Allow SAST custom rules to be appended to rather than overwrite the default ones

Custom rulesets can be configured using the mechanism described here: https://docs.gitlab.com/ee/user/application_security/sast/customize_rulesets.html

However, a custom ruleset replaces, rather than augments, the analyzer's default ruleset: once a passthrough is configured, only the passthrough rules are loaded.

One way to get augmentation today is to re-copy every default rule file explicitly as a file passthrough alongside the custom ones, for example:

[semgrep]
  description = 'semgrep custom rules configuration'
  validate = true

[[semgrep.passthrough]]
    type  = "url"
    value = "https://semgrep.dev/c/p/owasp-top-ten"
    target = "owasp-top-ten.yml"

[[semgrep.passthrough]]
    type  = "file"
    value = "/rules/bandit.yml"
    target = "bandit.yml"

[[semgrep.passthrough]]
    type  = "file"
    value = "/rules/eslint.yml"
    target = "eslint.yml"

[[semgrep.passthrough]]
    type  = "file"
    value = "/rules/find_sec_bugs.yml"
    target = "find_sec_bugs.yml"

[[semgrep.passthrough]]
    type  = "file"
    value = "/rules/find_sec_bugs_scala.yml"
    target = "find_sec_bugs_scala.yml"

[[semgrep.passthrough]]
    type  = "file"
    value = "/rules/flawfinder.yml"
    target = "flawfinder.yml"

[[semgrep.passthrough]]
    type  = "file"
    value = "/rules/gosec.yml"
    target = "gosec.yml"

[[semgrep.passthrough]]
    type  = "file"
    value = "/rules/security_code_scan.yml"
    target = "security_code_scan.yml"

Possible backwards compatible solutions

  1. Adding support for a new glob passthrough.
  2. Adding support for a mode where we do not overwrite the target directory.
    [semgrep]
      description = 'semgrep custom rules configuration'
      validate = true
      targetdir = "/rules"
      overwrite = false

Solution 2 seems to make more sense as the GitLab semgrep analyzer ruleset always resides at the same location and the solution is easy to implement.

Implementation plan

  1. Implement a new passthrough type (dir) that makes it possible to copy rules from the default rule location of an analyzer to the ruleset targetdir (Adding keepdefaultrules option by means of a di... (gitlab-org/security-products/analyzers/ruleset!59 - merged) • Julian Thome • 18.5)
  2. Implement a shortcut/flag that adds a directory passthrough automatically (keepdefaultrules=true) (Adding keepdefaultrules option by means of a di... (gitlab-org/security-products/analyzers/ruleset!59 - merged) • Julian Thome • 18.5)
  3. Integrate changes into the semgrep analyzer (Ruleset customization with default configuratio... (gitlab-org/security-products/analyzers/semgrep!630 - merged) • Julian Thome • 18.5)

Below is an example configuration that illustrates the new flag; with keepdefaultrules = true, the default analyzer rules remain active and the custom rules are loaded in addition to them.

[semgrep]
  keepdefaultrules = true

  [[semgrep.passthrough]]
    type = "file"
    value = "semgrep_rules/python.yml"
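To make the difference between the two modes concrete, here is a small model of how the target rule directory is assembled under the old (overwrite) semantics, the explicit re-copy workaround above, and the proposed keepdefaultrules flag. This is an added illustration, not code from the ruleset library or the semgrep analyzer; the default rule file contents and the custom rule file are constructed samples, and the ordering assumption (defaults copied first, passthroughs on top, so a same-named passthrough overrides a default file) is an assumption made here.

```python
"""Model of how a SAST ruleset config assembles an analyzer's rule directory.

Added illustration only; it does not reproduce the real ruleset library.
"""
import os
from dataclasses import dataclass

# Constructed sample: a few of the default rule files an analyzer image ships.
DEFAULT_RULES = {
    "/rules/bandit.yml": "rules: [bandit-default]",
    "/rules/gosec.yml": "rules: [gosec-default]",
    "/rules/eslint.yml": "rules: [eslint-default]",
}

# Constructed sample: a custom rule file checked into the scanned repository.
CUSTOM_FILES = {
    "semgrep_rules/python.yml": "rules: [custom-python]",
}


@dataclass
class Passthrough:
    type: str          # "file", "url" or "raw"; only "file" is modeled here
    value: str         # source path for type = "file"
    target: str = ""   # file name inside targetdir; defaults to basename of value


def assemble_ruleset(config, defaults=DEFAULT_RULES, custom_files=CUSTOM_FILES,
                     targetdir="/rules"):
    """Return {target path: content} after applying a [semgrep] config dict.

    Assumed semantics: without keepdefaultrules the target directory starts
    empty (the default rules are lost); with keepdefaultrules = true the
    defaults are kept and passthroughs are copied on top of them.
    """
    result = {}
    if config.get("keepdefaultrules", False):
        result.update(defaults)  # assumption: defaults are copied first
    for p in config.get("passthrough", []):
        if p.type != "file":
            raise ValueError(f"passthrough type {p.type!r} not modeled here")
        # A file passthrough may point at a custom file or at one of the
        # analyzer's own default rule files (the re-copy workaround).
        if p.value in custom_files:
            content = custom_files[p.value]
        elif p.value in defaults:
            content = defaults[p.value]
        else:
            raise FileNotFoundError(p.value)  # what validate = true would catch
        target = p.target or os.path.basename(p.value)
        result[os.path.join(targetdir, target)] = content
    return result


def overwrite_config():
    """Custom rules only: the defaults are replaced, not augmented."""
    return {"passthrough": [Passthrough("file", "semgrep_rules/python.yml")]}


def recopy_workaround_config():
    """Today's workaround: re-add every default rule file explicitly."""
    pts = [Passthrough("file", path, os.path.basename(path)) for path in DEFAULT_RULES]
    pts.append(Passthrough("file", "semgrep_rules/python.yml"))
    return {"passthrough": pts}


def keepdefaults_config():
    """Proposed flag: defaults stay active, custom rules are added."""
    return {"keepdefaultrules": True,
            "passthrough": [Passthrough("file", "semgrep_rules/python.yml")]}


if __name__ == "__main__":
    for name, cfg in [("overwrite", overwrite_config()),
                      ("re-copy workaround", recopy_workaround_config()),
                      ("keepdefaultrules", keepdefaults_config())]:
        print(name, sorted(assemble_ruleset(cfg)))
```

Running the module prints the rule files present under /rules for each mode: the overwrite mode leaves only python.yml, while the workaround and the proposed flag both yield the three defaults plus python.yml. The workaround has to be updated whenever the analyzer's default rule set changes, which is the maintenance cost the flag removes.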

cc @pap-gitlab @sarahwaldner @amarpatel

Edited by Julian Thome