Merge branch 'add-clangsa' into 'main'

Draft: Add clangsa analyzer See merge request components/sast!29
Add clangsa analyzer
2025-06-29 23:18:28 +02:00 · 2025-06-17 08:55:07 -04:00 · 2025-06-16 15:10:19 -04:00
1 changed files with 22 additions and 16 deletions
--- a/templates/sast.yml
+++ b/templates/sast.yml
@ -69,14 +69,6 @@ spec:

 .semgrep-with-advanced-sast-exist-rules:
  exists:
-    - '**/*.c'
-    - '**/*.cc'
-    - '**/*.cpp'
-    - '**/*.c++'
-    - '**/*.cp'
-    - '**/*.cxx'
-    - '**/*.h'
-    - '**/*.hpp'
    - '**/*.scala'
    - '**/*.sc'
    - '**/*.php'
@ -96,14 +88,6 @@ spec:
    - '**/*.jsx'
    - '**/*.ts'
    - '**/*.tsx'
-    - '**/*.c'
-    - '**/*.cc'
-    - '**/*.cpp'
-    - '**/*.c++'
-    - '**/*.cp'
-    - '**/*.cxx'
-    - '**/*.h'
-    - '**/*.hpp'
    - '**/*.go'
    - '**/*.java'
    - '**/*.cs'
@ -254,3 +238,25 @@ spotbugs-sast:
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.groovy'
+
+clangsa-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$CI_TEMPLATE_REGISTRY_HOST/gitlab-org/security-products/analyzers/clangsa:0"
+  script: |-
+    # until https://gitlab.com/gitlab-org/gitlab/-/issues/549837, prevent sast_fp_reduction
+    export GITLAB_FEATURES=$(echo "$GITLAB_FEATURES" | sed 's/\bsast_fp_reduction\b//g' | sed 's/,,/,/g' | sed 's/^,//g' | sed 's/,$//g')
+    /analyzer run
+  rules:
+    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /clangsa/'
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      exists:
+        - "**/*.c"
+        - "**/*.cc"
+        - "**/*.cpp"
+        - "**/*.c++"
+        - "**/*.cp"
+        - "**/*.cxx"
+        - "**/*.h"
+        - "**/*.hpp"
Author	SHA1	Message	Date
Jason Leasure	7ca5ca1f13	Merge branch 'add-clangsa' into 'main' Draft: Add clangsa analyzer See merge request components/sast!29	2025-06-17 08:55:07 -04:00
Jason Leasure	4c73c42d91	Add clangsa analyzer	2025-06-16 15:10:19 -04:00