From 446d4146f594e3a4373e66b82bbd55cfc76f4ca6 Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com"
Date: Thu, 27 Mar 2025 16:51:36 +1100
Subject: [PATCH 1/8] Test GLAS multicore
---
 templates/sast.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/templates/sast.yml b/templates/sast.yml
index 6dad115..b8c33fe 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -55,6 +55,20 @@ gitlab-advanced-sast:
 variables:
 SAST_ANALYZER_IMAGE_TAG: 1
 SEARCH_MAX_DEPTH: 20
+ SCAN_METRICS_FILE: scan_metrics.csv
+ cache:
+ key: "$CI_COMMIT_REF_SLUG-scan-metrics"
+ paths:
+ - "$SCAN_METRICS_FILE"
+ policy: pull-push
+ artifacts:
+ access: 'developer'
+ reports:
+ sast: gl-sast-report.json
+ paths:
+ - "$SCAN_METRICS_FILE"
+ when: always
+ expire_in: 7 days
 rules:
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
 when: never
From c6ea9d4f34116c8f2b4f4efc58dd3846ea1d20f1 Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com"
Date: Fri, 4 Apr 2025 11:29:31 +1100
Subject: [PATCH 2/8] Test GLAS multicore
---
 templates/sast.yml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/templates/sast.yml b/templates/sast.yml
index b8c33fe..cafc8f1 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -60,15 +60,6 @@ gitlab-advanced-sast:
 key: "$CI_COMMIT_REF_SLUG-scan-metrics"
 paths:
 - "$SCAN_METRICS_FILE"
- policy: pull-push
- artifacts:
- access: 'developer'
- reports:
- sast: gl-sast-report.json
- paths:
- - "$SCAN_METRICS_FILE"
- when: always
- expire_in: 7 days
 rules:
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
 when: never
From 4ea446f709bbe776fef6fdb8d7d8b5b4356bfe48 Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com"
Date: Tue, 8 Apr 2025 10:57:15 +1000
Subject: [PATCH 3/8] Improve cache
---
 templates/sast.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/templates/sast.yml b/templates/sast.yml
index cafc8f1..0d0145d 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -57,7 +57,9 @@ gitlab-advanced-sast:
 SEARCH_MAX_DEPTH: 20
 SCAN_METRICS_FILE: scan_metrics.csv
 cache:
- key: "$CI_COMMIT_REF_SLUG-scan-metrics"
+ key: "scan-metrics-$CI_COMMIT_REF_SLUG"
+ fallback_keys:
+ - "scan-metrics-$CI_DEFAULT_BRANCH"
 paths:
 - "$SCAN_METRICS_FILE"
 rules:
From 8c5526b0f42c4f5f709c80360b7d3b65e9c9c975 Mon Sep 17 00:00:00 2001
From: Hua Yan
Date: Wed, 23 Apr 2025 13:01:09 +1000
Subject: [PATCH 4/8] Set path as "scan_metrics.csv"
---
 templates/sast.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/templates/sast.yml b/templates/sast.yml
index 0d0145d..d16055d 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -55,13 +55,12 @@ gitlab-advanced-sast:
 variables:
 SAST_ANALYZER_IMAGE_TAG: 1
 SEARCH_MAX_DEPTH: 20
- SCAN_METRICS_FILE: scan_metrics.csv
 cache:
 key: "scan-metrics-$CI_COMMIT_REF_SLUG"
 fallback_keys:
 - "scan-metrics-$CI_DEFAULT_BRANCH"
 paths:
- - "$SCAN_METRICS_FILE"
+ - "scan_metrics.csv"
 rules:
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
 when: never
From 70e258313531c24ed6edbac44f9adfc5caae9450 Mon Sep 17 00:00:00 2001
From: "hyan@gitlab.com"
Date: Mon, 28 Apr 2025 13:30:50 +1000
Subject: [PATCH 5/8] Bump analyser versions for 18.0
---
 templates/sast.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/sast.yml b/templates/sast.yml
index 6dad115..028d190 100644
--- a/templates/sast.yml
+++ b/templates/sast.yml
@@ -5,7 +5,7 @@ spec:
 image_prefix:
 default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
 image_tag:
- default: '5'
+ default: '6'
 image_suffix:
 default: ""
 excluded_analyzers:
@@ -53,7 +53,7 @@ gitlab-advanced-sast:
 image:
 name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
 variables:
- SAST_ANALYZER_IMAGE_TAG: 1
+ SAST_ANALYZER_IMAGE_TAG: 2
 SEARCH_MAX_DEPTH: 20
 rules:
 - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
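Review bot: The new `fallback_keys` entry makes every branch's job restore `$SCAN_METRICS_FILE` from a cache entry it did not produce, and GitLab cache contents are not integrity-checked and, as far as I recall, cache keys are project-wide rather than per-job, so any job in the project writing `scan-metrics-$CI_DEFAULT_BRANCH` can replace the file the analyzer reads. The analyzer consuming the CSV should therefore treat it as untrusted input (tolerate an absent, truncated or malformed file rather than fail or misbehave), and that expectation is worth recording above `cache:`, e.g. `# scan_metrics.csv comes from a shared, unverified CI cache; the analyzer must cope with it being absent or malformed`. Whether an unprotected feature branch can actually hit a cache written by a protected default branch depends on the project's protected-branch cache separation setting, so the fallback may silently never fire in the common case; worth confirming before relying on it. Writes still go to the branch's own `key`, so feature-branch runs do not overwrite the default-branch entry, which is the right direction. The `gitlab-advanced-sast` job this hunk edits starts and ends outside the hunk.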
From fc17b60e0ec5023a7a6e062fc422e2ee729bd5fa Mon Sep 17 00:00:00 2001
From: Rob Jackson
Date: Mon, 26 May 2025 12:50:52 -0400
Subject: [PATCH 6/8] fixing checkboxes in table
---
 README.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 994a4ef..34dd66a 100644
--- a/README.md
+++ b/README.md
@@ -39,16 +39,16 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
 | Input | Default value | Description | SAST | IaC |
 | ----- | ------------- | ----------- | ---- | --- |
-| `stage` | `test` | The stage where you want the job to be added | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `image_tag` | `4` | Tag of the Docker image to use | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes, no FIPS support for IaC |
-| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
-| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
-| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
-| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
-| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
+| `stage` | `test` | The stage where you want the job to be added | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
+| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
+| `image_tag` | `4` | Tag of the Docker image to use | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
+| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :heavy_check_mark: Yes | :heavy_check_mark: Yes, no FIPS support for IaC |
+| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :heavy_check_mark: Yes | :white_check_mark: No |
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
+| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
+| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :heavy_check_mark: Yes | :white_check_mark: No |
+| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :heavy_check_mark: Yes | :white_check_mark: No |
+| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :heavy_check_mark: Yes | :white_check_mark: No |
 ## Contribute
From 77c1b8212839a67b14a20530f6946bdc642b8eea Mon Sep 17 00:00:00 2001
From: Rob Jackson
Date: Mon, 26 May 2025 12:53:30 -0400
Subject: [PATCH 7/8] another table format
---
 README.md | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 34dd66a..3a1feb7 100644
--- a/README.md
+++ b/README.md
@@ -39,16 +39,16 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
 | Input | Default value | Description | SAST | IaC |
 | ----- | ------------- | ----------- | ---- | --- |
-| `stage` | `test` | The stage where you want the job to be added | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
-| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
-| `image_tag` | `4` | Tag of the Docker image to use | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
-| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :heavy_check_mark: Yes | :heavy_check_mark: Yes, no FIPS support for IaC |
-| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :heavy_check_mark: Yes | :white_check_mark: No |
-| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
-| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :heavy_check_mark: Yes | :heavy_check_mark: Yes |
-| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :heavy_check_mark: Yes | :white_check_mark: No |
-| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :heavy_check_mark: Yes | :white_check_mark: No |
-| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :heavy_check_mark: Yes | :white_check_mark: No |
+| `stage` | `test` | The stage where you want the job to be added | :white_check_mark: Yes | :white_check_mark: Yes |
+| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | :white_check_mark: Yes | :white_check_mark: Yes |
+| `image_tag` | `4` | Tag of the Docker image to use | :white_check_mark: Yes | :white_check_mark: Yes |
+| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :white_check_mark: Yes | :white_check_mark: Yes, no FIPS support for IaC |
+| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :white_check_mark: Yes | :x: No |
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark:Yes |
+| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :white_check_mark: Yes | :white_check_mark: Yes |
+| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :white_check_mark: Yes | :x: No |
+| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :white_check_mark: Yes | :x: No |
+| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | :white_check_mark: Yes | :x: No |
 ## Contribute
From 81caeb7959d0ff238df68ea3f4c36cbab8b44f1f Mon Sep 17 00:00:00 2001
From: Rob Jackson
Date: Mon, 26 May 2025 12:54:10 -0400
Subject: [PATCH 8/8] fix typo
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3a1feb7..f49a247 100644
--- a/README.md
+++ b/README.md
@@ -44,7 +44,7 @@ This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` wit
 | `image_tag` | `4` | Tag of the Docker image to use | :white_check_mark: Yes | :white_check_mark: Yes |
 | `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | :white_check_mark: Yes | :white_check_mark: Yes, no FIPS support for IaC |
 | `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | :white_check_mark: Yes | :x: No |
-| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark:Yes |
+| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | :white_check_mark: Yes | :white_check_mark: Yes |
 | `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | :white_check_mark: Yes | :white_check_mark: Yes |
 | `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job | :white_check_mark: Yes | :x: No |
 | `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | :white_check_mark: Yes | :x: No |