From 446d4146f594e3a4373e66b82bbd55cfc76f4ca6 Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com" <hyan@gitlab.com>
Date: Thu, 27 Mar 2025 16:51:36 +1100
Subject: [PATCH 1/8] Test GLAS multicore

---
 templates/sast.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/templates/sast.yml b/templates/sast.yml
index 6dad115..b8c33fe 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -55,6 +55,20 @@ gitlab-advanced-sast:
   variables:
     SAST_ANALYZER_IMAGE_TAG: 1
     SEARCH_MAX_DEPTH: 20
+    SCAN_METRICS_FILE: scan_metrics.csv
+  cache:
+    key: "$CI_COMMIT_REF_SLUG-scan-metrics"
+    paths:
+      - "$SCAN_METRICS_FILE"
+    policy: pull-push
+  artifacts:
+    access: 'developer'
+    reports:
+      sast: gl-sast-report.json
+    paths:
+      - "$SCAN_METRICS_FILE"
+    when: always
+    expire_in: 7 days
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
       when: never

From c6ea9d4f34116c8f2b4f4efc58dd3846ea1d20f1 Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com" <hyan@gitlab.com>
Date: Fri, 4 Apr 2025 11:29:31 +1100
Subject: [PATCH 2/8] Test GLAS multicore

---
 templates/sast.yml | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/templates/sast.yml b/templates/sast.yml
index b8c33fe..cafc8f1 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -60,15 +60,6 @@ gitlab-advanced-sast:
     key: "$CI_COMMIT_REF_SLUG-scan-metrics"
     paths:
       - "$SCAN_METRICS_FILE"
-    policy: pull-push
-  artifacts:
-    access: 'developer'
-    reports:
-      sast: gl-sast-report.json
-    paths:
-      - "$SCAN_METRICS_FILE"
-    when: always
-    expire_in: 7 days
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
       when: never

From 4ea446f709bbe776fef6fdb8d7d8b5b4356bfe48 Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com" <hyan@gitlab.com>
Date: Tue, 8 Apr 2025 10:57:15 +1000
Subject: [PATCH 3/8] Improve cache

---
 templates/sast.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/templates/sast.yml b/templates/sast.yml
index cafc8f1..0d0145d 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -57,7 +57,9 @@ gitlab-advanced-sast:
     SEARCH_MAX_DEPTH: 20
     SCAN_METRICS_FILE: scan_metrics.csv
   cache:
-    key: "$CI_COMMIT_REF_SLUG-scan-metrics"
+    key: "scan-metrics-$CI_COMMIT_REF_SLUG"
+    fallback_keys:
+      - "scan-metrics-$CI_DEFAULT_BRANCH"
     paths:
       - "$SCAN_METRICS_FILE"
   rules:

From 8c5526b0f42c4f5f709c80360b7d3b65e9c9c975 Mon Sep 17 00:00:00 2001
From: Hua Yan <hyan@gitlab.com>
Date: Wed, 23 Apr 2025 13:01:09 +1000
Subject: [PATCH 4/8] Set path as "scan_metrics.csv"

---
 templates/sast.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/templates/sast.yml b/templates/sast.yml
index 0d0145d..d16055d 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -55,13 +55,12 @@ gitlab-advanced-sast:
   variables:
     SAST_ANALYZER_IMAGE_TAG: 1
     SEARCH_MAX_DEPTH: 20
-    SCAN_METRICS_FILE: scan_metrics.csv
   cache:
     key: "scan-metrics-$CI_COMMIT_REF_SLUG"
     fallback_keys:
       - "scan-metrics-$CI_DEFAULT_BRANCH"
     paths:
-      - "$SCAN_METRICS_FILE"
+      - "scan_metrics.csv"
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
       when: never

From 70e258313531c24ed6edbac44f9adfc5caae9450 Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com" <hyan@gitlab.com>
Date: Mon, 28 Apr 2025 13:30:50 +1000
Subject: [PATCH 5/8] Bump analyser versions for 18.0

---
 templates/sast.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/sast.yml b/templates/sast.yml
index 6dad115..028d190 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -5,7 +5,7 @@ spec:
     image_prefix:
       default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
     image_tag:
-      default: '5'
+      default: '6'
     image_suffix:
       default: ""
     excluded_analyzers:
@@ -53,7 +53,7 @@ gitlab-advanced-sast:
   image:
     name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
   variables:
-    SAST_ANALYZER_IMAGE_TAG: 1
+    SAST_ANALYZER_IMAGE_TAG: 2
     SEARCH_MAX_DEPTH: 20
   rules:
     - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'

From 2a492122e246b890b4ec07988800a55acffc4055 Mon Sep 17 00:00:00 2001
From: Rob Jackson <rjackson@gitlab.com>
Date: Tue, 20 May 2025 22:03:35 -0400
Subject: [PATCH 6/8] Apply 1 suggestion(s) to 1 file(s)

Co-authored-by: Adam Cohen <acohen@gitlab.com>
---
 templates/iac-kics-sast.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml
index 3835b33..a07a2a8 100644
--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@@ -9,7 +9,7 @@ spec:
             default: "spec, test, tests, tmp"
         excluded_analyzers:
             default: ""
-        analyzer_image:
+        image_prefix:
             default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
         search_max_depth:
             default: 4

From cf87e0da3836769907be5418e450652f382849a7 Mon Sep 17 00:00:00 2001
From: Rob Jackson <rjackson@gitlab.com>
Date: Tue, 20 May 2025 22:04:22 -0400
Subject: [PATCH 7/8] Apply 1 suggestion(s) to 1 file(s)

Co-authored-by: Adam Cohen <acohen@gitlab.com>
---
 templates/iac-kics-sast.yml | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml
index a07a2a8..45302c6 100644
--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@@ -17,26 +17,19 @@ spec:
             default: 6
 
 ---
-iac-sast:
+kics-iac-sast:
   stage: $[[ inputs.stage ]]
+  image:
+    name: "$[[ inputs.image_prefix ]]/kics:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
+  variables:
+    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
+  script:
+    - /analyzer run
   artifacts:
     access: 'developer'
     reports:
       sast: gl-sast-report.json
-  rules:
-    - when: never
-  # `rules` must be overridden explicitly by each child job
-  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
-  variables:
-    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
   allow_failure: true
-  script:
-    - /analyzer run
-
-kics-iac-sast:
-  extends: iac-sast
-  image:
-    name: "$[[ inputs.analyzer_image ]]/kics:$[[ inputs.image_tag ]]"
   rules:
     - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
       when: never

From 40ec68512df97291991e97e5dcf304accb78387f Mon Sep 17 00:00:00 2001
From: Rob Jackson <rjackson@gitlab.com>
Date: Tue, 20 May 2025 22:10:19 -0400
Subject: [PATCH 8/8] adding image suffix to keep inputs whole

---
 templates/iac-kics-sast.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/templates/iac-kics-sast.yml b/templates/iac-kics-sast.yml
index 45302c6..ff6e530 100644
--- a/templates/iac-kics-sast.yml
+++ b/templates/iac-kics-sast.yml
@@ -11,6 +11,8 @@ spec:
             default: ""
         image_prefix:
             default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
+        image_suffix:
+            dafault: ""
         search_max_depth:
             default: 4
         image_tag: