vor/sast
1
0
Fork 0
mirror of https://gitlab.com/components/sast.git synced 2025-06-30 07:28:29 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: vor:8c3e0d154d90cf8a35cb26c967cae0a240b221ba
Branches Tags
vor:main
vor:add-clangsa
vor:remove-inputs-from-readme
vor:514659-enable-gitlab-advanced-sast-by-default
vor:advanced-sast
vor:3.0.0
vor:2.1.0
vor:2.0.2
vor:2.0.1
vor:2.0.0
vor:1.1.2
vor:1.1.1
vor:1.1.0
vor:1.0.1
vor:1.0
vor:0.1
...
compare: vor:ef9a281ea83df6bb443d5da6baf56e3ee27ddde8
Branches Tags
vor:add-clangsa
vor:main
vor:remove-inputs-from-readme
vor:514659-enable-gitlab-advanced-sast-by-default
vor:advanced-sast
vor:3.0.0
vor:2.1.0
vor:2.0.2
vor:2.0.1
vor:2.0.0
vor:1.1.2
vor:1.1.1
vor:1.1.0
vor:1.0.1
vor:1.0
vor:0.1

4 commits
8c3e0d154d ... ef9a281ea8

Author SHA1 Message Date
Julian Thome
ef9a281ea8 Merge branch 'hyan/fix-iac-sast-typo' into 'main' 
Fix a typo in iac-sast.yml

See merge request components/sast!25
 2025-06-02 11:23:50 +02:00
Julian Thome
9c40ccd0f5 Merge branch 'philipcunningham-make-php-support-available-in-glas-523657' into 'main' 
Add PHP language support to gitlab-advanced-sast

See merge request components/sast!21
 2025-06-02 10:52:33 +02:00
Philip Cunningham
11e99e2111 Add PHP language support to gitlab-advanced-sast 2025-06-02 10:52:33 +02:00
Hua Yan
367e3f3989 Fix typo 2025-06-02 10:27:26 +10:00
3 changed files with 96 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -50,8 +50,8 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job |
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) |
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) |
| `ff_glas_enable_php_support` | `"true"` | Set it to `"false"` to disable [PHP support for GLAS](https://gitlab.com/groups/gitlab-org/-/epics/14273) |
## Infrastructure as Code (IaC) Scanning

2
templates/iac-sast.yml
View file

@ -12,7 +12,7 @@ spec:
image_prefix:
default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
image_suffix:
dafault: ""
default: ""
search_max_depth:
default: 4
image_tag:

161
templates/sast.yml
View file

@ -21,6 +21,9 @@ spec:
type: boolean
include_experimental:
default: 'false'
ff_glas_enable_php_support:
default: true
type: boolean
---
.sast-analyzer:
stage: $[[ inputs.stage ]]
@ -48,11 +51,83 @@ spec:
rules:
- when: never
.gitlab-advanced-sast-exist-rules:
exists:
- '**/*.py'
- '**/*.go'
- '**/*.java'
- '**/*.jsp'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.rb'
- '**/*.php'
.semgrep-with-advanced-sast-exist-rules:
exists:
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
.semgrep-exist-rules:
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
gitlab-advanced-sast:
extends: .sast-analyzer
image:
name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
variables:
FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]"
SAST_ANALYZER_IMAGE_TAG: 2
SEARCH_MAX_DEPTH: 20
cache:
@ -68,19 +143,7 @@ gitlab-advanced-sast:
when: never
- if: $CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/
exists:
- '**/*.py'
- '**/*.go'
- '**/*.java'
- '**/*.jsp'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.cs'
- '**/*.rb'
exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
brakeman-sast:
extends: .deprecated-16.8
@ -138,72 +201,34 @@ semgrep-sast:
rules:
- if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
when: never
# In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
# When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"'
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true" &&
"$[[ inputs.ff_glas_enable_php_support ]]" != "true"'
variables:
SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
exists:
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.kt'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
# Fallback when advanced SAST covers everything
- if: '$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
"$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
"$[[ inputs.run_advanced_sast ]]" == "true"'
when: never
# Default case - run for all supported files
- if: $CI_COMMIT_BRANCH
exists:
- '**/*.py'
- '**/*.js'
- '**/*.jsx'
- '**/*.ts'
- '**/*.tsx'
- '**/*.c'
- '**/*.cc'
- '**/*.cpp'
- '**/*.c++'
- '**/*.cp'
- '**/*.cxx'
- '**/*.h'
- '**/*.hpp'
- '**/*.go'
- '**/*.java'
- '**/*.cs'
- '**/*.scala'
- '**/*.sc'
- '**/*.php'
- '**/*.swift'
- '**/*.m'
- '**/*.rb'
- '**/*.kt'
- '**/*.cjs'
- '**/*.mjs'
- '**/*.properties'
- '**/application*.yml'
- '**/bootstrap*.yml'
- '**/application*.yaml'
- '**/bootstrap*.yaml'
exists: !reference [.semgrep-exist-rules, exists]
sobelow-sast:
extends: .sast-analyzer
image: