Add Additional Options When Running PHPCS Security Audit
Problem to solve
The problem to solve here is twofold:
- Projects may have PHP files with extensions which are not found within the default plugin.PhpExtensions slice. There is currently no way to expand that list without rebuilding the Docker image, which may not be feasible or worthwhile for many teams and individuals.
- Projects may have folders or files within their source code not intended for production or deployed environments (i.e. testing code) which they do not need scanned. There is currently no way to exclude files and folders from the PHPCS scan.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Simone (Software Engineer in Test)
User experience goal
The user should be able to define extra file extensions easily from within .gitlab-ci.yml, without needing to modify external code.
The user should be able to exclude directories from PHPCS scans from within .gitlab-ci.yml to cut down on clutter within the security dashboard and improve scanning efficiency.
Proposal
Two flags should be added to phpcs-security-audit to allow additional file extensions to be scanned, as well as directories to be excluded from the scan.
New Flags
- extensions: Comma-separated list of additional PHP file extensions to pass into the processor
- ignore: Comma-separated list of ignore patterns in RegEx format (See: PHP_CodeSniffer: Ignoring Files and Folders)
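As an added illustration (not code from the analyzer itself), the following Go sketch shows how the two proposed flags could be read from the job environment, merged with the default extension slice, and turned into the phpcs --extensions and --ignore arguments. The variable names PHPCS_EXTRA_EXTENSIONS and PHPCS_IGNORE, the default extension list and the standard name "Security" are assumptions for this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Stand-in for plugin.PhpExtensions; the values are assumed for this example.
var defaultPhpExtensions = []string{"php", "inc", "phtml"}

// splitList turns a comma-separated value into trimmed, non-empty entries,
// so stray spaces or a trailing comma in .gitlab-ci.yml do not reach phpcs.
func splitList(raw string) []string {
	var out []string
	for _, item := range strings.Split(raw, ",") {
		if s := strings.TrimSpace(item); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// mergeExtensions appends user extensions to the defaults, stripping a leading
// dot and folding case so "phpi" and ".PHPI" are not passed twice.
func mergeExtensions(defaults []string, extra string) []string {
	seen := map[string]bool{}
	var merged []string
	for _, e := range append(append([]string{}, defaults...), splitList(extra)...) {
		e = strings.ToLower(strings.TrimPrefix(e, "."))
		if e != "" && !seen[e] {
			seen[e] = true
			merged = append(merged, e)
		}
	}
	return merged
}

// phpcsArgs builds the phpcs argument list: --extensions is always set,
// --ignore only when at least one pattern was supplied.
func phpcsArgs(extra, ignore, target string) []string {
	exts := strings.Join(mergeExtensions(defaultPhpExtensions, extra), ",")
	args := []string{"--standard=Security", "--extensions=" + exts} // standard name assumed
	if patterns := splitList(ignore); len(patterns) > 0 {
		args = append(args, "--ignore="+strings.Join(patterns, ","))
	}
	return append(args, target)
}

func main() {
	args := phpcsArgs(os.Getenv("PHPCS_EXTRA_EXTENSIONS"), os.Getenv("PHPCS_IGNORE"), "/app")
	fmt.Println("phpcs " + strings.Join(args, " "))
}
```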
Further details
I have a use case with my team of developers. We have a PHP structure which uses *.phpi as a file extension; the SAST scanner would not scan these files for us, leading to a potential lapse in security. It would take far too long for us to convert the framework to use a "supported" file extension, and this feature would make this a total non-issue.
I also have a use case for ignoring directories or files during the PHPCS scans. My same team have a DEV folder within our project which houses a lot of testing tools, quick data lookup tools, rapid prototyping, etc. for use whilst developing or testing initial builds. This folder is removed when moving to staging or production and does not require a scan. Without being able to exclude this folder, there are a lot of unnecessary detections displayed in the security scan results, making it more difficult to sort through and view the actually important findings. Being able to simply ignore that DEV folder would completely solve our problem.
Permissions and Security
Anyone with project modify level access would be able to modify the .gitlab-ci.yml and add in use of the added flags.
Documentation
The list of Environment variables in SAST: Analyzer Settings would have to be updated.
Availability & Testing
This should result in no change to availability, simply a newer Docker image for the PHPCS analyzer.
Testing includes:
- Set a directory to be ignored, validate that the directory was not scanned
- Set a new file extension to be scanned, validate that file was scanned
What does success look like, and how can we measure that?
This could allow for wider adoption of the GitLab security scanning tools for existing projects.
Measuring the success of a change like this would be difficult, to say the least. The benefit would likely apply to a small subset of users.
What is the type of buyer?
The type of buyer would be one who wants more customizability in the PHPCS scanner allowing easier integration into a greater number of existing projects.
Is this a cross-stage feature?
No, it is not a cross-stage feature.