Update SAST template to execute GitLab Advanced SAST by default

Proposal

The purpose of this issue is to invert the GITLAB_ADVANCED_SAST_ENABLED logic in the following templates:

The behaviour of the gitlab-advanced-sast and semgrep-sast jobs in the above templates is changed as follows:

  • Old behaviour:

    • By default, the gitlab-advanced-sast job is not executed.
    • The gitlab-advanced-sast job is executed only if GITLAB_ADVANCED_SAST_ENABLED is set to true or 1.
  • New behaviour in 18.0:

    • By default, the gitlab-advanced-sast job is executed.
    • The gitlab-advanced-sast job is disabled only if GITLAB_ADVANCED_SAST_ENABLED is set to false or 0.
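
As an added illustration (not code from the GitLab templates or the linked MRs), the following Python models the two rules: predicates described above and evaluates which analyzer scans the GLAS-covered file types for each value of GITLAB_ADVANCED_SAST_ENABLED a project is likely to set, under the pre-18.0 and the 18.0 templates. The GITLAB_FEATURES sample string and the list of tested values are constructed; an unset variable is modelled as None, which, like an undefined variable in GitLab rules, compares unequal to every string literal. The table it prints is the migration check a project owner would want: the values that silently flip from "GLAS off" to "GLAS on" are exactly those that are not the literal strings false or 0.

```python
"""Model of the rules: gates that decide which SAST analyzer runs.

Added example for this issue, not code from the GitLab CI templates: it
re-implements the two rule predicates from the proposal as plain Python so
the pre-18.0 (opt-in) and 18.0 (opt-out) behaviour can be compared for
every value of GITLAB_ADVANCED_SAST_ENABLED a project is likely to set.
CI variables are strings; an unset variable is modelled as None.
"""
import re
from typing import Optional

# Constructed sample licence feature list; the real value comes from the instance.
FEATURES_WITH_GLAS = "sast sast_advanced dependency_scanning"


def has_advanced_feature(gitlab_features: str) -> bool:
    # Mirrors:  $GITLAB_FEATURES =~ /\bsast_advanced\b/
    return re.search(r"\bsast_advanced\b", gitlab_features) is not None


def glas_excluded(sast_excluded_analyzers: str) -> bool:
    # Mirrors:  $SAST_EXCLUDED_ANALYZERS =~ /gitlab-advanced-sast/
    return "gitlab-advanced-sast" in sast_excluded_analyzers


def glas_gate_old(enabled: Optional[str]) -> bool:
    """Pre-18.0 opt-in: the job runs only if the value is exactly 'true' or '1'."""
    return enabled == "true" or enabled == "1"


def glas_gate_new(enabled: Optional[str]) -> bool:
    """18.0 opt-out: the job is skipped only if the value is exactly 'false' or '0'.

    Unset, '', 'False', 'FALSE' and 'no' all leave the analyzer enabled, because
    rules: string comparisons are exact and case-sensitive.
    """
    return not (enabled == "false" or enabled == "0")


def analyzer_for_glas_languages(
    enabled: Optional[str],
    *,
    new_template: bool,
    gitlab_features: str = FEATURES_WITH_GLAS,
    sast_excluded_analyzers: str = "",
    commit_branch: Optional[str] = "main",
) -> Optional[str]:
    """Which job scans the file types GLAS covers (*.py, *.go, *.java, ...).

    gitlab-advanced-sast runs on a branch pipeline when the licence feature is
    present, the analyzer is not excluded and the enable gate passes; in that
    case semgrep-sast adds those extensions to SAST_EXCLUDED_PATHS. Otherwise
    semgrep-sast scans them. Returns None when neither job runs (no branch).
    """
    if not commit_branch:
        return None
    gate = glas_gate_new(enabled) if new_template else glas_gate_old(enabled)
    if has_advanced_feature(gitlab_features) and not glas_excluded(sast_excluded_analyzers) and gate:
        return "gitlab-advanced-sast"
    return "semgrep-sast"


def migration_table(values=(None, "", "true", "1", "True", "false", "0", "False", "no")):
    """Old vs new analyzer choice per candidate value; the third field flags a flip."""
    rows = {}
    for value in values:
        old = analyzer_for_glas_languages(value, new_template=False)
        new = analyzer_for_glas_languages(value, new_template=True)
        rows[value] = (old, new, old != new)
    return rows


if __name__ == "__main__":
    print(f"{'GITLAB_ADVANCED_SAST_ENABLED':<30} {'pre-18.0':<22} {'18.0':<22} changed")
    for value, (old, new, changed) in migration_table().items():
        label = "<unset>" if value is None else repr(value)
        print(f"{label:<30} {old:<22} {new:<22} {'yes' if changed else ''}")
```

Running the script shows that only the literal strings false and 0 keep GitLab Advanced SAST off after the inversion; projects that previously opted out implicitly (unset) or with a non-canonical value such as "False" start running it, which is the point to call out in the 18.0 release note.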

Implementation Plan

Note: The changes below must be made to each of the following templates:

  1. Invert the GITLAB_ADVANCED_SAST_ENABLED check in gitlab-advanced-sast rules:

    This allows customers to disable GitLab Advanced SAST if it's too slow.

    diff --git a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
    index 59eda6976771..9b17e67b3659 100644
    --- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
    +++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
    @@ -59,7 +59,7 @@ gitlab-advanced-sast:
           when: never
         - if: $SAST_EXCLUDED_ANALYZERS =~ /gitlab-advanced-sast/
           when: never
    -    - if: $GITLAB_ADVANCED_SAST_ENABLED != 'true' && $GITLAB_ADVANCED_SAST_ENABLED != '1'
    +    - if: $GITLAB_ADVANCED_SAST_ENABLED == 'false' || $GITLAB_ADVANCED_SAST_ENABLED == '0'
           when: never
         - if: $CI_COMMIT_BRANCH &&
               $GITLAB_FEATURES =~ /\bsast_advanced\b/
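    Review bot: the new `when: never` gate on the `+` line only matches the exact strings 'false' and '0', so a project that set GITLAB_ADVANCED_SAST_ENABLED to "False", "FALSE", "no" or "" (all of which the old `!= 'true' && != '1'` check treated as disabled) will start running gitlab-advanced-sast after this change. That is consistent with the opt-out design, but the accepted values should be stated in the template comment and documentation, and the release note should tell projects that opted out with a non-canonical value to change it to "false" or "0".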
  2. Invert the GITLAB_ADVANCED_SAST_ENABLED conditional check in semgrep-sast rules:

    This keeps semgrep-sast consistent with the inverted gate: the GLAS-covered file types are excluded from semgrep-sast only while GitLab Advanced SAST actually runs, so customers who disable GitLab Advanced SAST because it's too slow still get semgrep-sast coverage for those files.

    diff --git a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
    index 59eda6976771..9b17e67b3659 100644
    --- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
    +++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
    @@ -179,7 +179,7 @@ semgrep-sast:
         - if: $CI_COMMIT_BRANCH &&
               $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
               $SAST_EXCLUDED_ANALYZERS !~ /gitlab-advanced-sast/ &&
    -          ($GITLAB_ADVANCED_SAST_ENABLED == 'true' || $GITLAB_ADVANCED_SAST_ENABLED == '1')
    +          ($GITLAB_ADVANCED_SAST_ENABLED != 'false' || $GITLAB_ADVANCED_SAST_ENABLED ! '0')
           variables:
             SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb"
           exists:
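    Review bot: the replacement on the `+` line is broken in two ways. `$GITLAB_ADVANCED_SAST_ENABLED ! '0'` is not a valid rules: operator (it should be `!=`), and the disjunction is wrong: `A != 'false' || A != '0'` is true for every value of A, since no value equals both strings, so the SAST_EXCLUDED_PATHS restriction would be applied even when GLAS has been disabled, and the GLAS-covered file types (*.py, *.go, *.java, ...) would be scanned by neither analyzer. Negating the old `(A == 'true' || A == '1')` gate under the new semantics gives `($GITLAB_ADVANCED_SAST_ENABLED != 'false' && $GITLAB_ADVANCED_SAST_ENABLED != '0')`.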
    @@ -201,7 +201,7 @@ semgrep-sast:
         - if: $CI_COMMIT_BRANCH &&
               $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
               $SAST_EXCLUDED_ANALYZERS !~ /gitlab-advanced-sast/ &&
    -          ($GITLAB_ADVANCED_SAST_ENABLED == 'true' || $GITLAB_ADVANCED_SAST_ENABLED == '1')
    +          ($GITLAB_ADVANCED_SAST_ENABLED != 'false' || $GITLAB_ADVANCED_SAST_ENABLED ! '0')
           when: never
         - if: $CI_COMMIT_BRANCH
           exists:
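    Review bot: same defect as the hunk above: `!` should be `!=` and `||` should be `&&`, otherwise this `when: never` rule fires for every value of GITLAB_ADVANCED_SAST_ENABLED on a branch pipeline with the sast_advanced feature, so semgrep-sast would be skipped for these files even after a customer disables GLAS with 'false' or '0', leaving them with no SAST coverage at all. Suggest `($GITLAB_ADVANCED_SAST_ENABLED != 'false' && $GITLAB_ADVANCED_SAST_ENABLED != '0')` here, plus a spec case in step 3 that sets the variable to 'false' and asserts semgrep-sast still runs.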
  3. Update specs broken by the above changes

  4. Manually test changes

Note: the following MRs were created when this issue was scheduled for %18.0 and have since been closed. When this issue is picked up in %19.0, rebase and merge them:

  1. Update SAST component to execute GitLab Advance... (components/sast!17 - closed) • Adam Cohen
  2. Draft: Add message about disabling GLAS (!183785 - closed) • Adam Cohen • 18.0
  3. Update SAST template to execute GitLab Advanced... (!178129 - closed) • Adam Cohen • 18.0
Edited by Adam Cohen