GitLab Semgrep-based analyzer documentation is lacking

Problem to solve

This relates to Semgrep as implemented in the SAST CI/CD template. The issue is that there is no documented way to set semgrep configuration paths, rules, or other parameters.

Some documentation is here: https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html and the main repository is here: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep

Neither of these places gives much detail.

Further details

Other semgrep documentation mentions the following variable:

SEMGREP_RULES: >- # more at semgrep.dev/explore
  p/security-audit
  p/secrets

but whether or not that works is never confirmed in GitLab's documentation, and there is no listed way to e.g. add your own rule.

Proposal

Document the following, either on the main analyzer page, or in the semgrep analyzer git's README:

  • How to include or exclude directories/files
  • How to run semgrep with custom rules
  • How to run with the junit-xml flag so artifacts can be used

An example script to run would be the following: semgrep --config=p/security-audit --config=myrules.yml . -l python --junit-xml -o semgrep-ci.xml

Edited by James Liu
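For reference, this is what a custom rules file such as the `myrules.yml` passed via `--config=myrules.yml` in the example command above could contain. It is an illustration added here, not content from the issue, from GitLab's analyzer or from the Semgrep registry; the rule ids, messages and the `tests/` exclusion are assumptions, while the rule keys (`patterns`, `pattern-not`, `paths`) are standard Semgrep rule syntax.

```yaml
# Constructed example: two Python rules plus a per-rule path exclusion,
# matching the "-l python" run shown in the issue.
rules:
  - id: example-python-subprocess-shell-true
    # OS command construction with shell=True is a classic command-injection
    # sink when any part of the command string is attacker-influenced.
    patterns:
      - pattern: subprocess.$FUNC(..., shell=True, ...)
    message: >-
      subprocess.$FUNC is called with shell=True. Prefer passing an argument
      list with shell=False so the command is not parsed by a shell.
    languages: [python]
    severity: WARNING
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
    paths:
      # Example of scoping a rule: skip test fixtures (assumed project layout).
      exclude:
        - "tests/"

  - id: example-python-yaml-unsafe-load
    # yaml.load without an explicit safe loader can instantiate arbitrary
    # Python objects from untrusted documents; flag it unless a safe loader
    # is passed positionally or by keyword.
    patterns:
      - pattern: yaml.load(...)
      - pattern-not: yaml.load(..., Loader=yaml.SafeLoader)
      - pattern-not: yaml.load(..., yaml.SafeLoader)
    message: >-
      yaml.load is called without yaml.SafeLoader. Use yaml.safe_load or pass
      Loader=yaml.SafeLoader.
    languages: [python]
    severity: ERROR
    metadata:
      cwe: "CWE-502: Deserialization of Untrusted Data"
```

Run locally with the command from the issue to produce a JUnit report that CI can pick up as an artifact: `semgrep --config=p/security-audit --config=myrules.yml . -l python --junit-xml -o semgrep-ci.xml`.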