From 11e99e2111285791a531e5d3665122251babc267 Mon Sep 17 00:00:00 2001
From: Philip Cunningham <pcunningham@gitlab.com>
Date: Mon, 2 Jun 2025 09:52:33 +0100
Subject: [PATCH] Add PHP language support to gitlab-advanced-sast

---
 README.md          |   4 +-
 templates/sast.yml | 161 ++++++++++++++++++++++++++-------------------
 2 files changed, 95 insertions(+), 70 deletions(-)

diff --git a/README.md b/README.md
index c6a0302..ed7a4de 100644
--- a/README.md
+++ b/README.md
@@ -50,8 +50,8 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
 | `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | 
 | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
 | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  |
-| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | 
-| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | 
+| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
+| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) |
 
 ## Infrastructure as Code (IaC) Scanning
 
diff --git a/templates/sast.yml b/templates/sast.yml
index ccb3eec..64e7743 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -21,6 +21,9 @@ spec:
       type: boolean
     include_experimental:
       default: 'false'
+    ff_glas_enable_php_support:
+      default: true
+      type: boolean
 ---
 .sast-analyzer:
   stage: $[[ inputs.stage ]]
@@ -48,11 +51,83 @@ spec:
   rules:
     - when: never
 
+.gitlab-advanced-sast-exist-rules:
+  exists:
+    - '**/*.py'
+    - '**/*.go'
+    - '**/*.java'
+    - '**/*.jsp'
+    - '**/*.js'
+    - '**/*.jsx'
+    - '**/*.ts'
+    - '**/*.tsx'
+    - '**/*.cjs'
+    - '**/*.mjs'
+    - '**/*.cs'
+    - '**/*.rb'
+    - '**/*.php'
+
+.semgrep-with-advanced-sast-exist-rules:
+  exists:
+    - '**/*.c'
+    - '**/*.cc'
+    - '**/*.cpp'
+    - '**/*.c++'
+    - '**/*.cp'
+    - '**/*.cxx'
+    - '**/*.h'
+    - '**/*.hpp'
+    - '**/*.scala'
+    - '**/*.sc'
+    - '**/*.php'
+    - '**/*.swift'
+    - '**/*.m'
+    - '**/*.kt'
+    - '**/*.properties'
+    - '**/application*.yml'
+    - '**/bootstrap*.yml'
+    - '**/application*.yaml'
+    - '**/bootstrap*.yaml'
+
+.semgrep-exist-rules:
+  exists:
+    - '**/*.py'
+    - '**/*.js'
+    - '**/*.jsx'
+    - '**/*.ts'
+    - '**/*.tsx'
+    - '**/*.c'
+    - '**/*.cc'
+    - '**/*.cpp'
+    - '**/*.c++'
+    - '**/*.cp'
+    - '**/*.cxx'
+    - '**/*.h'
+    - '**/*.hpp'
+    - '**/*.go'
+    - '**/*.java'
+    - '**/*.cs'
+    - '**/*.scala'
+    - '**/*.sc'
+    - '**/*.php'
+    - '**/*.swift'
+    - '**/*.m'
+    - '**/*.rb'
+    - '**/*.kt'
+    - '**/*.cjs'
+    - '**/*.mjs'
+    - '**/*.properties'
+    - '**/application*.yml'
+    - '**/bootstrap*.yml'
+    - '**/application*.yaml'
+    - '**/bootstrap*.yaml'
+
 gitlab-advanced-sast:
   extends: .sast-analyzer
   image:
     name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
   variables:
+    FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]"
     SAST_ANALYZER_IMAGE_TAG: 2
     SEARCH_MAX_DEPTH: 20
   cache:
@@ -68,19 +143,7 @@ gitlab-advanced-sast:
       when: never
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bsast_advanced\b/
-      exists:
-        - '**/*.py'
-        - '**/*.go'
-        - '**/*.java'
-        - '**/*.jsp'
-        - '**/*.js'
-        - '**/*.jsx'
-        - '**/*.ts'
-        - '**/*.tsx'
-        - '**/*.cjs'
-        - '**/*.mjs'
-        - '**/*.cs'
-        - '**/*.rb'
+      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
 
 brakeman-sast:
   extends: .deprecated-16.8
@@ -138,72 +201,34 @@ semgrep-sast:
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
       when: never
-    # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
+    # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
     - if: '$CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
           "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
-          "$[[ inputs.run_advanced_sast ]]" == "true"'
+          "$[[ inputs.run_advanced_sast ]]" == "true" &&
+          "$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
+      variables:
+        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
+      exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
+    # When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
+    - if: '$CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
+          "$[[ inputs.run_advanced_sast ]]" == "true" &&
+          "$[[ inputs.ff_glas_enable_php_support ]]" != "true"'
       variables:
         SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
-      exists:
-        - '**/*.c'
-        - '**/*.cc'
-        - '**/*.cpp'
-        - '**/*.c++'
-        - '**/*.cp'
-        - '**/*.cxx'
-        - '**/*.h'
-        - '**/*.hpp'
-        - '**/*.scala'
-        - '**/*.sc'
-        - '**/*.php'
-        - '**/*.swift'
-        - '**/*.m'
-        - '**/*.kt'
-        - '**/*.properties'
-        - '**/application*.yml'
-        - '**/bootstrap*.yml'
-        - '**/application*.yaml'
-        - '**/bootstrap*.yaml'
-    ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
+      exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
+    # Fallback when advanced SAST covers everything
     - if: '$CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
           "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
           "$[[ inputs.run_advanced_sast ]]" == "true"'
       when: never
+    # Default case - run for all supported files
     - if: $CI_COMMIT_BRANCH
-      exists:
-        - '**/*.py'
-        - '**/*.js'
-        - '**/*.jsx'
-        - '**/*.ts'
-        - '**/*.tsx'
-        - '**/*.c'
-        - '**/*.cc'
-        - '**/*.cpp'
-        - '**/*.c++'
-        - '**/*.cp'
-        - '**/*.cxx'
-        - '**/*.h'
-        - '**/*.hpp'
-        - '**/*.go'
-        - '**/*.java'
-        - '**/*.cs'
-        - '**/*.scala'
-        - '**/*.sc'
-        - '**/*.php'
-        - '**/*.swift'
-        - '**/*.m'
-        - '**/*.rb'
-        - '**/*.kt'
-        - '**/*.cjs'
-        - '**/*.mjs'
-        - '**/*.properties'
-        - '**/application*.yml'
-        - '**/bootstrap*.yml'
-        - '**/application*.yaml'
-        - '**/bootstrap*.yaml'
-        
+      exists: !reference [.semgrep-exist-rules, exists]
+
 sobelow-sast:
   extends: .sast-analyzer
   image: