Re-enable SAST scanning
What does this MR do?
Enables SAST scanning on the gitlab-org/gitlab-runner project.
Why was this MR needed?
Static Application Security Testing does not run for the gitlab-org/gitlab-runner project because SAST_DISABLED: "true" is set as a global CI variable: https://gitlab.com/gitlab-org/gitlab-runner/-/blob/main/.gitlab/ci/_common.gitlab-ci.yml?ref_type=heads#L27
As a result of SAST scans not running we are no longer detecting and flagging potential new vulnerabilities in MRs, pipeline security tabs, or the vulnerability dashboard. This also blocks our ability to configure merge request approval policies that would benefit from additional security review for any newly detected and newly introduced potential vulnerabilities.
As AppSec is expected to review, validate, and triage vulnerabilities, the lack of insight into SAST vulnerabilities is impacting our ability to perform this job duty.
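For reference, an added illustration (not the project's actual _common.gitlab-ci.yml) of how a global SAST_DISABLED variable suppresses every job from GitLab's SAST template, and what the corrected configuration looks like. The two YAML documents are constructed; the template path and the SAST_DISABLED / SAST_EXCLUDED_ANALYZERS variables are GitLab's own, everything else is assumed.

```yaml
# Constructed example, not the gitlab-runner project's real CI config.
# The jobs defined by GitLab's SAST template (semgrep-sast among them) carry
# a rule that resolves to `when: never` whenever SAST_DISABLED is set, so a
# global value of "true" silently removes them from every pipeline.

# --- Before: SAST suppressed project-wide ---
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SAST_DISABLED: "true"   # no -sast job is ever scheduled; nothing reaches the vulnerability report

---
# --- After: the variable is removed; template jobs run on their default rules ---
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # SAST_DISABLED intentionally absent.
  # If one analyzer must be skipped, exclude just that analyzer instead of
  # disabling SAST globally. "kubesec" is a constructed example value.
  SAST_EXCLUDED_ANALYZERS: "kubesec"
```

After the change, the pipeline's Security tab should list the semgrep-sast job and its findings, which is the observable check that the variable is really gone.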
What's the best way to test this MR?
- Verify that -sast jobs, specifically the semgrep-sast job, are not currently being triggered in any recent CI pipelines.
- Trigger a pipeline with the SAST_DISABLED: "true" line removed, then verify that SAST jobs are running and detected vulnerabilities are being flagged, as expected.