Add support to SAST for the --disable-nosem option
Problem to solve
Currently there is no way to run a SAST scan that uses semgrep's existing option to disable `# nosemgrep`
comments in the code. Developers add this comment to have semgrep skip the line of code it is attached to. Customers would like to be able to run our SAST with these comments disabled (that is, with --disable-nosem), and currently they cannot.
Proposal
Enable the ability to pass this option through, so that the following CI configuration would pass --disable-nosem
through to semgrep correctly:
```yaml
stages:
  - test

include:
  - template: Jobs/SAST.gitlab-ci.yml

variables:
  SAST_SCANNER_ALLOWED_CLI_OPTS: "--max-memory 0 --disable-nosem"
  SAST_EXCLUDED_ANALYZERS: "brakeman,flawfinder,kubesec,mobsf,nodejs-scan,phpcs-security-audit,pmd-apex,sobelow,spotbugs"
  SECURE_LOG_LEVEL: "debug"
```
Intended users
Administrators and security personnel who want to either prevent developers from bypassing the scan for some lines of code, or run the scan with this option to see how much code is being skipped during a scan.
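To see how much code a repository currently suppresses before turning on --disable-nosem, the following added example (not GitLab's or semgrep's own code) inventories `nosemgrep` comments, separating blanket suppressions from ones scoped to specific rule IDs. It assumes the comment markers listed in the regex and matches only same-line annotations; the sample files are constructed.

```python
import re
from collections import Counter

# A semgrep suppression comment is "nosemgrep", optionally followed by
# ": rule-id, other-rule-id". Assumed comment markers: #, //, /*, --, <!--.
# Simplification: a marker inside a string literal would also match.
NOSEM_RE = re.compile(r"(?:#|//|/\*|--|<!--)\s*nosemgrep(?::\s*([\w.\-, ]+))?", re.IGNORECASE)

def find_suppressions(text):
    """Return [(line_no, rule_ids)] for every nosemgrep comment in text.
    rule_ids is () for a blanket suppression that silences every rule."""
    found = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = NOSEM_RE.search(line)
        if not m:
            continue
        ids = tuple(r.strip() for r in m.group(1).split(",")) if m.group(1) else ()
        found.append((no, ids))
    return found

def summarize(files):
    """files: {path: source text}. Returns (per_file_count, blanket_count, rule_counter)."""
    per_file, blanket, rules = {}, 0, Counter()
    for path, text in files.items():
        hits = find_suppressions(text)
        per_file[path] = len(hits)
        for _, ids in hits:
            if ids:
                rules.update(ids)      # scoped: only the named rules are silenced
            else:
                blanket += 1           # blanket: every rule is silenced on that line
    return per_file, blanket, rules

# Constructed sample files, not taken from any real repository.
SAMPLE = {
    "app/db.py": "def q(c, name):\n"
                 "    return c.execute('SELECT * FROM u WHERE n=' + name)  # nosemgrep: python.lang.security.audit.formatted-sql-query\n",
    "web/main.js": "const h = '<b>' + user + '</b>'; // nosemgrep\n"
                   "el.innerHTML = h;\n",
    "clean.go": "package main\n",
}

if __name__ == "__main__":
    per_file, blanket, rules = summarize(SAMPLE)
    for path, n in per_file.items():
        print(f"{path}: {n} suppressed line(s)")
    print(f"blanket suppressions (every rule silenced): {blanket}")
    for rule, n in rules.most_common():
        print(f"{rule}: {n}")
```

Lines counted here are exactly the ones --disable-nosem would bring back into the scan, so the totals give an idea of how many findings to expect once the option is enabled.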
Feature Usage Metrics
Use any metrics on CI/CD config vars; do not add more for this
Does this feature require an audit event?
No
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.