Enable Support for Rust in Semgrep Analyzer
Context
This issue aims to enable Rust language support in the GitLab Semgrep SAST analyzer, since Semgrep's Rust support has reached GA. Traditionally, we enable support for a language in the Semgrep analyzer only after we curate GitLab-managed rules for that language. However, this can block GitLab Ultimate customers who bring their own ruleset via custom-ruleset from scanning a language that the Semgrep OSS scanner supports but the GitLab Semgrep analyzer does not yet enable.
The PM of group::static analysis approved the idea of enabling Rust support in the GitLab Semgrep analyzer without having GitLab-managed rules in place. I've added a high-level implementation plan for anyone who picks up this issue.
Implementation Plan
- Enable the Rust extension in the Semgrep analyzer source and add an integration test. There is a community contribution MR created by @KevSlashNull; we can either bring it to the finish line or create a new MR, with credit given to the contributor in the changelog.
- Enable the Rust language extension (.rs) in the Stable and Latest SAST CI templates.
Note
Once Rust support is added without GitLab-managed rules, the Semgrep analyzer is triggered for Rust-based projects regardless of whether the customer has provided a Rust ruleset via custom-ruleset. If no ruleset is present, the Semgrep SAST CI job still starts but performs no scan, which wastes some of the customer's CI minutes.
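As an added illustration (not part of this issue or the analyzer's own code), this is the kind of Rust ruleset an Ultimate customer would supply through custom-ruleset so that the semgrep-sast job has something to scan once .rs is enabled. The file path .gitlab/sast-ruleset.toml and the [semgrep] passthrough keys follow the documented custom-ruleset format; the rule id, message and patterns are constructed for this example.

```toml
# .gitlab/sast-ruleset.toml (constructed example, not from the issue)
# With no GitLab-managed Rust rules, this passthrough is what gives the
# semgrep-sast job rules to run on a Rust project; without it the job
# starts but performs no scan.
[semgrep]
  description = "Custom Rust rules supplied via custom-ruleset"

  [[semgrep.passthrough]]
    type = "raw"
    target = "rust-custom.yml"
    value = """
rules:
  - id: rust-panic-on-error-path
    languages: [rust]
    severity: WARNING
    message: >-
      unwrap()/expect() panics on Err or None; in a long-running service
      that is a crash-based denial of service. Propagate the error with ?
      or handle it explicitly.
    pattern-either:
      - pattern: $X.unwrap()
      - pattern: $X.expect($MSG)
"""
```

Committing this file alongside the .rs sources means the semgrep-sast job consumes CI minutes on an actual scan rather than exiting with nothing to do.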