Clarify when and how SAST_EXCLUDED_PATHS and SECRET_DETECTION_EXCLUDED_PATHS are applied
Problem to solve
Behavior of the SAST_EXCLUDED_PATHS variable differs between analyzers.
- In most cases it causes vulnerabilities to be filtered out after the entire repo is scanned.
- For the Semgrep-based analyzer (at least) it is passed through to semgrep so that other files are not even scanned.
The documentation doesn't make this clear and this has surprised many team members (including me!).
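To make the difference between the two behaviors concrete, here is an added Python example (not GitLab's code and not any analyzer's implementation) that models both: post-scan filtering, which drops findings from an already-produced report by their `location.file`, and pre-scan exclusion, which removes files from the set handed to the scanner so they are never analyzed. The glob semantics used here (comma-separated patterns, `**` spanning directories, a pattern also matching any parent directory of a file) and the minimal report shape are assumptions made for the example, as is the sample report itself, which is constructed.

```python
import re

# Constructed sample in the general shape of a gl-sast-report.json (subset of
# fields only); not a real scan result.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "v1", "location": {"file": "src/app.py", "start_line": 10}},
        {"id": "v2", "location": {"file": "spec/app_spec.rb", "start_line": 3}},
        {"id": "v3", "location": {"file": "vendor/lib/x.js", "start_line": 42}},
        {"id": "v4", "location": {"file": "src/generated/model.py", "start_line": 7}},
    ]
}


def parse_excluded_paths(value: str) -> list[str]:
    """Split a comma-separated variable value into non-empty, trimmed patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a path glob into an anchored regex.

    Assumed semantics: '**' matches any number of path segments, while '*' and
    '?' never cross a '/' boundary.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")  # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def path_matches(path: str, pattern: str) -> bool:
    """True if the pattern matches the path or any of its parent directories.

    Assumption for this example: a plain directory name such as 'spec' is
    meant to exclude everything beneath it.
    """
    rx = glob_to_regex(pattern)
    parts = path.split("/")
    return any(rx.match("/".join(parts[:n])) for n in range(1, len(parts) + 1))


def filter_report_after_scan(report: dict, excluded: str) -> dict:
    """Post-scan behavior: every file was scanned, findings are dropped afterwards."""
    patterns = parse_excluded_paths(excluded)
    kept = [
        v for v in report["vulnerabilities"]
        if not any(path_matches(v["location"]["file"], p) for p in patterns)
    ]
    return {"vulnerabilities": kept}


def select_files_before_scan(files: list[str], excluded: str) -> list[str]:
    """Pre-scan behavior: excluded files are removed before the scanner runs."""
    patterns = parse_excluded_paths(excluded)
    return [f for f in files if not any(path_matches(f, p) for p in patterns)]


if __name__ == "__main__":
    excluded = "spec, vendor, **/generated"
    print("post-scan report:", [v["id"] for v in
          filter_report_after_scan(SAMPLE_REPORT, excluded)["vulnerabilities"]])
    repo_files = [v["location"]["file"] for v in SAMPLE_REPORT["vulnerabilities"]]
    repo_files.append("README.md")
    print("files scanned:", select_files_before_scan(repo_files, excluded))
```

Both paths end with the same finding (`v1`) in the report, which is why the distinction is easy to miss from the artifact alone; the difference shows up in scan time and in what the scanner ever reads, which is what the documentation should spell out.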
Similarly, SECRET_DETECTION_EXCLUDED_PATHS doesn't make it obvious when a user should expect the filtering to occur—before scanning? after scanning? before the artifact is produced? See Zendesk 305969 (team members only).
Further details
- Current documentation: https://docs.gitlab.com/ee/user/application_security/sast/#vulnerability-filters, https://docs.gitlab.com/ee/user/application_security/secret_detection/#available-cicd-variables
- MR where this behavior changed: gitlab-org/security-products/analyzers/semgrep!47 (merged)
- One reason why this is the preferred approach: #332187 (closed)
Proposal
Reword the Description for SAST_EXCLUDED_PATHS to clarify:
- When the filtering occurs
- Any differences between analyzers
While editing, it would be useful to clarify the allowed formats. Some clarifications may have been made as part of Support double star globs in SAST and Secret De... (#224440 - closed).
Similarly, document when the filtering occurs for SECRET_DETECTION_EXCLUDED_PATHS.
Alternative: Include Semgrep-specific behavior in a section or page that specifically focuses on how to tune the Semgrep analyzer.
Who can address the issue
Anyone should be able to reword the description, with the Static Analysis team reviewing changes.
Clarifying supported glob syntax would require more technical input up-front and could be split off.