Make it easier to understand how to write SAST/secrets override rules


Proposal

I'm helping a customer with customizing severity on some scanner rules, which they haven't succeeded in doing on their own. Here's one of the stumbling blocks I've run into:

Documentation for Secrets Scanner says how to override rules: https://docs.gitlab.com/user/application_security/secret_detection/pipeline/configure/#override-a-rule

That documentation says the configuration must specify:

A type field for the predefined rule identifier.
A value field for the rule name.

But I am not able to locate anywhere in the documentation page that says what "type" and "value" actually are or how to get them. Conferring with the secrets scanning team, I found out that these values can be found in the JSON report produced by the scanner. But "type" is not displayed anywhere in the vulnerability dashboard or vulnerability page, and "value" is called "ID" in the vulnerability display.

We should:

  • Improve the vulnerability dashboard to display the type and value for a rule as part of the vulnerability detail view, and we should address how we name it for consistency. Either call the rule ID "value" in the dashboard view, or use "ID" as the key in configuration files instead of "value." Right now we are calling the same thing two different names which is adding to the difficulty in using these.
  • Improve the documentation to clearly state how you can find the correct values for "type" and "value".

The SAST documentation is similar overall, but does add a sentence explaining that you can find the correct type and value by looking at the report JSON file. Just copying that language to the pipeline secrets scanner docs would be a quick win, but I would really like to see this info in the vulnerability view. Having users download the JSON file to look at it isn't very ergonomic, especially since we seem to "hide" these artifacts in several places so it's not easy to figure out how to download them (they are not displayed for download when looking at the job or pipeline job list, only when looking at the pipeline list).
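Until the dashboard shows these fields, the JSON report is the only place to get them. The script below is an added example (not part of this issue or of GitLab's code) that pulls every distinct `type`/`value` pair out of a secret detection report and renders the matching override stanza; it assumes the security report layout where each entry in `vulnerabilities` has an `identifiers` list with `type`, `name` and `value` keys, and the ruleset TOML layout from the linked docs. The sample report is constructed.

```python
"""Find the `type` and `value` of detected secret rules in the scanner's JSON report."""
import json

# Constructed sample in the shape of gl-secret-detection-report.json (not a real report).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "constructed-1", "name": "RSA private key", "severity": "Critical",
         "identifiers": [{"type": "gitleaks_rule_id", "name": "RSA private key",
                          "value": "RSA private key"}]},
        {"id": "constructed-2", "name": "RSA private key", "severity": "Critical",
         "identifiers": [{"type": "gitleaks_rule_id", "name": "RSA private key",
                          "value": "RSA private key"}]},
        {"id": "constructed-3", "name": "GitLab Personal Access Token", "severity": "Critical",
         "identifiers": [{"type": "gitleaks_rule_id", "name": "GitLab Personal Access Token",
                          "value": "gitlab_personal_access_token"}]},
    ],
})


def rule_identifiers(report_text):
    """Return distinct (type, value) pairs, in report order; a rule that fired
    several times is listed once."""
    report = json.loads(report_text)
    seen = []
    for vuln in report.get("vulnerabilities", []):
        for ident in vuln.get("identifiers", []):
            pair = (ident["type"], ident["value"])
            if pair not in seen:
                seen.append(pair)
    return seen


def override_stanza(rule_type, rule_value, severity):
    """Render a ruleset entry that overrides the severity of one predefined rule,
    using the identifier's type and value exactly as they appear in the report."""
    return "\n".join([
        "[[secrets.ruleset]]",
        "  [secrets.ruleset.identifier]",
        f'    type = "{rule_type}"',
        f'    value = "{rule_value}"',
        "  [secrets.ruleset.override]",
        f'    severity = "{severity}"',
    ])


if __name__ == "__main__":
    for rule_type, rule_value in rule_identifiers(SAMPLE_REPORT):
        print(override_stanza(rule_type, rule_value, "Info"), end="\n\n")
```

Run it against a downloaded `gl-secret-detection-report.json` instead of `SAMPLE_REPORT` to list the exact strings to paste into `.gitlab/secret-detection-ruleset.toml`.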

Edited by 🤖 GitLab Bot 🤖