Allow use of .semgrepignore file in Semgrep-based SAST analyzer
Proposal
The Semgrep-based SAST analyzer doesn't respect a user-committed .semgrepignore file today.
In gitlab-org/security-products/analyzers/semgrep!121 (closed) @hmrc.colinameigh proposes respecting each repository's .semgrepignore file.
(Filing issue for tracking + documentation reasons.)
Tradeoffs
- This would introduce a second path to suppress scanning of particular files, alongside SAST_EXCLUDED_PATHS. A .semgrepignore file is maintained in the repository rather than in CI/CD configuration, so it could be edited by anyone with push access, including people who cannot edit CI/CD variables (for example when those variables are enforced through a compliance pipeline). This is similar to the existing handling of .gitignore, though a .gitignore entry would be much more of an impediment to further development on the ignored files than a .semgrepignore entry, so .gitignore is far less convenient as a way to keep code away from the scanner.
- This would be a Semgrep-specific feature, unlike SAST_EXCLUDED_PATHS, which applies to all analyzers.
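Because a committed .semgrepignore is a suppression channel that bypasses CI/CD variable controls, a compliance job may want to report what such a file would hide before the scan runs. The following is an added example written for this page, not code from the GitLab issue or the Semgrep analyzer: it parses a constructed .semgrepignore, lists the files it would drop from the scan, and flags any exclusion under directories that the security team (hypothetically) requires to always be scanned. The matcher implements only a simplified gitignore-style subset (comments, blank lines, directory patterns ending in "/", basename globs, root-anchored path globs, no "!" negation), so real Semgrep behaviour may differ in corner cases.

```python
"""Audit a committed .semgrepignore: which files would it silently drop from the scan?

Constructed example for illustration; not part of the GitLab issue or the
Semgrep analyzer. The matching below is a simplified gitignore-style subset
and is an assumption about .semgrepignore semantics, not a reimplementation
of Semgrep's own matcher.
"""
from __future__ import annotations

import fnmatch
import posixpath
from typing import Iterable

# Constructed sample .semgrepignore, as a developer might commit it.
SEMGREPIGNORE = """
# third-party code we do not want findings for
vendor/
*.min.js
tests/
# NOTE: excluding first-party auth code hides real findings from SAST
src/auth/
"""

# Constructed sample of repository files the analyzer would otherwise scan.
FILES = [
    "src/app.py",
    "src/auth/login.py",
    "src/auth/token.py",
    "src/tests/helper.py",
    "vendor/lib/x.py",
    "static/app.min.js",
    "tests/test_app.py",
    "docs/index.md",
]

# Hypothetical policy: anything under these prefixes must always be scanned.
PROTECTED_PREFIXES = ["src/"]


def parse_ignore(text: str) -> list[str]:
    """Return the active patterns, dropping comments and blank lines."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(line)
    return patterns


def matches(pattern: str, path: str) -> bool:
    """Simplified gitignore-style match of one pattern against a repo-relative path."""
    path = path.lstrip("/")
    if pattern.endswith("/"):
        directory = pattern.strip("/")
        if "/" in directory:
            # Anchored directory pattern such as "src/auth/": match below that path.
            return path.startswith(directory + "/")
        # Bare directory name such as "vendor/": match that name at any depth.
        return directory in path.split("/")[:-1]
    if "/" in pattern:
        # Path glob anchored at the repository root.
        return fnmatch.fnmatchcase(path, pattern.lstrip("/"))
    # Plain glob: match the file's basename anywhere in the tree.
    return fnmatch.fnmatchcase(posixpath.basename(path), pattern)


def excluded_files(ignore_text: str, files: Iterable[str]) -> dict[str, str]:
    """Map each excluded file to the first pattern that excludes it."""
    patterns = parse_ignore(ignore_text)
    result: dict[str, str] = {}
    for path in files:
        for pattern in patterns:
            if matches(pattern, path):
                result[path] = pattern
                break
    return result


def protected_exclusions(excluded: dict[str, str],
                         protected_prefixes: Iterable[str]) -> dict[str, str]:
    """Exclusions that fall under prefixes policy says must always be scanned."""
    prefixes = list(protected_prefixes)
    return {path: pat for path, pat in excluded.items()
            if any(path.startswith(prefix) for prefix in prefixes)}


if __name__ == "__main__":
    excluded = excluded_files(SEMGREPIGNORE, FILES)
    for path, pat in sorted(excluded.items()):
        print(f"excluded {path!r} by pattern {pat!r}")
    flagged = protected_exclusions(excluded, PROTECTED_PREFIXES)
    if flagged:
        print(f"POLICY VIOLATION: {len(flagged)} protected file(s) hidden from SAST")
        raise SystemExit(1)
```

Run in a pipeline job before semgrep-sast, a non-zero exit turns a quiet suppression into a visible failure that a compliance pipeline can enforce, independent of who can edit CI/CD variables.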
Documentation
This behavior would need to be documented, perhaps in the forthcoming Semgrep analyzer documentation (#346839 (closed)).
Workaround
From #365406 (comment 1035439519)
semgrep-sast:
  before_script:
    - |
      # Append the repository's .semgrepignore (if any) to the analyzer's ignore list.
      if [ -f .semgrepignore ]; then
        cat .semgrepignore >> /semgrepignore
      fi
Edited by Lucas Charles