sast/README.md

# SAST (Static Application Security Testing)

This project provides componnets for the use of Static Application Security Testing as well as Infrastructure as Code testing. Configuration for either component may be performed through CI/CD Variables (https://docs.gitlab.com/ee/ci/variables/index.html) or via the definition of Inputs (https://docs.gitlab.com/ci/inputs/). 

More information about GitLab SAST is available within GitLab documentation (https://docs.gitlab.com/ee/user/application_security/sast/), along with the available variables (https://docs.gitlab.com/ee/user/application_security/sast/index.html#available-cicd-variables).

More information about GitLab Infrastructure as Code scanning is available within GitLab documentation (https://docs.gitlab.com/user/application_security/iac_scanning/). 


## Usage

You should add this component to an existing `.gitlab-ci.yml` file by using the `include:`
keyword.

```yaml
include:
  - component: gitlab.com/components/sast/sast@<VERSION> # To include SAST Scanning
  - component: gitlab.com/components/sast/iac-sast@<VERSION> # To include IaC Scanning
```

where `<VERSION>` is the latest released tag or `main`.

If you are converting the configuration to use components and want to leverage the existing variable `$SAST_DISABLED` you could conditionally include the component using the variable:

```yaml
include:
  - component: gitlab.com/components/sast/sast@main
    rules:
      - if: $SAST_DISABLED == "true" || $SAST_DISABLED == "1"
        when: never
      - when: always
```

Otherwise all SAST jobs will always run when applicable.

This assumes `SAST_DISABLED` variable is already defined in `.gitlab-ci.yml` with either `'true'` or `'1'` as the value.

### Inputs

| Input | Default value | Description | SAST | IaC |
| ----- | ------------- | ----------- | ---- | --- | 
| `stage` | `test`      | The stage where you want the job to be added | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
| `image_prefix` | `$CI_TEMPLATE_REGISTRY_HOST/security-products` | Define where all Docker image are pulled from | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
| `image_tag` | `4` | Tag of the Docker image to use | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
| `image_suffix` | `""` | Suffix added to image. If set to `-fips`, [`FIPS-enabled` images](https://docs.gitlab.com/ee/user/application_security/sast/#fips-enabled-images) are used for scan. Only used by `semgrep` analyzer | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes, no FIPS support for IaC |
| `excluded_analyzers` | `""` | Comma separated list of analyzers that should not run | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
| `excluded_paths` | `"spec, test, tests, tmp"` | Comma separated list of paths to exclude | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
| `search_max_depth` | `4` | Defines how many directory levels the search for programming languages should span | {{< icon name="check-circle" >}} Yes | {{< icon name="check-circle" >}} Yes |
| `run_kubesec_sast` | `"false"` | Set it to `"true"` to run `kubesec-sast` job  | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
| `run_advanced_sast` | `false` | Set it to `true` to enable [GitLab Advanced SAST](https://docs.gitlab.com/ee/user/application_security/sast/gitlab_advanced_sast.html) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |
| `include_experimental` | `"false"` | Set it to `"true"` to enable [experimental analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features) | {{< icon name="check-circle" >}} Yes | {{< icon name="dotted-circle" >}} No |

## Contribute

Please read about CI/CD components and best practices at: https://docs.gitlab.com/ee/ci/components