Custom Rulesets for Security Scanning at Group and Instance level
Problem to solve
During development of &4179 we need to ensure the specification works for enterprise-scale companies. This places emphasis on reusability, maintainability, and manageability of rulesets at scale, rather than per project.
Intended users
User experience goal
Easy configuration and implementation of custom rulesets across hundreds of related projects (i.e. shared rulesets within a GitLab Group, instance-wide custom rulesets)
Proposal
Add some way to define custom SAST rulesets at the group or instance level, so that a single ruleset can be maintained once and applied to every project that inherits it.
An MVC may be a CI variable that points at a shared ruleset file, e.g. SAST_CUSTOM_RULESETS_URL=https://gitlab.example.com/some-repo/custom-rulesets.toml
See also the original discussion of includes within the original technical discovery issue.
Workaround
```yaml
include:
  - template: SAST.gitlab-ci.yml

spotbugs-sast:
  before_script:
    # Fetch the shared ruleset into the path the analyzer reads.
    # This only covers the spotbugs-sast job; every other SAST analyzer job
    # in the template needs the same before_script to pick up the ruleset.
    - wget https://gitlab.example.com/templates/raw/master/base-sast-rules.yml -O .gitlab/sast-ruleset.toml
```
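The wget line above pulls from the `master` branch with no integrity check, so anyone who can push to that branch silently controls which findings every downstream pipeline reports or suppresses. A hardened form of the same workaround, as an added example that is not code from the issue: it downloads the ruleset at a pinned commit through the repository files API, verifies a known SHA-256 digest, and only then installs it at `.gitlab/sast-ruleset.toml`. Assumed, not from the issue: a masked CI variable `RULESET_READ_TOKEN` holding a read_repository access token for the templates project, and placeholder values for the project id, commit SHA and digest. `CI_API_V4_URL` is a real GitLab predefined variable.

```shell
#!/bin/sh
# Added example (not from the issue): pin and verify a shared SAST ruleset
# before letting it steer the scan. Meant to run in a before_script.

sha256_of() {
  # Print the hex SHA-256 digest of a file; coreutils first, shasum as fallback.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_ruleset SRC EXPECTED_SHA256 DEST
# Compare the downloaded file against the digest recorded in CI config.
# Returns 0 and copies SRC to DEST on match; returns 1 and leaves DEST
# untouched on mismatch, so a tampered ruleset never reaches the analyzer.
install_ruleset() {
  src=$1; expected=$2; dest=$3
  actual=$(sha256_of "$src")
  if [ "$actual" != "$expected" ]; then
    echo "ruleset digest mismatch: got $actual, expected $expected" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  cp "$src" "$dest"
  return 0
}

# fetch_ruleset PROJECT_ID REF PATH DEST EXPECTED_SHA256
# Download PATH from PROJECT_ID at REF (use a commit SHA, not a branch name,
# so the content cannot move underneath the digest), then verify and install.
# RULESET_READ_TOKEN is an assumed masked CI variable (read_repository scope).
fetch_ruleset() {
  project_id=$1; ref=$2; path=$3; dest=$4; expected=$5
  tmp=$(mktemp)
  # The files API wants the path URL-encoded; "/" is the only character
  # that matters for a path like .gitlab/sast-ruleset.toml.
  encoded=$(printf '%s' "$path" | sed 's|/|%2F|g')
  if curl --fail --silent --show-error \
       --header "PRIVATE-TOKEN: ${RULESET_READ_TOKEN}" \
       --output "$tmp" \
       "${CI_API_V4_URL}/projects/${project_id}/repository/files/${encoded}/raw?ref=${ref}" \
     && install_ruleset "$tmp" "$expected" "$dest"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Usage in a job (placeholder project id, commit SHA and digest):
#   fetch_ruleset 42 0123456789abcdef0123456789abcdef01234567 \
#     rulesets/base-sast-rules.toml .gitlab/sast-ruleset.toml \
#     <sha256 of the reviewed ruleset file>
```

The digest lives in the pipeline configuration, so changing the ruleset requires a reviewed change to both the templates repo and the consuming CI config; that is the property the plain `wget ... raw/master` workaround lacks. If the templates project is readable anonymously the token header can be dropped, but the pinned ref and digest should stay.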
Further details
Permissions and Security
TBD
Documentation
We'll want to update: https://docs.gitlab.com/ee/user/application_security/sast/index.html#customize-rulesets
We should also explain how to use this in a compliance pipeline (see #346839 (comment 991436447)).
What does success look like, and how can we measure that?
Easy configuration and expression of rulesets across hundreds of related projects (i.e. shared rulesets within a GitLab Group)
What is the type of buyer?
Links / references
- inspiration: CI configuration docs for the `include` keyword: https://docs.gitlab.com/ee/ci/yaml/#include