Provide means of bypassing plugin detection in SAST Semgrep analyzer & SAST CI template
Proposal
We currently support custom rulesets for our semgrep analyzer, but the language support is still limited in that our analyzer requires a matching filetype to run. GitLab's SAST template also requires a matching filetype for the semgrep-sast job to run. We should look at a way of removing this limitation in order to provide better out-of-the-box support for non-default languages.
Background
A similar issue was recently raised as a workaround for spotbugs to support raw compilations with javac, which were failing detection due to a missing project type. This isn't a standard behavior we would support, but it should be technically possible with some additional configuration. It would be nice to enable this globally (or at least for spotbugs as well), but I'm not sure if it makes much sense to tie this to custom rulesets, or if there is another means of configuration we should consider here (i.e. COMPILE=false).
Workaround
- Ensure the repository contains a file whose extension matches one of the Semgrep analyzer's supported extensions (as listed in plugin.go and in our SAST.gitlab-ci.yml template)
Implemented Solution
Based on this discussion, the following changes are implemented.
- Changes made in the Semgrep analyzer code: if the customer's project contains Semgrep rules inside the custom ruleset file, the Semgrep analyzer bypasses the language file-extension-based checks. This enables users to run Semgrep rules even for languages not yet officially supported by the GitLab Semgrep analyzer.
- Changes that the customer needs to make in the SAST CI template: the customer needs to explicitly override the semgrep-sast CI job in the SAST CI template to enable the language of choice, e.g. inside <project>/.gitlab-ci.yml:

  semgrep-sast:
    rules:
      - if: $CI_COMMIT_BRANCH
        exists:
          - '**/*.<language extension you want to add support to, ex: .py>'
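The detection logic described above, written as an added illustration in Go (not the analyzer's actual plugin.go): the analyzer runs if any file carries a supported extension, or, as implemented here, unconditionally when the custom ruleset declares Semgrep rules. The supported-extension subset, the ruleset path and the `[[semgrep.passthrough]]` table check are assumptions for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Illustrative subset of extensions the analyzer normally requires (assumed, not the real list).
var supportedExt = map[string]bool{".py": true, ".js": true, ".go": true, ".java": true}

// Assumed location of the custom ruleset file.
const rulesetPath = ".gitlab/sast-ruleset.toml"

// hasCustomSemgrepRules reports whether the ruleset content declares Semgrep rules.
// It is a deliberately simple line scan for a [[semgrep.passthrough]] table (assumed format).
func hasCustomSemgrepRules(ruleset string) bool {
	for _, line := range strings.Split(ruleset, "\n") {
		if strings.TrimSpace(line) == "[[semgrep.passthrough]]" {
			return true
		}
	}
	return false
}

// shouldRun is the bypass: custom Semgrep rules short-circuit the extension check,
// otherwise at least one file in the project must match a supported extension.
func shouldRun(files []string, ruleset string) bool {
	if hasCustomSemgrepRules(ruleset) {
		return true
	}
	for _, f := range files {
		if supportedExt[strings.ToLower(filepath.Ext(f))] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a project with only an unsupported language, with and without custom rules.
	files := []string{"README.md", "src/main.rs"}
	custom := "[semgrep]\n[[semgrep.passthrough]]\ntype = \"raw\"\nvalue = \"rules: []\"\n"
	fmt.Println("without custom rules:", shouldRun(files, ""))     // false
	fmt.Println("with custom rules:   ", shouldRun(files, custom)) // true
	fmt.Println("ruleset checked at:  ", rulesetPath)
}
```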