
Technical Discovery: Custom analyzer rulesets for SAST & Secret Detection analyzers

Problem to solve

As a security analyst or maintainer, I want the ability to extend the rules for each analyzer on a project-by-project basis, so that I can reduce false positives or provide coverage beyond the rules shipped by default by GitLab.

Today, we rely on open source software for both the detection engine and the detection rules. However, we have a growing need to allow us (or customers) to extend those rules. This would give us a mechanism to try out rules that reduce false positive rates, provide coverage we do not currently offer, or both.

Proposal

Further details

We need to learn the following:

  • How to amend rules embedded in analyzers at run time
  • In what format should rules be expressed?
  • What is the boring solution for providing this capability to individual projects?
  • How closely should Custom Rules for SAST be aligned with Custom Rules for Secret Detection? - #229579 (comment 382582253)

What does success look like, and how can we measure that?

Links / references

  • Most recent proposed file format: sast-rules.v2.toml
Edited Sep 26, 2020 by Taylor McCaslin