Support authentication in semgrep.passthrough when type is git

Proposal

Support authentication in the [[semgrep.passthrough]] section when type = "git" so that multiple passthroughs in different private projects can be assembled into a single passthrough chain.

Why

The Customize rulesets docs describe using the [[$analyzer.passthrough]] section to synthesize a custom configuration for an analyzer. Up to twenty of these sections can be specified. This permits rules to be stored in multiple different locations rather than just the one. These configs are composed into a passthrough chain.

It is possible for the Passthrough type to be git. When using type = "git", it does not appear that it's possible to pass a token. This means that folks must either use one of the workarounds described below or be limited to rules that are only available without authentication. My understanding of this conversation is that we are aware of this limitation but didn't quite have enough customer interest to implement an approach.

Workarounds

Workarounds are not solutions: these approaches have drawbacks but are worth consideration.

Use a before_script

As I noted in #425730 (closed), it's possible to build a workaround that looks like this:

semgrep-sast:
  before_script:
    - rm -rf /rules/* && git clone https://itsatoken:${MYACCESSTOKEN}@gitlab.com/brie/catsmaketherules.git /rules

This approach is known to work: it was tested by me (@bcarranza) and implemented by a customer. Read more.

Specify a private remote configuration

The Specify a private remote configuration docs recommend using something like this:

variables:
  SAST_RULESET_GIT_REFERENCE: "group_2504721_bot_7c9311ffb83f2850e794d478ccee36f5:$PERSONAL_ACCESS_TOKEN@gitlab.com/example-group/example-ruleset-project@c8ea7e3ff126987fb4819cc35f2310755511c2ab"
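
The passthrough chain described under Why, written out as a ruleset file to show where the missing authentication bites. This is an added example, not configuration from this issue or from the GitLab docs; the file path, project URLs, refs and the inline rule are constructed placeholders.

```toml
# .gitlab/sast-ruleset.toml (assumed location; all URLs below are placeholders)
[semgrep]
  description = "Rules assembled from two rule repositories plus one inline rule"

  # 1. Public rule repository: an anonymous clone is enough,
  #    so this passthrough needs no credentials.
  [[semgrep.passthrough]]
    type   = "git"
    value  = "https://gitlab.example.com/public-group/base-rules.git"
    ref    = "main"
    subdir = "python"

  # 2. Private rule repository: this issue reports that a token cannot be
  #    passed to a git passthrough, and an anonymous clone of a private
  #    project is rejected. This entry is the gap the proposal asks to close.
  [[semgrep.passthrough]]
    type  = "git"
    value = "https://gitlab.example.com/private-group/team-rules.git"
    ref   = "main"

  # 3. Inline rule: raw passthroughs carry their content in the file itself
  #    and are unaffected by the authentication limitation.
  [[semgrep.passthrough]]
    type   = "raw"
    target = "constructed-rule.yml"
    value  = """
rules:
  - id: constructed-eval-call
    pattern: eval(...)
    message: "eval() called; review the source of its argument"
    languages: [python]
    severity: WARNING
"""
```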