GitLab Semgrep-based analyzer documentation is lacking
Problem to solve
This relates to Semgrep as implemented in the SAST CI/CD template. The issue is that there is no documented way to set semgrep configuration paths, rules, or other parameters.
Some documentation is here: https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html and the main repository is here: https://gitlab.com/gitlab-org/security-products/analyzers/semgrep
Neither of these places gives much detail.
Further details
Other semgrep documentation mentions the following variable (folded YAML scalar, one ruleset per line):

    SEMGREP_RULES: >- # more at semgrep.dev/explore
      p/security-audit
      p/secrets

but whether or not that works is never confirmed in GitLab's documentation, and there is no listed way to e.g. add your own rule.
Proposal
Document the following, either on the main analyzer page or in the semgrep analyzer repository's README:
- How to include or exclude directories/files
- How to run semgrep with custom rules
- How to run with the --junit-xml flag so the report can be used as a CI artifact
An example script to run would be the following:
semgrep --config=p/security-audit --config=myrules.yml . -l python --junit-xml -o semgrep-ci.xml
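As an added example (not part of the issue, and not code from GitLab's analyzer), the two files a project would need to run the command above in a plain CI job: a minimal custom rule file and a job that runs upstream Semgrep and publishes the JUnit report. The job name semgrep-custom, the file name myrules.yml and the rule contents are assumptions; the job runs the returntocorp/semgrep image directly rather than configuring the SAST template's semgrep-sast job, precisely because the template's handling of SEMGREP_RULES is what this issue says is undocumented.

```yaml
# myrules.yml (assumed file name, committed at the repository root).
# A minimal custom rule in the standard Semgrep rule format: it flags any
# call to eval() in Python code, which is a common code-injection sink.
rules:
  - id: python-eval-use
    languages: [python]
    severity: WARNING
    message: eval() executes its argument as code; parse the input instead
    pattern: eval(...)

# .gitlab-ci.yml (job fragment, assumed job name semgrep-custom).
# Runs the exact command from the proposal: registry ruleset plus the custom
# rule file, Python only, and writes a JUnit XML report for GitLab to collect.
semgrep-custom:
  stage: test
  image: returntocorp/semgrep   # upstream Semgrep image (assumed tag: latest)
  script:
    - semgrep --config=p/security-audit --config=myrules.yml . -l python --junit-xml -o semgrep-ci.xml
  artifacts:
    when: always                # keep the report even if a later step fails the job
    reports:
      junit: semgrep-ci.xml     # surfaces findings in the merge request test summary
    paths:
      - semgrep-ci.xml          # also keep the raw XML for download
```

Two practical notes: the p/security-audit ruleset is fetched from the Semgrep registry at scan time, so the runner needs outbound HTTPS access to semgrep.dev, and by default semgrep exits 0 even when it reports findings, so a gating policy still has to be applied on top of the report (for example with semgrep's --error flag) if findings are meant to fail the pipeline.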