Compare commits


14 commits
3.0.0 ... main

Author SHA1 Message Date
Adam Cohen
3f2b327a85 Merge branch 'hyan/fix-iac-sast' into 'main'
Fix syntax error in iac-sast.yml

See merge request components/sast!26
2025-06-03 11:27:24 +10:00
hyan@gitlab.com
8ce5c87369 Fix 2025-06-03 10:54:02 +10:00
Hua Yan
164e1f07ad Try fix 2025-06-03 10:46:50 +10:00
Julian Thome
ef9a281ea8 Merge branch 'hyan/fix-iac-sast-typo' into 'main'
Fix a typo in iac-sast.yml

See merge request components/sast!25
2025-06-02 11:23:50 +02:00
Julian Thome
9c40ccd0f5 Merge branch 'philipcunningham-make-php-support-available-in-glas-523657' into 'main'
Add PHP language support to gitlab-advanced-sast

See merge request components/sast!21
2025-06-02 10:52:33 +02:00
Philip Cunningham
11e99e2111 Add PHP language support to gitlab-advanced-sast 2025-06-02 10:52:33 +02:00
Hua Yan
367e3f3989 Fix typo 2025-06-02 10:27:26 +10:00
Adam Cohen
8c3e0d154d Merge branch 'iac-kics-sast' into 'main'
Added KICS IaC Scanner

See merge request components/sast!23
2025-05-28 22:44:48 +10:00
Rob Jackson
ab29b14503 Added KICS IaC Scanner 2025-05-28 22:44:47 +10:00
Hua Yan
5758da0696 Merge branch 'hyan/glas-multicore' into 'main'
Support profiling via cache for GLAS multicore workload balancing

See merge request components/sast!22
2025-04-29 17:28:17 +10:00
Hua Yan
8c5526b0f4 Set path as "scan_metrics.csv" 2025-04-23 13:01:09 +10:00
hyan@gitlab.com
4ea446f709 Improve cache 2025-04-08 10:57:15 +10:00
hyan@gitlab.com
c6ea9d4f34 Test GLAS multicore 2025-04-04 11:29:31 +11:00
hyan@gitlab.com
446d4146f5 Test GLAS multicore 2025-04-04 10:51:29 +11:00
3 changed files with 187 additions and 81 deletions

View file

@ -1,11 +1,17 @@
# SAST (Static Application Security Testing)
Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/sast/ This project provides components for the use of Static Application Security Testing as well as Infrastructure as Code scanning.
Configure SAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html). [[_TOC_]]
List of available variables: https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables
## Usage ## Static Application Security Testing (SAST)
### Documentation References
Configuration for SAST can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/).
More information about GitLab SAST is available within [GitLab documentation](https://docs.gitlab.com/ee/user/application_security/sast/), along with the [available variables](https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).
### Usage
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:` You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword. keyword.
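Review bot: the new "Documentation References" paragraph links Inputs at `https://docs.gitlab.com/ci/inputs/`, while every other link in this README (the CI/CD variables page, the SAST page, the available-variables anchor) uses the `https://docs.gitlab.com/ee/...` base. Pick one base for the whole file so the links do not age differently; the same mixed form is repeated in the IaC section added further down.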
@ -35,17 +41,48 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
### Inputs ### Inputs
| Input | Default value | Description | | Input | Default value | Description |
| ----- | ------------- | ----------- | | ----- | ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added | | `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | | `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_tag` | `4` | Tag of the Docker image to use | | `image_tag` | `4` | Tag of the Docker image to use |
| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | | `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer |
| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | | `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) ] | `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | | `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) |
## Infrastructure as Code (IaC) Scanning
### Documentation References
Configuration for IaC scanning can be performed through [CI/CD Variables](https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of [Inputs](https://docs.gitlab.com/ci/inputs/).
More information about GitLab Infrastructure as Code scanning is available within [GitLab documentation](https://docs.gitlab.com/user/application_security/iac_scanning/).
### Usage
You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword.
```yaml
include:
- component: gitlab.com/components/sast/iac-sast@<VERSION>
```
where `<VERSION>` is the latest released tag or `main`.
### Inputs
| Input | Default value | Description |
| ----- | ------------- | ----------- |
| `stage` | `test` | The stage where you want the job to be added |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from |
| `image_tag` | `6` | Tag of the Docker image to use |
| `image_suffix` | `""` | Suffix added to image. |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
## Contribute ## Contribute
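Review bot: the IaC "Inputs" table is missing `excluded_analyzers`, even though `templates/iac-sast.yml` declares it in `spec.inputs` and the `kics-iac-sast` rules match on it (`=~ /kics/`); add a row so users know how to switch the scanner off. Also, the `search_max_depth` description was copied from the SAST table ("search for programming languages"), which does not describe what a KICS IaC scan is looking for; reword it for configuration files, and the `image_suffix` row should say what suffixes are valid for the `kics` image rather than just "Suffix added to image."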

38
templates/iac-sast.yml Normal file
View file

@ -0,0 +1,38 @@
# Component created based on GitLab's IAC SAST Scanning template
# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/iac_scanning/
spec:
inputs:
stage:
default: test
excluded_paths:
default: "spec, test, tests, tmp"
excluded_analyzers:
default: ""
image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_suffix:
default: ""
search_max_depth:
default: 4
image_tag:
default: 6
---
kics-iac-sast:
stage: $[[ inputs.stage ]]
image:
name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
variables:
SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
script:
- /analyzer run
artifacts:
access: 'developer'
reports:
sast: gl-sast-report.json
allow_failure: true
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /kics/'
when: never
- if: $CI_COMMIT_BRANCH
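Review bot: `excluded_paths` is declared in `spec.inputs` (default `"spec, test, tests, tmp"`) but never referenced by `kics-iac-sast`; the job's `variables:` only sets `SEARCH_MAX_DEPTH`, so the input is dead and the README row for it is misleading. Either wire it in, for example `SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]`, or drop the input and its README row. Separately, the last rule `- if: $CI_COMMIT_BRANCH` has no `exists:`, so the job is created on every branch pipeline whether or not any IaC files are present; if that is intentional (letting the analyzer decide), say so in a comment next to the rule.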

View file

@ -21,6 +21,9 @@ spec:
type: boolean type: boolean
include_experimental: include_experimental:
default: 'false' default: 'false'
ff_glas_enable_php_support:
default: true
type: boolean
--- ---
.sast-analyzer: .sast-analyzer:
stage: $[[ inputs.stage ]] stage: $[[ inputs.stage ]]
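Review bot: `ff_glas_enable_php_support` is declared `type: boolean` with `default: true`, but the README row added in this merge documents the default as `"true"` and tells users to set it to `"false"`; a quoted string will not pass boolean input validation. Show unquoted `true`/`false` in the README, and note that the neighbouring `include_experimental` input keeps an untyped quoted `'false'` default, so the two inputs are configured differently by users; consider typing it the same way or documenting the difference.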
@ -48,13 +51,91 @@ spec:
rules: rules:
- when: never - when: never
.gitlab-advanced-sast-exist-rules:
exists:
- '**/*.py'
- '**/*.go'
- '**/*.java'
- '**/*.jsp'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.rb'
- '**/*.php'
.semgrep-with-advanced-sast-exist-rules:
exists:
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
.semgrep-exist-rules:
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
gitlab-advanced-sast: gitlab-advanced-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]" name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
variables: variables:
FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]"
SAST_ANALYZER_IMAGE_TAG: 2 SAST_ANALYZER_IMAGE_TAG: 2
SEARCH_MAX_DEPTH: 20 SEARCH_MAX_DEPTH: 20
cache:
key: "scan-metrics-$CI_COMMIT_REF_SLUG"
fallback_keys:
- "scan-metrics-$CI_DEFAULT_BRANCH"
paths:
- "scan_metrics.csv"
rules: rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
when: never when: never
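Review bot: the new `cache:` block on `gitlab-advanced-sast` has no comment explaining what `scan_metrics.csv` is or why it is safe to share; the commit message ("profiling via cache for GLAS multicore workload balancing") is the only place that says so. Add a comment stating that the file only influences work scheduling and that a stale or absent file must not change findings, and spell out the trust model the key scheme implies: non-default branches read the default branch's metrics through `fallback_keys` but write only to their own `scan-metrics-$CI_COMMIT_REF_SLUG` key, so a feature branch cannot poison the data used on the default branch.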
@ -62,19 +143,7 @@ gitlab-advanced-sast:
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ $GITLAB_FEATURES =~ /\bsast_advanced\b/
exists: exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
- '**/*.py'
- '**/*.go'
- '**/*.java'
- '**/*.jsp'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.rb'
brakeman-sast: brakeman-sast:
extends: .deprecated-16.8 extends: .deprecated-16.8
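Review bot: the `exists:` now comes from `.gitlab-advanced-sast-exist-rules`, which contains `**/*.php` unconditionally, but the rule itself does not check `ff_glas_enable_php_support`; on a repository whose only supported sources are PHP files, the job still starts when the flag is `false` and then has nothing to scan, while `semgrep-sast` covers the PHP separately. Either add `&& "$[[ inputs.ff_glas_enable_php_support ]]" == "true"` to a PHP-specific rule, or keep `**/*.php` out of the shared anchor and add it only in the flag-enabled branch.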
@ -132,72 +201,34 @@ semgrep-sast:
rules: rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/' - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never when: never
# In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH && - if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ && $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"' "$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" != "true"'
variables: variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb" SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
exists: exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
- '**/*.c' # Fallback when advanced SAST covers everything
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
- if: '$CI_COMMIT_BRANCH && - if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ && $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ && "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"' "$[[ inputs.run_advanced_sast ]]" == "true"'
when: never when: never
# Default case - run for all supported files
- if: $CI_COMMIT_BRANCH - if: $CI_COMMIT_BRANCH
exists: exists: !reference [.semgrep-exist-rules, exists]
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
sobelow-sast: sobelow-sast:
extends: .sast-analyzer extends: .sast-analyzer
image: image:
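Review bot: in the PHP-enabled rule, `SAST_EXCLUDED_PATHS` now adds `**/*.php`, but the `exists:` still references `.semgrep-with-advanced-sast-exist-rules`, which includes `**/*.php`; a repository containing only PHP (plus none of the other listed extensions) therefore spawns a `semgrep-sast` job whose every file is excluded. The PHP-disabled rule below it correctly keeps `**/*.php` in `exists:` because semgrep should scan PHP there, so the two rules need different anchors: give the flag-enabled branch an anchor without `**/*.php` rather than reusing the same list. The "Fallback when advanced SAST covers everything" `when: never` rule that follows also needs the comment to say it only triggers when neither `exists:` list matched, which is what makes the ordering matter.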