Compare commits


30 commits
2.0.2 ... main

Author SHA1 Message Date
Adam Cohen
3f2b327a85 Merge branch 'hyan/fix-iac-sast' into 'main'
Fix syntax error in iac-sast.yml

See merge request components/sast!26
2025-06-03 11:27:24 +10:00
hyan@gitlab.com
8ce5c87369 Fix 2025-06-03 10:54:02 +10:00
Hua Yan
164e1f07ad Try fix 2025-06-03 10:46:50 +10:00
Julian Thome
ef9a281ea8 Merge branch 'hyan/fix-iac-sast-typo' into 'main'
Fix a typo in iac-sast.yml

See merge request components/sast!25
2025-06-02 11:23:50 +02:00
Julian Thome
9c40ccd0f5 Merge branch 'philipcunningham-make-php-support-available-in-glas-523657' into 'main'
Add PHP language support to gitlab-advanced-sast

See merge request components/sast!21
2025-06-02 10:52:33 +02:00
Philip Cunningham
11e99e2111 Add PHP language support to gitlab-advanced-sast 2025-06-02 10:52:33 +02:00
Hua Yan
367e3f3989 Fix typo 2025-06-02 10:27:26 +10:00
Adam Cohen
8c3e0d154d Merge branch 'iac-kics-sast' into 'main'
Added KICS IaC Scanner

See merge request components/sast!23
2025-05-28 22:44:48 +10:00
Rob Jackson
ab29b14503 Added KICS IaC Scanner 2025-05-28 22:44:47 +10:00
Hua Yan
5758da0696 Merge branch 'hyan/glas-multicore' into 'main'
Support profiling via cache for GLAS multicore workload balancing

See merge request components/sast!22
2025-04-29 17:28:17 +10:00
Thiago Figueiró
7f7984b96d Merge branch 'hyan/sast-18.0' into 'main'
Bump SAST analyser major version for 18.0

See merge request components/sast!24
2025-04-28 13:49:41 +10:00
hyan@gitlab.com
70e2583135 Bump analyser versions for 18.0 2025-04-28 13:30:50 +10:00
Hua Yan
8c5526b0f4 Set path as "scan_metrics.csv" 2025-04-23 13:01:09 +10:00
hyan@gitlab.com
4ea446f709 Improve cache 2025-04-08 10:57:15 +10:00
hyan@gitlab.com
c6ea9d4f34 Test GLAS multicore 2025-04-04 11:29:31 +11:00
hyan@gitlab.com
446d4146f5 Test GLAS multicore 2025-04-04 10:51:29 +11:00
Julian Thome
6666b112b4 Merge branch 'julianthome/exists-patterns' into 'main'
Refine exists patterns in components template

See merge request components/sast!20
2025-03-17 15:06:27 +01:00
Julian Thome
2919a04298 Refine exists patterns in components template 2025-03-17 15:06:27 +01:00
Julian Thome
373f004f45 Merge branch 'julianthome/add-new-extensions' into 'main'
Add newly supported file extensions yml, .properties

See merge request components/sast!19
2025-03-11 09:51:42 +01:00
Julian Thome
ca92338af7 Add newly supported file extensions yml, .properties 2025-03-04 11:03:24 +00:00
Dov Hershkovitch
b3beb90502 Merge branch 'add-license-file' into 'main'
Add LICENSE file

See merge request components/sast!16
2025-01-27 10:16:35 +00:00
Ahmed Hemdan
ca69838c0f Add LICENSE 2025-01-27 10:26:44 +01:00
Meir Benayoun
886b6b67bf Merge branch 'advanced-sast' into 'main'
Add support for advanced sast

Closes #4

See merge request components/sast!15
2024-10-01 20:24:04 +00:00
Duncan Macleod
6cf357976e Add support for advanced sast 2024-10-01 20:24:04 +00:00
Craig Smith
e51eb34e0f Merge branch 'add_additional_semgrep_types' into 'main'
Update sast.yml to match Jobs/SAST.gitlab-ci.yml exists

See merge request components/sast!14
2024-07-30 00:43:23 +00:00
Isaac Dawson
d2b153a0ea Update sast.yml to match Jobs/SAST.gitlab-ci.yml exists 2024-07-29 03:54:31 +00:00
Craig Smith
60f39f4ed4 Merge branch 'tkopel/update-report-access' into 'main'
Restricting access to reports

See merge request components/sast!13
2024-07-28 22:02:35 +00:00
Tal Kopel
15ceb61e98 Restricting access to reports 2024-07-28 10:58:34 +00:00
Tal Kopel
ff24d9f354 Merge branch 'tkopel/add-cjs-mjs-to-ci-component' into 'main'
Adds .cjs & .mjs matching support

See merge request components/sast!12
2024-07-16 16:03:45 +00:00
Tal Kopel
ab9a7d6861 Update file sast.yml 2024-07-16 10:18:20 +00:00
4 changed files with 238 additions and 37 deletions

LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2023 GitLab Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
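Review bot: the copyright line reads `Copyright (c) 2023 GitLab Inc.` while the file is introduced by a commit dated 2025-01-27 (`ca69838c0f Add LICENSE`); confirm 2023 is the intended first-publication year, otherwise update it to match when the component was actually published.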


@ -1,11 +1,17 @@
# SAST (Static Application Security Testing)
Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/ This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code scanning.
Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). [[_TOC_]]
List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables
## Usage ## Static Application Security Testing (SAST)
### Documentation References
Configuration for SAST can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/).
More information about GitLab SAST is available within [GitLab documentation](https://docs.gitlab.com/ee/user/application_security/sast/), along with the [available variables](https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
### Usage
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword. keyword.
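Review bot: the new documentation links mix two URL conventions: the SAST pages are linked with the legacy `https://docs.gitlab.com/ee/user/...` prefix while the Inputs link is `https://docs.gitlab.com/ci/inputs/` without `/ee/`; pick one form so the README stays consistent if the old `/ee/` paths are redirected. The added `[[_TOC_]]` macro is also placed on the same line as the CI/CD variables sentence; putting it on its own line makes the rendered table of contents appear where intended.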
@ -35,16 +41,48 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
### Inputs ### Inputs
| Input | Default value | Description | | Input | Default value | Description |
| ----- | ------------- | ----------- | | ----- | ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added | | `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_tag` | `4` | Tag of the Docker image to use | | `image_tag` | `4` | Tag of the Docker image to use |
| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | | `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer |
| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | | `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | | `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) |
## Infrastructure as Code (IaC) Scanning
### Documentation References
Configuration for IaC scanning can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/).
More information about GitLab Infrastructure as Code scanning is available within [GitLab documentation](https://docs.gitlab.com/user/application_security/iac_scanning/).
### Usage
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword.
```yaml
include:
- component: gitlab.com/components/sast/iac-sast@<VERSION>
```
where `<VERSION>` is the latest released tag or `main`.
### Inputs
| Input | Default value | Description |
| ----- | ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_tag` | `6` | Tag of the Docker image to use |
| `image_suffix` | `""` | Suffix added to image. |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
## Contribute ## Contribute
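Review bot: the IaC Inputs table omits `excluded_analyzers`, yet `templates/iac-sast.yml` declares that input (default `""`) and the `kics-iac-sast` rule checks `"$[[ inputs.excluded_analyzers ]]" =~ /kics/`; add a row such as `| excluded_analyzers | "" | Comma separated list of analyzers that should not run |` so users know the job can be disabled this way. Also, the `run_advanced_sast` row shows an unquoted `false` while `ff_glas_enable_php_support` shows `"true"` and the older boolean-like inputs show `"false"`; document the two typed boolean inputs the same way.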

templates/iac-sast.yml Normal file

@ -0,0 +1,38 @@
# Component created based on GitLab's IAC SAST Scanning template
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
spec:
inputs:
stage:
default: test
excluded_paths:
default: "spec, test, tests, tmp"
excluded_analyzers:
default: ""
image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_suffix:
default: ""
search_max_depth:
default: 4
image_tag:
default: 6
---
kics-iac-sast:
stage: $[[ inputs.stage ]]
image:
name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
variables:
SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
script:
- /analyzer run
artifacts:
access: 'developer'
reports:
sast: gl-sast-report.json
allow_failure: true
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/'
when: never
- if: $CI_COMMIT_BRANCH
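Review bot: the `excluded_paths` input is declared in `spec:` (default `"spec, test, tests, tmp"`) and documented in the README, but the `kics-iac-sast` job never reads it, so excluding paths has no effect for IaC scanning; add `SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]` under `variables:`, as `.sast-analyzer` does in `templates/sast.yml`. Two smaller points: `search_max_depth` (`4`) and `image_tag` (`6`) are unquoted here but quoted (`'4'`, `'6'`) in `sast.yml`, and the final `- if: $CI_COMMIT_BRANCH` rule has no `exists:`, so the job is scheduled on every branch pipeline whatever the repository contains; if that is deliberate because IaC file types are hard to enumerate, a comment saying so would save the next reader the question.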


@ -5,7 +5,7 @@ spec:
image_prefix: image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products" default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_tag: image_tag:
default: '5' default: '6'
image_suffix: image_suffix:
default: "" default: ""
excluded_analyzers: excluded_analyzers:
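Review bot: `image_tag` now defaults to `'6'`, but the README Inputs table for the SAST component still lists the default as `4`; update the table in the same change so the documented default matches the template (the commit message says this is the major version bump for 18.0, so the stale `4` will be misleading to anyone pinning images).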
@ -16,8 +16,14 @@ spec:
default: '4' default: '4'
run_kubesec_sast: run_kubesec_sast:
default: 'false' default: 'false'
run_advanced_sast:
default: false
type: boolean
include_experimental: include_experimental:
default: 'false' default: 'false'
ff_glas_enable_php_support:
default: true
type: boolean
--- ---
.sast-analyzer: .sast-analyzer:
stage: $[[ inputs.stage ]] stage: $[[ inputs.stage ]]
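Review bot: the two new inputs are declared `type: boolean` while the neighbouring `run_kubesec_sast` and `include_experimental` stay quoted strings (`'false'`); the downstream rules compare the interpolated value as a string (`"$[[ inputs.run_advanced_sast ]]" == "true"`), which works for both styles, but a short comment here stating that the comparison is string-based would help a future maintainer who converts the remaining inputs. Note also that `ff_glas_enable_php_support` defaults to `true`, so PHP scanning by gitlab-advanced-sast is on for every consumer unless they opt out; that is worth a line in the README beyond the table row.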
@ -27,10 +33,12 @@ spec:
# E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead. # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
variables: variables:
SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]] SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]] DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
script: script:
- /analyzer run - /analyzer run
artifacts: artifacts:
access: 'developer'
reports: reports:
sast: gl-sast-report.json sast: gl-sast-report.json
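Review bot: the `DEFAULT_SAST_EXCLUDED_PATHS` / `SAST_EXCLUDED_PATHS` indirection has no comment explaining it, while the comment block just above only discusses `SEARCH_MAX_DEPTH`; add a line such as `# DEFAULT_SAST_EXCLUDED_PATHS lets per-analyzer rules append to the default list (see semgrep-sast)`, since the reason is only visible in a hunk far below. The new `access: 'developer'` on `artifacts:` is a good hardening step (raw findings are no longer downloadable by everyone who can see the pipeline); a one-line comment noting that it limits report download to Developer role and above would make the intent explicit.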
@ -43,6 +51,99 @@ spec:
rules: rules:
- when: never - when: never
.gitlab-advanced-sast-exist-rules:
exists:
- '**/*.py'
- '**/*.go'
- '**/*.java'
- '**/*.jsp'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.rb'
- '**/*.php'
.semgrep-with-advanced-sast-exist-rules:
exists:
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
.semgrep-exist-rules:
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
gitlab-advanced-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
variables:
FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]"
SAST_ANALYZER_IMAGE_TAG: 2
SEARCH_MAX_DEPTH: 20
cache:
key: "scan-metrics-$CI_COMMIT_REF_SLUG"
fallback_keys:
- "scan-metrics-$CI_DEFAULT_BRANCH"
paths:
- "scan_metrics.csv"
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
when: never
- if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/
exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
brakeman-sast: brakeman-sast:
extends: .deprecated-16.8 extends: .deprecated-16.8
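Review bot: `gitlab-advanced-sast` hard-codes `SEARCH_MAX_DEPTH: 20`, which overrides the `$[[ inputs.search_max_depth ]]` value set in `.sast-analyzer`; that is exactly the pattern the comment in `.sast-analyzer` ("SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.") asks to avoid, so either drop the override or document why this analyzer needs a deeper search than the input allows. Two further points on the exists anchors: `.gitlab-advanced-sast-exist-rules` lists `'**/*.php'` unconditionally, so a PHP-only repository starts the advanced SAST job even when `ff_glas_enable_php_support` is false, and `.semgrep-with-advanced-sast-exist-rules` also lists `'**/*.php'`, so in the PHP-enabled branch of `semgrep-sast` a PHP-only repository starts a semgrep job whose `SAST_EXCLUDED_PATHS` then excludes every file it matched. Finally, `SAST_ANALYZER_IMAGE_TAG: 2` is pinned independently of `inputs.image_tag`; a comment stating that this analyzer is versioned separately would prevent someone "fixing" it.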
@ -100,30 +201,33 @@ semgrep-sast:
rules: rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never when: never
# When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" != "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# Fallback when advanced SAST covers everything
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"'
when: never
# Default case - run for all supported files
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists: !reference [.semgrep-exist-rules, exists]
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.go'
- '**/*.java'
- '**/*.html'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
sobelow-sast: sobelow-sast:
extends: .sast-analyzer extends: .sast-analyzer
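Review bot: the removed inline list contained `'**/*.html'`, but the replacement `.semgrep-exist-rules` anchor does not, so repositories whose only matching files are HTML no longer trigger `semgrep-sast`; if this is intentional (the commit message says the list should match `Jobs/SAST.gitlab-ci.yml`), say so in the commit or a comment, otherwise add the extension back. The three advanced-SAST rules repeat the same four-condition prefix and the two `SAST_EXCLUDED_PATHS` overrides differ only by the trailing `**/*.php`; a comment pointing out that the lists must stay in step with `.gitlab-advanced-sast-exist-rules` would reduce the chance of the two drifting apart when a language is added to one but not the other.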