[FF] FF_GLAS_ENABLE_PHP_SUPPORT (beta) SAST rollout
Summary
This issue is to roll out PHP support in GitLab Advanced SAST on production. The support is currently behind the FF_GLAS_ENABLE_PHP_SUPPORT feature flag, which is an environment-variable feature flag specified in a CI template.
Note: To disable PHP scanning in GitLab Advanced SAST while still enabling it in semgrep-sast, set these project-level CI/CD variables in your project settings (Settings → CI/CD → Variables):
- Variable 1
  - Key: FF_GLAS_ENABLE_PHP_SUPPORT
  - Value: false
- Variable 2
  - Key: SAST_EXCLUDED_PATHS
  - Value: spec, test, tests, tmp, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb
Project-level variables have higher precedence than the template's defaults and therefore override the template's default behavior.
Owners
- Most appropriate Slack channel to reach out to: #g_ast-static-analysis
- Best individual to reach out to: @philipcunningham | @julianthome | @mtolpin
Expectations
What are we expecting to happen?
The GitLab Advanced SAST analyzer will scan PHP files.
What can go wrong and how would we detect it?
Performance degradation, which we would detect through inbound request-for-help issues.
Rollout Steps
See above.
Rollout on non-production environments
The FF template rollout steps apply specifically to GitLab Rails and do not pertain to rolling out a beta feature flag in an analyzer, as there is no formalized process for that.
Specific rollout on production
See above.
Preparation before global rollout
- Merge: Add PHP language support to gitlab-advanced-sast (!185133 - merged) • Julian Thome, Philip Cunningham • 18.1
- Merge: Add PHP language support to gitlab-advanced-sast (components/sast!21 - merged) • Julian Thome, Philip Cunningham
- Set a milestone on this rollout issue to signal when the feature flag should be enabled and removed once it is stable.
- Check whether the feature flag change needs to be accompanied by a change management issue. Cross-link the issue here if it does.
- Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the on-call SRE by using the @sre-oncall Slack alias.
- Ensure that documentation exists for the feature and that the version history text has been updated.
- Ensure that any breaking changes have been announced following the release post process, so that GitLab customers are aware.
- Notify the #support_gitlab-com Slack channel and your team channel (the dev docs give more guidance on when this is necessary).
Global rollout on production
See above.
Release the feature
See above.
Rollback Steps
Disable FF_GLAS_ENABLE_PHP_SUPPORT in the SAST templates.