SAST & Secret-Detection Custom Rules - Modifying Pre-existing Rules - Overriding Properties

Problem to solve

To complete Custom Rulesets for SAST analyzers, we should provide the ability to modify specific rules of our individual SAST and Secret Detection analyzers by allowing selected rule properties to be overridden.

Intended users

  • Sasha (Software Developer)
  • Rachel (Release Manager)
  • Alex (Security Operations Engineer)

User experience goal

Better data quality for users: rule properties (for example severity) align with organization expectations instead of the analyzer's defaults.

Proposal

  • Update the SAST rules configuration file specification to allow individual rule values to be overridden, e.g. severity = "High". An override must match the primary identifier of the rule as defined by the given analyzer (perhaps on Value?)
    • Allowlist of override-able attributes: name, message, description, severity, confidence
  • Validate supported override values (reject attributes outside the allowlist and values outside the supported set)
  • Update analyzers/command/run.go to override any returned findings with the values specified in the configuration file

Update analyzers to enable modifying preexisting rules

  • brakeman
  • phpcs-security-audit
  • security-code-scan
  • bandit
  • eslint
  • mobSF
  • flawfinder
  • gosec
  • sobelow
  • semgrep
  • kubesec
  • kics
  • nodejs-scan
  • secrets
  • pmd-apex
  • spotbugs

Example

[spotbugs]
  [[spotbugs.ruleset]]
    # Properties I'm overriding below
    severity = "Low"
    description = "Predictable random number generator detected, but I don't really care because this is a PoC to demonstrate crackable password hashes"
    # Filter on identifier
    [spotbugs.ruleset.identifier]
    type = "find_sec_bugs_type" # not needed but for readability
    value = "PREDICTABLE_RANDOM"
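As an added example (not the project's own code), the following Go sketch shows what the run.go step and the validation from the proposal could look like when applied to the spotbugs ruleset above. It assumes the TOML has already been decoded into the RulesetEntry structs below; the findings, the ruleset entry and the SQL_INJECTION_JDBC identifier are constructed sample data, and the severity and confidence level sets are assumed to follow the GitLab security report schema.

```go
package main

import "fmt"

// Identifier mirrors the type/value identifier of a security report finding;
// a ruleset entry filters findings on the same pair.
type Identifier struct {
	Type  string
	Value string
}

// Finding is a reduced report finding: the identifiers plus the five
// properties the proposal allows to be overridden (constructed model).
type Finding struct {
	Name, Message, Description, Severity, Confidence string
	Identifiers                                      []Identifier // Identifiers[0] is the primary identifier
}

// RulesetEntry is one [[<analyzer>.ruleset]] table. Overrides is a map so
// unknown keys are reported instead of silently ignored.
type RulesetEntry struct {
	Identifier Identifier
	Overrides  map[string]string
}

// Allowlist of override-able attributes from the proposal, and the supported
// levels (assumed from the report schema).
var (
	overridable      = map[string]bool{"name": true, "message": true, "description": true, "severity": true, "confidence": true}
	severityLevels   = map[string]bool{"Info": true, "Unknown": true, "Low": true, "Medium": true, "High": true, "Critical": true}
	confidenceLevels = map[string]bool{"Ignore": true, "Unknown": true, "Experimental": true, "Low": true, "Medium": true, "High": true, "Critical": true}
)

// ValidateRuleset fails fast on a misspelt attribute or unsupported level, so a
// broken config fails the job rather than producing a report that only looks overridden.
func ValidateRuleset(entries []RulesetEntry) error {
	for i, e := range entries {
		if e.Identifier.Value == "" {
			return fmt.Errorf("ruleset[%d]: identifier.value is required", i)
		}
		for attr, val := range e.Overrides {
			switch {
			case !overridable[attr]:
				return fmt.Errorf("ruleset[%d]: %q is not an override-able attribute", i, attr)
			case attr == "severity" && !severityLevels[val]:
				return fmt.Errorf("ruleset[%d]: unsupported severity %q", i, val)
			case attr == "confidence" && !confidenceLevels[val]:
				return fmt.Errorf("ruleset[%d]: unsupported confidence %q", i, val)
			}
		}
	}
	return nil
}

// matchesPrimary selects on the primary identifier only; type is optional in
// the config, so an empty type matches any type.
func matchesPrimary(filter Identifier, f Finding) bool {
	if len(f.Identifiers) == 0 {
		return false
	}
	p := f.Identifiers[0]
	return (filter.Type == "" || filter.Type == p.Type) && filter.Value == p.Value
}

// ApplyOverrides is the run.go step: findings are modified in place and the
// number of findings touched is returned.
func ApplyOverrides(findings []Finding, entries []RulesetEntry) int {
	touched := 0
	for i := range findings {
		f, hit := &findings[i], false
		for _, e := range entries {
			if !matchesPrimary(e.Identifier, *f) {
				continue
			}
			hit = true
			for attr, val := range e.Overrides {
				switch attr { // only allowlisted attributes reach this point
				case "name":
					f.Name = val
				case "message":
					f.Message = val
				case "description":
					f.Description = val
				case "severity":
					f.Severity = val
				case "confidence":
					f.Confidence = val
				}
			}
		}
		if hit {
			touched++
		}
	}
	return touched
}

// SampleRuleset is the spotbugs TOML example decoded by hand (constructed).
func SampleRuleset() []RulesetEntry {
	return []RulesetEntry{{
		Identifier: Identifier{Type: "find_sec_bugs_type", Value: "PREDICTABLE_RANDOM"},
		Overrides:  map[string]string{"severity": "Low", "description": "Predictable random number generator in a PoC; accepted"},
	}}
}

// SampleFindings are constructed findings as spotbugs might return them.
func SampleFindings() []Finding {
	return []Finding{
		{Name: "Predictable pseudorandom number generator", Severity: "Medium", Confidence: "High",
			Identifiers: []Identifier{{Type: "find_sec_bugs_type", Value: "PREDICTABLE_RANDOM"}}},
		{Name: "SQL injection", Severity: "High", Confidence: "High",
			Identifiers: []Identifier{{Type: "find_sec_bugs_type", Value: "SQL_INJECTION_JDBC"}}},
	}
}

func main() {
	rules := SampleRuleset()
	if err := ValidateRuleset(rules); err != nil {
		fmt.Println("invalid ruleset:", err)
		return
	}
	findings := SampleFindings()
	fmt.Printf("%d finding(s) overridden\n", ApplyOverrides(findings, rules))
	for _, f := range findings {
		fmt.Printf("%-42s severity=%s\n", f.Name, f.Severity)
	}
}
```

Validation runs before any finding is touched so that a single bad entry rejects the whole ruleset; matching is restricted to the primary identifier, so a secondary CWE identifier shared by many rules cannot accidentally override them all.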

Further details

Permissions and Security

No change to permissions

Documentation

  • Document functionality within Static Application Security Testing docs
  • Document functionality within Secret Detection Testing docs

Availability & Testing

  • Add test ensuring overridden rule generates findings matching the override value

What does success look like, and how can we measure that?

Rule properties (e.g. severity) can be overridden when a rule's defaults are considered insignificant or inaccurate by users, and the resulting findings carry the configured values

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited Feb 18, 2022 by rossfuhrman