Discuss configuration options that enable users to add new SAST rules to GLAS
Problem to solve
For GitLab SAST, we currently support ruleset customization by means of a dedicated configuration file .gitlab/sast-ruleset.toml.
GitLab SAST and GLAS have different levels of support for ruleset customization.
Disabling rules is supported by GitLab SAST and GLAS; however, while GitLab SAST filters out findings yielded by disabled rules after the scan, GLAS does this before the scan takes place.
Passthroughs are only supported by GitLab SAST. Neither GitLab SAST nor GLAS supports an easy way to add rules to the standard configuration.
| Feature | GitLab SAST | GLAS |
|---|---|---|
| Disable Rules | X (post-filter) | X (pre-filter) |
| Passthroughs | X | - |
| Rule additions | - | - |
Adding rules to the existing ones is difficult at the moment because our current passthrough mechanism overwrites the target directory, which forces us to copy every single rule file to the intended destination, as illustrated in Allow SAST custom rules to be appended to rathe... (#426406 - closed). The names of these rule files have to be known before the scan takes place, which is not the case for GLAS, where the rule filenames are unknown until the scan runs.
Implementation plan proposal
- Add an option `keep_default_config` to `.gitlab/sast-ruleset.toml` (default is `false`) that controls whether or not the default config should be kept. `keep_default_config` is only relevant for GLAS and semgrep; for all the other analyzers it would have no effect.
- Run a static check on `.gitlab/sast-ruleset.toml`. For GLAS we can permit the use of file passthroughs only and ignore or error for cases where passthroughs other than `file` are used. We'll make the choice between error and warning configurable.
- Run a static check on customer-provided rules to ensure that they are pattern-based (no taint rules).
```toml
[gitlab-advanced-sast]
description = "My custom ruleset for Semgrep"
keep_default_config = true

[[gitlab-advanced-sast.passthrough]]
type = "file"
value = "my-pattern-rule1.yml"

[[gitlab-advanced-sast.passthrough]]
type = "file"
value = "my-pattern-rule2.yml"
```
This solution would enable us to support ruleset customisation for GLAS and to tackle Allow SAST custom rules to be appended to rathe... (#426406 - closed).
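The two static checks from the implementation plan, written out as an added example (not GitLab's or GLAS's own code): the ruleset check accepts the `file`-only configuration shown above, flags any other passthrough type as an error or a warning depending on a switch, and the rule check rejects Semgrep taint-mode rules. The inputs at the bottom are constructed for illustration; the rule-file content is assumed to be already parsed into a dict, so no YAML library is needed.

```python
try:
    import tomllib  # standard library from Python 3.11
except ImportError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

ANALYZER = "gitlab-advanced-sast"
# Keys that only appear in Semgrep taint-mode rules (assumed marker set).
TAINT_KEYS = {"pattern-sources", "pattern-sinks", "pattern-propagators", "pattern-sanitizers"}


def check_ruleset(toml_text, unsupported_is_error=True):
    """Static check of a sast-ruleset.toml section for GLAS.

    Returns (ok, findings); findings is a list of (level, message).
    Non-file passthroughs become 'error' or 'warning' depending on
    unsupported_is_error, the configurable error<>warning switch.
    """
    section = tomllib.loads(toml_text).get(ANALYZER, {})
    findings = []
    if not isinstance(section.get("keep_default_config", False), bool):
        findings.append(("error", "keep_default_config must be true or false"))
    for idx, pt in enumerate(section.get("passthrough", [])):
        if pt.get("type") != "file":
            level = "error" if unsupported_is_error else "warning"
            findings.append((level, f"passthrough[{idx}]: type {pt.get('type')!r} "
                                    "is not supported by GLAS, only 'file' is"))
    return not any(level == "error" for level, _ in findings), findings


def taint_rule_ids(rules_doc):
    """Return ids of rules that are taint-based rather than plain pattern rules.

    rules_doc is the parsed content of a Semgrep-style rule file
    (a dict with a 'rules' list); loading the YAML is left to the caller.
    """
    return [r.get("id", "<no id>") for r in rules_doc.get("rules", [])
            if r.get("mode") == "taint" or TAINT_KEYS & set(r)]


# Constructed inputs: the page's config, the same plus a non-file passthrough,
# and a rule file holding one pattern rule and one taint rule.
GOOD_RULESET = """
[gitlab-advanced-sast]
description = "My custom ruleset for Semgrep"
keep_default_config = true
[[gitlab-advanced-sast.passthrough]]
type = "file"
value = "my-pattern-rule1.yml"
"""
MIXED_RULESET = GOOD_RULESET + '\n[[gitlab-advanced-sast.passthrough]]\ntype = "raw"\nvalue = "rules: []"\n'
RULES_DOC = {"rules": [
    {"id": "hardcoded-secret", "pattern": 'password = "..."'},
    {"id": "sqli-taint", "mode": "taint", "pattern-sources": [], "pattern-sinks": []},
]}
```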
As discussed in this thread we can generate a combined ruleset and then run it in GLAS.