Semgrep-based analyzer image omits files that are in the SAST-rules `dist` package
Some rules present in sast-rules are not being added to the Semgrep-based analyzer, and are hence not being scanned.
This impacts customer results and performance against common benchmarks (like Assess and improve SAST performance against OWA... (&13906)).
By inspecting the code I realized that the cp calls in the Dockerfile omitted:
- gitlab/gitlab_ee_java.yml
- lgpl-cc/gitlab_lgpl_cc_java.yml
- lgpl-cc/gitlab_lgpl_cc_javascript.yml
- lgpl-cc/gitlab_lgpl_cc_python.yml
The analyzer image has only these files from sast-rules, not the ones above:

```
% docker run --rm -it registry.gitlab.com/security-products/semgrep:5 sh
/ # ls -1 /rules
bandit.yml
brakeman.yml
eslint.yml
find_sec_bugs.yml
find_sec_bugs_kotlin.yml
find_sec_bugs_scala.yml
flawfinder.yml
gosec.yml
mobsf.yml
nodejs_scan.yml
phpcs_security_audit.yml
security_code_scan.yml
```
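As an added check (not code from this issue or from the analyzer project), the script below diffs the rule files the sast-rules dist package provides against the image's `/rules` listing, so a dropped `cp` is caught by a pipeline job instead of by reading the Dockerfile. It assumes the image flattens the dist package's subdirectories (such as `lgpl-cc/`) into `/rules`, so names are compared by basename; the sample lists are constructed from the file names quoted in this issue.

```shell
#!/bin/sh
# Added example, not code from the issue or from the analyzer project.
# Reports rule files that the sast-rules dist package provides but the
# analyzer image's /rules directory lacks. Assumption: rule files are
# compared by basename, since the image flattens subdirectories such as
# lgpl-cc/ into /rules. In real use, produce the actual listing with:
#   docker run --rm registry.gitlab.com/security-products/semgrep:5 ls -1 /rules
set -eu

# missing_rules EXPECTED ACTUAL
# Prints, one per line, every basename in EXPECTED that does not occur in
# ACTUAL. awk reads ACTUAL (ARGV[1]) first and remembers each name, then
# prints the lines of EXPECTED that were never seen. Matching on FILENAME
# rather than NR==FNR keeps this correct when ACTUAL is empty.
missing_rules() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$2" "$1"
}

# Exit status 0 when the image carries every expected rule file, 1 otherwise,
# so the check can gate an image build or a pipeline job.
check_image_rules() {
    missing=$(missing_rules "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'rule files missing from image:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: the /rules listing quoted in the issue, plus the
# four files the issue says the Dockerfile's cp calls omit.
WORK=$(mktemp -d)
ACTUAL="$WORK/actual.txt"
EXPECTED="$WORK/expected.txt"
printf '%s\n' bandit.yml brakeman.yml eslint.yml find_sec_bugs.yml \
    find_sec_bugs_kotlin.yml find_sec_bugs_scala.yml flawfinder.yml gosec.yml \
    mobsf.yml nodejs_scan.yml phpcs_security_audit.yml security_code_scan.yml \
    > "$ACTUAL"
{
    cat "$ACTUAL"
    # Paths as they appear in the dist package, reduced to basenames.
    for p in gitlab/gitlab_ee_java.yml lgpl-cc/gitlab_lgpl_cc_java.yml \
             lgpl-cc/gitlab_lgpl_cc_javascript.yml lgpl-cc/gitlab_lgpl_cc_python.yml; do
        basename "$p"
    done
} > "$EXPECTED"

# Run stand-alone, this reports the four omitted files on stderr; the
# check's exit status (1 here) is kept in RESULT.
RESULT=0
check_image_rules "$EXPECTED" "$ACTUAL" || RESULT=$?
```

To use it against a real image, replace the constructed `$ACTUAL` with the `docker run ... ls -1 /rules` output and `$EXPECTED` with the basenames of the dist package's rule files, and let the job fail on a non-zero `RESULT`.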