Disallow project-level SAST/SD/IaC overrides when a configuration is specified at the group level in a Scan Execution Policy
Background
In #393452 (comment 1364762017) we discussed how to handle conflicts between shared configurations (which are referenced by using an environment variable) and project-level configurations (which are committed into the specific project).
We decided to be permissive at first because of the variety of places one can specify a shared config (not just Scan Execution Policies). For example, you can set it as a group-level CI/CD variable too, which is less obviously a policy-related goal. But, if you're writing a Scan Execution Policy, it's likely you'd want to have some control over at least the minimum amount of coverage you want to see, and you're less likely to want individual project developers to be able to change which rules are disabled.
Proposal
Can we make it so that SEP-based SAST, Secret Detection, and IaC Scanning jobs disallow project-level overrides?
Options
- Disable project-level configuration when running via a Scan Execution Policy. (#393452 (comment 1386009482))
  - There’s a common module that all SAST analyzers use; it knows how to fetch a remote ruleset if one is provided. I believe this package is where the precedence logic is defined.
  - When the SEP creates the job, we could inject another CI/CD variable into the job, or otherwise use job context to know that we’re in an SEP-based job. With that signal, we could tell the analyzer that it should not consult any project-based config file.
  - We should document that this is the behavior, and should log when it occurs, to reduce confusion.
- Use other features to disable this editing.
  - @theoretick: "I would imagine there are more native control mechanisms we could leverage too like pre-empting a CODEOWNERS config to prevent the addition of a sast-ruleset.toml file or something." (#393452 (comment 1387289371))
- Other options?
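As an added example (not GitLab's code and not the analyzers' actual ruleset package), here is a Go sketch of the precedence the first option above proposes: SAST_RULESET_GIT_REFERENCE is the existing variable that references a shared ruleset, SEP_ENFORCED is a hypothetical name for the signal an SEP-created job would carry, and the permissive fallback (project file wins) is the current behavior described in the Background.

```go
package main

import "fmt"

// RulesetSource names where the analyzer took its ruleset from.
type RulesetSource string

const (
	SourceRemote  RulesetSource = "remote"  // shared config via SAST_RULESET_GIT_REFERENCE
	SourceProject RulesetSource = "project" // committed .gitlab/sast-ruleset.toml
	SourceDefault RulesetSource = "default" // analyzer built-in rules
)

// Decision is the resolved source plus whether a project file was skipped.
type Decision struct {
	Source         RulesetSource
	IgnoredProject bool
}

// resolveRuleset applies the proposed precedence. SEP_ENFORCED is a hypothetical
// variable standing in for the signal an SEP-created job would carry: with it set the
// project file is never consulted; without it the project file overrides the shared one.
func resolveRuleset(env map[string]string, projectFileExists bool) Decision {
	hasRemote := env["SAST_RULESET_GIT_REFERENCE"] != ""
	if env["SEP_ENFORCED"] == "true" {
		d := Decision{Source: SourceDefault, IgnoredProject: projectFileExists}
		if hasRemote {
			d.Source = SourceRemote
		}
		if d.IgnoredProject { // say so in the job log rather than silently dropping the file
			fmt.Printf("ruleset: job is policy-enforced; ignoring project-level .gitlab/sast-ruleset.toml, using %s rules\n", d.Source)
		}
		return d
	}
	switch {
	case projectFileExists:
		return Decision{Source: SourceProject}
	case hasRemote:
		return Decision{Source: SourceRemote}
	}
	return Decision{Source: SourceDefault}
}

func main() {
	// Constructed job environment: an SEP-enforced job with a shared ruleset reference.
	env := map[string]string{"SEP_ENFORCED": "true", "SAST_RULESET_GIT_REFERENCE": "git@example.com:sec/rules.git"}
	fmt.Printf("%+v\n", resolveRuleset(env, true))
}
```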