
Custom Rulesets for Security Scanning at Group and Instance level

Problem to solve

During development of &4179 we need to ensure the specification works for enterprise-scale companies. This places emphasis on reusability, maintainability, and manageability of rulesets at a scalable level.

Intended users

User experience goal

Easy configuration and implementation of custom rulesets across hundreds of related projects (i.e. shared rulesets within a GitLab Group, instance-wide custom rulesets)

Proposal

Add some way to define custom SAST rulesets at the group or instance level.

MVC may be SAST_CUSTOM_RULESETS_URL=https://gitlab.example.com/some-repo/custom-rulesets.toml

See also original discussion of includes within original technical discovery issue

Workaround

include:
  - template: SAST.gitlab-ci.yml

spotbugs-sast:
  before_script:
    # Pull the shared ruleset into the path the SAST analyzer reads.
    # The directory may not exist in every project, so create it first.
    - mkdir -p .gitlab
    - wget https://gitlab.example.com/templates/raw/master/base-sast-rules.yml -O .gitlab/sast-ruleset.toml
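The workaround above uses whatever file the URL returns, and a ruleset decides which rules run at all. The following helper, added here as an example and not part of the issue or of GitLab's own templates, pins the shared ruleset to a SHA-256 recorded in the project and installs it only when the digest matches; the function names `sha256_of`, `install_ruleset` and `fetch_ruleset` are this example's own.

```shell
# Added example (not from the issue): install a shared SAST ruleset into the
# location the analyzer reads only after its SHA-256 matches a pinned value.
# A silently modified download could otherwise disable or weaken rules.

sha256_of() {
  # Portable digest: GNU coreutils sha256sum or BSD shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# install_ruleset SOURCE_FILE EXPECTED_SHA256 [DEST]
# Copies SOURCE_FILE to DEST (default .gitlab/sast-ruleset.toml) only if its
# digest equals EXPECTED_SHA256. Installs nothing and returns 1 otherwise.
install_ruleset() {
  src=$1
  expected=$2
  dest=${3:-.gitlab/sast-ruleset.toml}
  actual=$(sha256_of "$src")
  if [ "$actual" != "$expected" ]; then
    echo "ruleset digest mismatch: expected $expected got $actual" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  cp "$src" "$dest"
}

# fetch_ruleset URL EXPECTED_SHA256 [DEST]
# The before_script form: download to a temp file, then verify and install.
# The pinned digest would live in a CI variable such as RULESET_SHA256
# (hypothetical name) rather than in the shared repository itself.
fetch_ruleset() {
  tmp=$(mktemp)
  if ! wget -q "$1" -O "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  if install_ruleset "$tmp" "$2" "${3:-.gitlab/sast-ruleset.toml}"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}
```

In the job this replaces the bare `wget` line with `fetch_ruleset "$SAST_CUSTOM_RULESETS_URL" "$RULESET_SHA256"`, so a changed ruleset fails the job instead of quietly changing what gets scanned.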

Further details

Permissions and Security

TBD

Documentation

We'll want to update: https://docs.gitlab.com/ee/user/application_security/sast/index.html#customize-rulesets

We should also explain how to use this in a compliance pipeline (see #346839 (comment 991436447)).

What does success look like, and how can we measure that?

Easy configuration and expression of rulesets across hundreds of related projects (i.e. shared rulesets within a GitLab Group)

What is the type of buyer?

GitLab Ultimate

Links / references

Edited by Greg Myers