Use CI_MERGE_REQUEST_LABELS to temporarily disable GLAS diff-based scan

Summary

We should let users run a full scan even when they have diff-based scanning configured, because diff-based scans can result in false negatives (see details here).

A GLAS diff-based scan is enabled via the SAST_PARTIAL_SCAN CI variable (see implementation plan).

However, diff-based scanning requires MR pipeline support, and there currently doesn't seem to be a way to set a custom CI variable for MR pipelines, which was our original plan for overriding the SAST_PARTIAL_SCAN variable.

As an alternative, we could use CI_MERGE_REQUEST_LABELS and let users apply a ~disable-sast-partial-scan label to disable the diff scan and trigger a full scan.

Validation

To test this out, I created a project with an MR containing a ~disable-sast-partial-scan label and added a before_script to override the SECURE_LOG_LEVEL variable. This variable is set to debug but changes to info when the label is present. As a result, the GLAS analyzer only outputs info-level logs.

Code
include:
  - template: Jobs/SAST.gitlab-ci.yml

variables:
  GITLAB_ADVANCED_SAST_ENABLED: 'true'
  SECURE_LOG_LEVEL: debug
  AST_ENABLE_MR_PIPELINES: true

gitlab-advanced-sast:
  before_script:
    - |
      if [[ "$CI_MERGE_REQUEST_LABELS" =~ "disable-sast-partial-scan" ]]; then
        export SECURE_LOG_LEVEL=info
      fi

References

Main diff-based scanning epic: Faster Advanced SAST: Diff-based scanning in MRs (&16790 - closed)

MVC implementation epic: MVC: Enable Diff-Based Scanning in MRs for Fast... (&17758 - closed)

Implementation Plan

  1. Add a before_script to the gitlab-advanced-sast CI job that checks for the presence of the ~disable-sast-partial-scan MR label. If present, override SAST_PARTIAL_SCAN to null, which will trigger a full scan instead.
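The label check from this step, written as an added example (not the issue's own snippet) so it can be run locally. It matches the label as one whole entry of the comma-separated CI_MERGE_REQUEST_LABELS list rather than as a substring, and the "diff" value and the "disable-sast-partial-scan-later" label are constructed sample inputs.

```shell
#!/usr/bin/env bash
# Added example: the implementation-plan check as shell functions that can be
# exercised outside a pipeline. GitLab exposes MR labels to the job as a
# comma-separated list in CI_MERGE_REQUEST_LABELS.

# has_label LABELS NAME -> exit 0 if NAME is exactly one entry of LABELS
has_label() {
  local labels="$1" wanted="$2" label
  local IFS=','
  for label in $labels; do
    # trim surrounding whitespace so " name , other" still matches
    label="${label#"${label%%[![:space:]]*}"}"
    label="${label%"${label##*[![:space:]]}"}"
    [ "$label" = "$wanted" ] && return 0
  done
  return 1
}

# effective_partial_scan LABELS CURRENT -> prints the SAST_PARTIAL_SCAN value
# the job should run with: empty (null, i.e. a full scan) when the
# disable-sast-partial-scan label is present, otherwise the configured value.
effective_partial_scan() {
  local labels="$1" current="$2"
  if has_label "$labels" "disable-sast-partial-scan"; then
    printf '%s' ""
  else
    printf '%s' "$current"
  fi
}

# In the gitlab-advanced-sast before_script this becomes a single line:
#   export SAST_PARTIAL_SCAN="$(effective_partial_scan "$CI_MERGE_REQUEST_LABELS" "$SAST_PARTIAL_SCAN")"
```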

Edited by Thiago Figueiró