Add support for specifying project file in SAST dotnet security-code-scan
Problem to solve
Our security-code-scan analyzer for dotnet currently searches for and uses the first project file it locates. This does not work for users with multiple csproj or vbproj files within a single GitLab project.
Target audience
- Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
- Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam
Further details
Relevant code: https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/blob/11-4-stable/analyze.go#L68
Proposal
A) Add a flag/ENV to explicitly pass the project name to the analyzer.
B) Update the analyzer to locate the solution file (*.sln), supporting multi-project GitLab projects.
(A) should be a quick change, but I'm unsure about the feasibility of (B) with our current tooling.
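To make the two proposals concrete, here is an added example of a selection routine combining both, written for this issue and not taken from the analyzer's analyze.go. The function name SelectProject and the SAST_DOTNET_PROJECT variable mentioned in its comment are hypothetical: an explicit override (proposal A) is validated to be an existing build file inside the checkout, so a wrong value fails the job instead of silently scanning the wrong code; without an override a solution file is preferred (proposal B) before falling back to today's first-found project file.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Scan preference: 0 for a solution, 1 for a project file, 2 for anything else.
var buildRank = map[string]int{".sln": 0, ".csproj": 1, ".vbproj": 1}
func rank(path string) int {
	if r, ok := buildRank[strings.ToLower(filepath.Ext(path))]; ok {
		return r
	}
	return 2
}

// SelectProject returns the build file to scan. override is proposal A (assumed to
// come from a hypothetical SAST_DOTNET_PROJECT variable) and must be an existing
// .sln/.csproj/.vbproj inside root, so a typo fails the job instead of silently scanning
// the wrong code. Otherwise a solution wins (proposal B), else the first project file found.
func SelectProject(root, override string) (string, error) {
	if override != "" {
		p := filepath.Clean(override)
		if !filepath.IsAbs(p) {
			p = filepath.Join(root, p)
		}
		if rel, err := filepath.Rel(root, p); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return "", fmt.Errorf("project %q is outside %q", override, root)
		}
		if _, err := os.Stat(p); err != nil || rank(p) == 2 {
			return "", fmt.Errorf("project %q is not a readable .sln/.csproj/.vbproj", override)
		}
		return p, nil
	}
	best, bestRank := "", 2 // first file seen with the lowest rank wins
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if r := rank(path); err == nil && !d.IsDir() && r < bestRank {
			best, bestRank = path, r
		}
		return err
	})
	if err == nil && best == "" {
		err = fmt.Errorf("no .sln, .csproj or .vbproj under %q", root)
	}
	return best, err
}
```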
Documentation
What does success look like, and how can we measure that?
Allow dotnet security scans to run against a specified project file instead of the first one found.