
Introduce a generic SAST CI var to forward flags to the upstream scanner

Why are we doing this work

SAST analyzers internally use OSS security scanners to perform the analysis. By the GitLab principle of Convention over Configuration, we set the recommended configuration for the security scanner so that customers need not worry about tuning it. However, lately some issues have been raised (like this) that affect the intended usage of the scanner. More discussion around this topic is carried out over here.

What is the proposed solution

Introduce a generic SAST CI variable called SAST_SCANNER_ALLOWED_CLI_OPTS applicable to all SAST analyzers. The variable accepts hand-picked args and flags that are forwarded to the underlying security scanner's CLI while the analysis runs. This CI variable should not be misinterpreted as a "backdoor" to customize or extend the security scanner's functionality: only flags that enable the security scanner to work as intended under rare circumstances will be accepted. We maintain the allowed list of CLI flags in the corresponding analyzer's code, where the validation is carried out as well.

We must be highly rigid and careful in accepting a new flag into the allowed list, as it may break the workflow and add a burden to the maintenance cycle. To introduce new acceptable flags for an analyzer, a dedicated issue should be created and approved before they are added to the allowed list.
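The allow-list validation described above, as an added sketch that is not code from any GitLab analyzer: the allow-list, the flag names in it, and the function name ParseAllowedOpts are all constructed for illustration. Each allow-list entry records whether the flag takes an argument, so a value attached to a switch, a missing value, or a stray token is rejected rather than silently forwarded to the scanner.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allow-list standing in for the one an analyzer keeps in its own
// code; the value says whether the flag takes an argument. Names are hypothetical.
var allowedOpts = map[string]bool{
	"--timeout":    true,  // --timeout=300 or --timeout 300
	"--max-memory": true,
	"--verbose":    false, // boolean switch, takes no argument
}

// ParseAllowedOpts turns the value of SAST_SCANNER_ALLOWED_CLI_OPTS into argv
// fragments for the scanner, rejecting anything outside the allow-list.
func ParseAllowedOpts(raw string, allowed map[string]bool) ([]string, error) {
	var args []string
	expectValue := false // set after an allowed "--flag" that takes a separate value
	for _, tok := range strings.Fields(raw) {
		if expectValue {
			if strings.HasPrefix(tok, "-") {
				return nil, fmt.Errorf("%q is missing its value", args[len(args)-1])
			}
			args, expectValue = append(args, tok), false
			continue
		}
		name, _, hasValue := strings.Cut(tok, "=") // "--flag=value" form
		takesValue, ok := allowed[name]
		if !ok {
			return nil, fmt.Errorf("%q is not in the allowed list", name)
		}
		if hasValue && !takesValue {
			return nil, fmt.Errorf("%q does not take a value", name)
		}
		args = append(args, tok)
		expectValue = takesValue && !hasValue
	}
	if expectValue {
		return nil, fmt.Errorf("%q is missing its value", args[len(args)-1])
	}
	return args, nil
}

func main() {
	fmt.Println(ParseAllowedOpts("--timeout=300 --max-memory 2048 --verbose", allowedOpts))
	fmt.Println(ParseAllowedOpts("--timeout=300 --config other.yml", allowedOpts))
}
```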

Implementation Plan

Each dedicated issue should adhere to the following checklist:

  1. Add the justification for the new flag introduction
  2. Accept the flag under the allowed list in the analyzer code
  3. Add the accepted flag under the corresponding analyzer in the SAST documentation

Relevant links

Edited by Vishwa Bhat