Discussion: Elimination of custom-rulesets
Problem to solve
GitLab SAST used to be heterogeneous: different SAST tools were executed to find different types of security issues in different languages. One of the main intents of Custom Rulesets was to provide an analyzer-agnostic interface to the different analyzers, so that users could customize scans by loading custom configurations or by overriding certain fields in the generated reports.
With the analyzer consolidation towards Semgrep, and the integration of GitLab Advanced SAST, which is also Semgrep-based, GitLab SAST is converging on a single tool and a single configuration, so Custom Rulesets may no longer be needed.
This is just a discussion issue to explore future avenues and/or to figure out whether or not the Custom Rulesets feature is still useful.
Proposal
We could deprecate Custom Rulesets in favour of:
- Using `before_script` configuration customization instead of the passthrough concept.
- Using a post-analyzer to override certain fields in `gl-sast-report.json` and/or to disable certain rules.
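To make the post-analyzer half of the proposal concrete, here is an added example (not code from GitLab or from this issue) of a small script that could run in a CI job after the SAST job, consume `gl-sast-report.json`, drop findings for disabled rule identifiers and override the severity of others. The file name `post_analyzer.py`, the function names and the `overrides.json` layout (`{"disable": [...], "severity": {...}}`) are this example's own assumptions; the sample report is constructed and only carries the fields the script touches.

```python
"""post_analyzer.py: hypothetical post-analyzer for gl-sast-report.json (added example).

Usage (assumed): python post_analyzer.py gl-sast-report.json overrides.json
overrides.json (assumed layout):
  {"disable": ["<identifier value>", ...],
   "severity": {"<identifier value>": "Critical", ...}}
"""
import json
import sys

# Severity values accepted by the GitLab security report schema; anything else
# would yield a report that the pipeline rejects, so we validate before writing.
VALID_SEVERITIES = {"Info", "Unknown", "Low", "Medium", "High", "Critical"}

# Constructed minimal report in the gl-sast-report.json shape. Real reports also
# carry "scan", "location" and more; those keys pass through untouched.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "1", "name": "Hard-coded password", "severity": "High",
         "identifiers": [{"type": "semgrep_id", "name": "example.hardcoded-password",
                          "value": "example.hardcoded-password"}]},
        {"id": "2", "name": "Debug mode enabled", "severity": "Low",
         "identifiers": [{"type": "semgrep_id", "name": "example.debug-enabled",
                          "value": "example.debug-enabled"}]},
        {"id": "3", "name": "SQL injection", "severity": "Medium",
         "identifiers": [{"type": "semgrep_id", "name": "example.sql-injection",
                          "value": "example.sql-injection"}]},
    ],
}


def identifier_values(vuln):
    """All identifier values attached to a finding (a finding can carry several,
    e.g. a semgrep_id plus a CWE)."""
    return {i.get("value") for i in vuln.get("identifiers", [])}


def apply_overrides(report, disabled_rules, severity_overrides):
    """Return (new_report, dropped_count). Findings matching a disabled identifier
    are removed; matching severity overrides are applied. The input is not mutated,
    so the original report can still be archived alongside the filtered one."""
    bad = set(severity_overrides.values()) - VALID_SEVERITIES
    if bad:
        raise ValueError(f"invalid severity value(s): {sorted(bad)}")
    kept, dropped = [], 0
    for vuln in report.get("vulnerabilities", []):
        ids = identifier_values(vuln)
        if ids & set(disabled_rules):
            dropped += 1
            continue
        vuln = dict(vuln)  # shallow copy so the caller's report is untouched
        for rule, severity in severity_overrides.items():
            if rule in ids:
                vuln["severity"] = severity
        kept.append(vuln)
    new_report = dict(report)
    new_report["vulnerabilities"] = kept
    return new_report, dropped


def main(argv):
    report_path, overrides_path = argv[1], argv[2]
    with open(report_path) as f:
        report = json.load(f)
    with open(overrides_path) as f:
        overrides = json.load(f)
    new_report, dropped = apply_overrides(
        report, overrides.get("disable", []), overrides.get("severity", {}))
    with open(report_path, "w") as f:
        json.dump(new_report, f, indent=2)
    print(f"dropped {dropped} finding(s), kept {len(new_report['vulnerabilities'])}")


if __name__ == "__main__":
    main(sys.argv)
```

In a pipeline this would be a job that `needs` the SAST job, downloads its `gl-sast-report.json` artifact, runs the script and re-uploads the file as its own `reports: sast` artifact (how exactly the artifact is handed over is an assumption of this example, not something the issue specifies). Matching on identifier values rather than on the free-text `name` keeps the filter stable across analyzer versions, and refusing unknown severity strings avoids silently producing a report the platform cannot ingest.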
Benefit for GitLab and users/customers
- Reduced maintenance cost for group::static analysis.
- Less friction for users/solution architects, because the `before_script` and post-analyzer approach is probably more intuitive and transparent.
- The capabilities of Custom Rulesets are limited to the available passthrough functions; `before_script` would give users more flexibility and power to fully customize GitLab (Advanced) SAST or other scanners.
Risk
This would be a breaking change.
Intended users
Personas are described at https://handbook.gitlab.com/handbook/product/personas/
Examples: