SAST Custom Rules - Passthrough Scanner Configuration
Problem to solve
To complete Custom Rulesets for SAST analyzers, we should provide the ability to pass a configuration block through to the underlying scanners.
User experience goal
- Update `analyzers/common` to detect and parse a configuration file
- If a configuration file is present, the analyzer provides a compatible customization hook (similar to our
- If `[[ANALYZER.passthrough]]` is present, provide the analyzer-specific configuration file to the underlying tool (gosec-only initially)
- Check for `GITLAB_PLAN` as defined in the licensing issue using
```toml
[gosec]
description = 'gosec custom rules configuration'

[[passthrough]]
type = file
source/target/destination = gosec-config.json
value = gosec-config.json
```
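The following is an added example of the passthrough flow described above (detect the ruleset, read the analyzer's `passthrough` entries, hand a `type = file` entry to gosec); it is not code from `analyzers/common` or the gosec analyzer. It assumes quoted TOML string values, an array of tables named `[[gosec.passthrough]]`, and that the destination key is called `target` (the issue has not settled on `source/target/destination`); the sample ruleset and gosec config it uses are constructed. The TOML reader covers only the subset the ruleset needs rather than pulling in a TOML library.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Constructed sample ruleset; assumes quoted strings, [[gosec.passthrough]] and a `target` key.
const sampleRuleset = `[gosec]
description = "gosec custom rules configuration"
[[gosec.passthrough]]
type = "file"
target = "gosec-config.json"
value = "gosec-config.json"
`

// Passthrough is one [[ANALYZER.passthrough]] entry.
type Passthrough struct{ Type, Target, Value string }

// parsePassthroughs reads only the TOML subset the ruleset needs ([table],
// [[analyzer.passthrough]] and key = "value" lines) for the given analyzer.
func parsePassthroughs(src, analyzer string) ([]Passthrough, error) {
	var pts []Passthrough
	cur := -1 // index into pts while inside a passthrough table, else -1
	for n, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = -1
			if strings.HasPrefix(line, "[[") && strings.Trim(line, "[]") == analyzer+".passthrough" {
				pts = append(pts, Passthrough{})
				cur = len(pts) - 1
			}
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		if !ok || len(val) < 2 || val[0] != '"' || val[len(val)-1] != '"' {
			return nil, fmt.Errorf("line %d: expected key = \"value\"", n+1)
		}
		val = val[1 : len(val)-1]
		switch {
		case cur < 0: // keys of other tables (e.g. description) are not ours
		case key == "type":
			pts[cur].Type = val
		case key == "target":
			pts[cur].Target = val
		case key == "value":
			pts[cur].Value = val
		default:
			return nil, fmt.Errorf("line %d: unexpected passthrough key %q", n+1, key)
		}
	}
	return pts, nil
}

// safeJoin refuses results outside base: the ruleset is user-controlled, so "../" must not be honoured.
func safeJoin(base, rel string) (string, error) {
	p := filepath.Join(base, rel)
	r, err := filepath.Rel(base, p)
	if err != nil || r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %q", rel, base)
	}
	return p, nil
}

// applyPassthroughs copies each type = "file" passthrough from the project checkout
// into the scanner's working directory and returns the flags for gosec (-conf).
func applyPassthroughs(pts []Passthrough, projectDir, workDir string) ([]string, error) {
	var args []string
	for _, p := range pts {
		if p.Type != "file" {
			return nil, fmt.Errorf("unsupported passthrough type %q", p.Type)
		}
		src, err := safeJoin(projectDir, p.Value)
		if err != nil {
			return nil, err
		}
		dst, err := safeJoin(workDir, p.Target)
		if err != nil {
			return nil, err
		}
		data, err := os.ReadFile(src)
		if err == nil {
			err = os.WriteFile(dst, data, 0o600)
		}
		if err != nil {
			return nil, err
		}
		args = append(args, "-conf", dst)
	}
	return args, nil
}
```

The returned flags are appended to the gosec invocation, which is how the analyzer reaches parity with what `SAST_GOSEC_CONFIG` did through the environment. Because the ruleset file is committed by the repository owner, both `value` and `target` are treated as untrusted paths: `safeJoin` rejects anything that resolves outside the project checkout or the scanner's working directory, and the copied file is written with mode 0600.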
The initial use case is to reach feature parity with the previously introduced `SAST_GOSEC_CONFIG` functionality of the gosec analyzer, by supplying the configuration through our SAST rules configuration file rather than directly via an environment variable.
This reframes our customization functionality around a single customization entrypoint and provides the basic framework within `analyzers/common` and our analyzers to build on top of.
Permissions and Security
No change to permissions
- Update the Static Application Security Testing docs with a new section on the configuration file
- [optionally] Consider deprecating
Availability & Testing
- Add unit tests to `analyzers/common` covering the new customization architecture
- Add a downstream test to `analyzers/gosec` where a configuration file is specified to modify default behavior (similar to
What does success look like, and how can we measure that?
Customers have a clear location for modifying analyzer behaviors.