sast/templates/sast.yml

spec:
  inputs:
    stage:
      default: test
    image_prefix:
      default: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
    image_tag:
      default: '6'
    image_suffix:
      default: ""
    excluded_analyzers:
      default: ""
    excluded_paths:
      default: "spec, test, tests, tmp"
    search_max_depth:
      default: '4'
    run_kubesec_sast:
      default: 'false'
    run_advanced_sast:
      default: false
      type: boolean
    include_experimental:
      default: 'false'
    ff_glas_enable_php_support:
      default: true
      type: boolean
    use_precompiled_artifacts:
      default: false
      type: boolean
    sast_dependencies:
      default: []
      type: array
---
.sast-analyzer:
  stage: $[[ inputs.stage ]]
  allow_failure: true
  # these variables are used by the analyzer
  # TODO: propagate inputs when breaking down into separate components
  # E.g. SEARCH_MAX_DEPTH is overridden in some analyzers. We should pass the input instead.
  variables:
    SEARCH_MAX_DEPTH: $[[ inputs.search_max_depth ]]
    DEFAULT_SAST_EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
    SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
    COMPILE: $[[ inputs.use_precompiled_artifacts ]]
  dependencies: $[[ inputs.sast_dependencies ]]
  script:
    - /analyzer run
  artifacts:
    access: 'developer'
    reports:
      sast: gl-sast-report.json

.deprecated-16.8:
  extends: .sast-analyzer
  script:
    - echo "This job was deprecated in GitLab 16.8 and removed in GitLab 17.0"
    - echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/425085"
    - exit 1
  rules:
    - when: never

.gitlab-advanced-sast-exist-rules:
  exists:
    - '**/*.py'
    - '**/*.go'
    - '**/*.java'
    - '**/*.jsp'
    - '**/*.js'
    - '**/*.jsx'
    - '**/*.ts'
    - '**/*.tsx'
    - '**/*.cjs'
    - '**/*.mjs'
    - '**/*.cs'
    - '**/*.rb'
    - '**/*.php'

.semgrep-with-advanced-sast-exist-rules:
  exists:
    - '**/*.c'
    - '**/*.cc'
    - '**/*.cpp'
    - '**/*.c++'
    - '**/*.cp'
    - '**/*.cxx'
    - '**/*.h'
    - '**/*.hpp'
    - '**/*.scala'
    - '**/*.sc'
    - '**/*.php'
    - '**/*.swift'
    - '**/*.m'
    - '**/*.kt'
    - '**/*.properties'
    - '**/application*.yml'
    - '**/bootstrap*.yml'
    - '**/application*.yaml'
    - '**/bootstrap*.yaml'

.semgrep-exist-rules:
  exists:
    - '**/*.py'
    - '**/*.js'
    - '**/*.jsx'
    - '**/*.ts'
    - '**/*.tsx'
    - '**/*.c'
    - '**/*.cc'
    - '**/*.cpp'
    - '**/*.c++'
    - '**/*.cp'
    - '**/*.cxx'
    - '**/*.h'
    - '**/*.hpp'
    - '**/*.go'
    - '**/*.java'
    - '**/*.cs'
    - '**/*.scala'
    - '**/*.sc'
    - '**/*.php'
    - '**/*.swift'
    - '**/*.m'
    - '**/*.rb'
    - '**/*.kt'
    - '**/*.cjs'
    - '**/*.mjs'
    - '**/*.properties'
    - '**/application*.yml'
    - '**/bootstrap*.yml'
    - '**/application*.yaml'
    - '**/bootstrap*.yaml'

gitlab-advanced-sast:
  extends: .sast-analyzer
  image:
    name: "$[[ inputs.image_prefix ]]/gitlab-advanced-sast:${SAST_ANALYZER_IMAGE_TAG}$[[ inputs.image_suffix ]]"
  variables:
    FF_GLAS_ENABLE_PHP_SUPPORT: "$[[ inputs.ff_glas_enable_php_support ]]"
    SAST_ANALYZER_IMAGE_TAG: 2
    SEARCH_MAX_DEPTH: 20
  cache:
    key: "scan-metrics-$CI_COMMIT_REF_SLUG"
    fallback_keys:
      - "scan-metrics-$CI_DEFAULT_BRANCH"
    paths:
      - "scan_metrics.csv"
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /gitlab-advanced-sast/'
      when: never
    - if: '"$[[ inputs.run_advanced_sast ]]" != "true"'
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/
      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/
      exists: !reference [.gitlab-advanced-sast-exist-rules, exists]

brakeman-sast:
  extends: .deprecated-16.8

flawfinder-sast:
  extends: .deprecated-16.8

kubesec-sast:
  extends: .sast-analyzer
  image:
    name: "$[[ inputs.image_prefix ]]/kubesec:$[[ inputs.image_tag ]]"
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /kubesec/'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && "$[[ inputs.run_kubesec_sast ]]" == "true"'
    - if: '$CI_COMMIT_BRANCH && "$[[ inputs.run_kubesec_sast ]]" == "true"'

mobsf-android-sast:
  extends: .deprecated-16.8

mobsf-ios-sast:
  extends: .deprecated-16.8

nodejs-scan-sast:
  extends: .deprecated-16.8

phpcs-security-audit-sast:
  extends: .deprecated-16.8

pmd-apex-sast:
  extends: .sast-analyzer
  image:
    name: "$[[ inputs.image_prefix ]]/pmd-apex:$[[ inputs.image_tag ]]"
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /pmd-apex/'
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.cls'

security-code-scan-sast:
  extends: .sast-analyzer
  script:
    - echo "This job was deprecated in GitLab 15.9 and removed in GitLab 16.0"
    - echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/390416"
    - exit 1
  rules:
    - when: never

semgrep-sast:
  extends: .sast-analyzer
  image:
    name: "$[[ inputs.image_prefix ]]/semgrep:$[[ inputs.image_tag ]]$[[ inputs.image_suffix ]]"
  variables:
    SEARCH_MAX_DEPTH: 20
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /semgrep/'
      when: never
    # When gitlab-advanced-sast runs with PHP support enabled, exclude the `*.php` extension, as well as other files already scanned by gitlab-advanced-sast
    - if: '$CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
          "$[[ inputs.run_advanced_sast ]]" == "true" &&
          "$[[ inputs.ff_glas_enable_php_support ]]" == "true"'
      variables:
        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb, **/*.php"
      exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
    # When gitlab-advanced-sast runs but PHP support is disabled, exclude files already scanned by gitlab-advanced-sast
    - if: '$CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
          "$[[ inputs.run_advanced_sast ]]" == "true" &&
          "$[[ inputs.ff_glas_enable_php_support ]]" != "true"'
      variables:
        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
      exists: !reference [.semgrep-with-advanced-sast-exist-rules, exists]
    # Fallback when advanced SAST covers everything
    - if: '$CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
          "$[[ inputs.excluded_analyzers ]]" !~ /gitlab-advanced-sast/ &&
          "$[[ inputs.run_advanced_sast ]]" == "true"'
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      exists: !reference [.semgrep-exist-rules, exists]
      # Default case - run for all supported files
    - if: $CI_COMMIT_BRANCH
      exists: !reference [.semgrep-exist-rules, exists]

sobelow-sast:
  extends: .sast-analyzer
  image:
    name: "$[[ inputs.image_prefix ]]/sobelow:$[[ inputs.image_tag ]]"
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /sobelow/'
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/mix.exs'

spotbugs-sast:
  extends: .sast-analyzer
  image:
    name: "$[[ inputs.image_prefix ]]/spotbugs:$[[ inputs.image_tag ]]"
  rules:
    - if: '"$[[ inputs.excluded_analyzers ]]" =~ /spotbugs/'
      when: never
    - if: '"$[[ inputs.include_experimental ]]" == "true"'
      exists:
        - '**/AndroidManifest.xml'
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.groovy'