | Description | +| ----- | ------------- | ----------- | +| `stage` | `test` | The stage where you want the job to be added | +| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | +| `image_tag` | `6` | Tag of the Docker image to use | +| `image_suffix` | `""` | Suffix added to image. | +| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | +| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | ## Contribute diff --git a/templates/iac-sast.yml b/templates/iac-sast.yml new file mode 100644 index 0000000..d657763 --- /dev/null +++ b/templates/iac-sast.yml 
@@ -0,0 +1,38 @@ +# Component created based on GitLab's IAC SAST Scanning template +# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/ + +spec: + inputs: + stage: + default: test + excluded_paths: + default: "spec, test, tests, tmp" + excluded_analyzers: + default: "" + image_prefix: + default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" + image_suffix: + dafault: "" + search_max_depth: + default: 4 + image_tag: + default: 6 + +--- +kics-iac-sast: + stage: $[[ inputs.stage ]] + image: + name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" + variables: + SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] + script: + - /analyzer run + artifacts: + access: 'developer' + reports: + sast: gl-sast-report.json + allow_failure: true + rules: + - if: $[[ inputs.excluded_analyzers ]] =~ /kics/ + when: never + - if: $CI_COMMIT_BRANCH From 367e3f398930ac22ca71e01b0622f6accf2a40a0 Mon Sep 17 00:00:00 2001 From: Hua Yan Date: Mon, 2 Jun 2025 10:27:26 +1000 Subject: [PATCH 18/21] Fix typo --- templates/iac-sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/iac-sast.yml b/templates/iac-sast.yml index d657763..3da0295 100644 --- a/templates/iac-sast.yml +++ b/templates/iac-sast.yml @@ -12,7 +12,7 @@ spec: image_prefix: default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" image_suffix: - dafault: "" + default: "" search_max_depth: default: 4 image_tag: From 11e99e2111285791a531e5d3665122251babc267 Mon Sep 17 00:00:00 2001 From: Philip Cunningham Date: Mon, 2 Jun 2025 09:52:33 +0100 Subject: [PATCH 19/21] Add PHP language support to gitlab-advanced-sast --- README.md | 4 +- templates/sast.yml | 161 ++++++++++++++++++++++++++------------------- 2 files changed, 95 insertions(+), 70 deletions(-) diff --git a/README.md b/README.md index c6a0302..ed7a4de 100644 --- a/README.md +++ b/README.md 
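Review bot: The new `kics-iac-sast` job declares an `excluded_paths` input (default `"spec, test, tests, tmp"`) and the README documents it, but nothing in the job reads it, so the input is silently ignored and the analyzer runs with its own defaults. Wire it the way `sast.yml` does, under `variables:`: `SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]`. `image_tag` also defaults to an unquoted `6` here whereas `sast.yml` quotes its tag; both interpolate identically today, but a quoted `'6'` keeps the components consistent and avoids a tag such as `6.10` being read as the float 6.1.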
@@ -50,8 +50,8 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | -| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | -| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | +| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | +| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) | ## Infrastructure as Code (IaC) Scanning diff --git a/templates/sast.yml b/templates/sast.yml index ccb3eec..64e7743 100644 --- a/templates/sast.yml +++ b/templates/sast.yml @@ -21,6 +21,9 @@ spec: type: boolean include_experimental: default: 'false' + ff_glas_enable_php_support: + default: true + type: boolean --- .sast-analyzer: stage: $[[ inputs.stage ]] 
@@ -48,11 +51,83 @@ spec: rules: - when: never +.gitlab-advanced-sast-exist-rules: + exists: + - '**/*.py' + - '**/*.go' + - '**/*.java' + - '**/*.jsp' + - '**/*.js' + - '**/*.jsx' + - '**/*.ts' + - '**/*.tsx' + - '**/*.cjs' + - '**/*.mjs' + - '**/*.cs' + - '**/*.rb' + - '**/*.php' + +.semgrep-with-advanced-sast-exist-rules: + exists: + - '**/*.c' + - '**/*.cc' + - '**/*.cpp' + - '**/*.c++' + - '**/*.cp' + - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' + - '**/*.scala' + - '**/*.sc' + - '**/*.php' + - '**/*.swift' + - '**/*.m' + - '**/*.kt' + - '**/*.properties' + - '**/application*.yml' + - '**/bootstrap*.yml' + - '**/application*.yaml' + - '**/bootstrap*.yaml' + +.semgrep-exist-rules: + exists: + - '**/*.py' + - '**/*.js' + - '**/*.jsx' + - '**/*.ts' + - '**/*.tsx' + - '**/*.c' + - '**/*.cc' + - '**/*.cpp' + - '**/*.c++' + - '**/*.cp' + - '**/*.cxx' + - '**/*.h' + - '**/*.hpp' + - '**/*.go' + - '**/*.java' + - '**/*.cs' + - '**/*.scala' + - '**/*.sc' + - '**/*.php' + - '**/*.swift' + - '**/*.m' + - '**/*.rb' + - '**/*.kt' + - '**/*.cjs' + - '**/*.mjs' + - '**/*.properties' + - '**/application*.yml' + - '**/bootstrap*.yml' + - '**/application*.yaml' + - '**/bootstrap*.yaml' + gitlab-advanced-sast: extends: .sast-analyzer image: name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" variables: + FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]" SAST_ANALYZER_IMAGE_TAG: 2 SEARCH_MAX_DEPTH: 20 cache: @@ -68,19 +143,7 @@ gitlab-advanced-sast: when: never - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ - exists: - - '**/*.py' - - '**/*.go' - - '**/*.java' - - '**/*.jsp' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.cjs' - - '**/*.mjs' - - '**/*.cs' - - '**/*.rb' + exists: !reference [.gitlab-advanced-sast-exist-rules, exists] brakeman-sast: extends: .deprecated-16.8 
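Review bot: `.gitlab-advanced-sast-exist-rules` lists `'**/*.php'` unconditionally, so a repository whose only matching files are PHP will start `gitlab-advanced-sast` even when `ff_glas_enable_php_support` is false; with the flag off the analyzer presumably has nothing to scan and the job only consumes a runner. If the flag is meant to gate PHP end to end, the job's `rules` need the `.php` entry only when `"$[[ inputs.ff_glas_enable_php_support ]]" == "true"`, for example a PHP-free exists template for the disabled case selected by a second `if`. Either way, a comment above the `'**/*.php'` entry naming the toggle it depends on, e.g. `# only scanned when inputs.ff_glas_enable_php_support is true`, would help the next reader.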
@@ -138,72 +201,34 @@ semgrep-sast: rules: - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' when: never - # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast + # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast - if: '$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && - "$[[ inputs.run_advanced_sast ]]" == "true"' + "$[[ inputs.run_advanced_sast ]]" == "true" && + "$[[ inputs.ff_glas_enable_php_support ]]" == "true"' + variables: + SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php" + exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists] + # When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast + - if: '$CI_COMMIT_BRANCH && + $GITLAB_FEATURES =~ /\bsast_advanced\b/ && + "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && + "$[[ inputs.run_advanced_sast ]]" == "true" && + "$[[ inputs.ff_glas_enable_php_support ]]" != "true"' variables: SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" - exists: - - '**/*.c' - - '**/*.cc' - - '**/*.cpp' - - '**/*.c++' - - '**/*.cp' - - '**/*.cxx' - - '**/*.h' - - '**/*.hpp' - - '**/*.scala' - - '**/*.sc' - - '**/*.php' - - '**/*.swift' - - '**/*.m' - - '**/*.kt' - - '**/*.properties' - - '**/application*.yml' - - '**/bootstrap*.yml' - - '**/application*.yaml' - - '**/bootstrap*.yaml' - ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned + exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists] + # Fallback when advanced SAST covers everything - 
if: '$CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast_advanced\b/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.run_advanced_sast ]]" == "true"' when: never + # Default case - run for all supported files - if: $CI_COMMIT_BRANCH - exists: - - '**/*.py' - - '**/*.js' - - '**/*.jsx' - - '**/*.ts' - - '**/*.tsx' - - '**/*.c' - - '**/*.cc' - - '**/*.cpp' - - '**/*.c++' - - '**/*.cp' - - '**/*.cxx' - - '**/*.h' - - '**/*.hpp' - - '**/*.go' - - '**/*.java' - - '**/*.cs' - - '**/*.scala' - - '**/*.sc' - - '**/*.php' - - '**/*.swift' - - '**/*.m' - - '**/*.rb' - - '**/*.kt' - - '**/*.cjs' - - '**/*.mjs' - - '**/*.properties' - - '**/application*.yml' - - '**/bootstrap*.yml' - - '**/application*.yaml' - - '**/bootstrap*.yaml' - + exists: !reference [.semgrep-exist-rules, exists] + sobelow-sast: extends: .sast-analyzer image: From 164e1f07ad2cc64f82363a150d5d4f96d298cce0 Mon Sep 17 00:00:00 2001 From: Hua Yan Date: Tue, 3 Jun 2025 10:46:50 +1000 Subject: [PATCH 20/21] Try fix --- templates/iac-sast-fix.yml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 templates/iac-sast-fix.yml diff --git a/templates/iac-sast-fix.yml b/templates/iac-sast-fix.yml new file mode 100644 index 0000000..81ff32c --- /dev/null +++ b/templates/iac-sast-fix.yml 
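Review bot: The PHP-enabled rule (the first `- if:` block) adds `**/*.php` to `SAST_EXCLUDED_PATHS` but its `exists` still references `.semgrep-with-advanced-sast-exist-rules`, which contains `'**/*.php'`; a repository where PHP is the only language not covered by GLAS therefore still starts `semgrep-sast`, which then excludes every file it matched on and emits an empty report. That branch needs an exists list without the `.php` entry — a second hidden template identical to `.semgrep-with-advanced-sast-exist-rules` minus `'**/*.php'`, referenced only from the PHP-enabled rule — so that the following `when: never` rule takes effect instead. The `semgrep-sast` job starts outside the hunk.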
@@ -0,0 +1,38 @@ +# Component created based on GitLab's IAC SAST Scanning template +# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/ + +spec: + inputs: + stage: + default: test + excluded_paths: + default: "spec, test, tests, tmp" + excluded_analyzers: + default: "" + image_prefix: + default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" + image_suffix: + default: "" + search_max_depth: + default: 4 + image_tag: + default: 6 + +--- +kics-iac-sast: + stage: $[[ inputs.stage ]] + image: + name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" + variables: + SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] + script: + - /analyzer run + artifacts: + access: 'developer' + reports: + sast: gl-sast-report.json + allow_failure: true + rules: + - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/' + when: never + - if: $CI_COMMIT_BRANCH From 8ce5c87369619aa2d8548234fae1fb71118384dc Mon Sep 17 00:00:00 2001 From: "hyan@gitlab.com" Date: Tue, 3 Jun 2025 10:54:02 +1000 Subject: [PATCH 21/21] Fix --- templates/iac-sast-fix.yml | 38 -------------------------------------- templates/iac-sast.yml | 2 +- 2 files changed, 1 insertion(+), 39 deletions(-) delete mode 100644 templates/iac-sast-fix.yml diff --git a/templates/iac-sast-fix.yml b/templates/iac-sast-fix.yml deleted file mode 100644 index 81ff32c..0000000 --- a/templates/iac-sast-fix.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -# Component created based on GitLab's IAC SAST Scanning template -# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/ - -spec: - inputs: - stage: - default: test - excluded_paths: - default: "spec, test, tests, tmp" - excluded_analyzers: - default: "" - image_prefix: - default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" - image_suffix: - default: "" - search_max_depth: - default: 4 - image_tag: - default: 6 - ---- -kics-iac-sast: - stage: $[[ inputs.stage ]] - image: - name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]" - variables: - SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] - script: - - /analyzer run - artifacts: - access: 'developer' - reports: - sast: gl-sast-report.json - allow_failure: true - rules: - - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/' - when: never - - if: $CI_COMMIT_BRANCH diff --git a/templates/iac-sast.yml b/templates/iac-sast.yml index 3da0295..81ff32c 100644 --- a/templates/iac-sast.yml +++ b/templates/iac-sast.yml @@ -33,6 +33,6 @@ kics-iac-sast: sast: gl-sast-report.json allow_failure: true rules: - - if: $[[ inputs.excluded_analyzers ]] =~ /kics/ + - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/' when: never - if: $CI_COMMIT_BRANCH