From ceee8ff17d4e938ecab2aa0d3e7b74371130705e Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Tue, 30 Jul 2024 23:28:29 +0300
Subject: [PATCH 1/9] Revert "Revert changes in stable template"

This reverts commit b70495596aaedd2738c95c81b8d8acb212c83009.
---
 .../processor_spec.rb                         |  6 +-
 .../ci/templates/sast_gitlab_ci_yaml_spec.rb  | 72 +++++++++++++++++++
 .../ci_action/template_spec.rb                |  4 +-
 .../ci/templates/Jobs/SAST.gitlab-ci.yml      | 66 ++++++++++++++++-
 .../sast_parser_service_spec.rb               |  7 +-
 5 files changed, 145 insertions(+), 10 deletions(-)

diff --git a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
index 3eeeb7ea15f66fdf..583616e7e2519ced 100644
--- a/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/security_orchestration_policies/processor_spec.rb
@@ -361,6 +361,8 @@
                     '**/*.jsx',
                     '**/*.ts',
                     '**/*.tsx',
+                    '**/*.cjs',
+                    '**/*.mjs',
                     '**/*.c',
                     '**/*.cc',
                     '**/*.cpp',
@@ -378,9 +380,7 @@
                     '**/*.swift',
                     '**/*.m',
                     '**/*.rb',
-                    '**/*.kt',
-                    '**/*.cjs',
-                    '**/*.mjs'
+                    '**/*.kt'
                   ] }
               ]
             )
diff --git a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
index a5d06febbdfa3203..e48451d26d097d11 100644
--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -48,6 +48,10 @@
       end
 
       context 'by default' do
+        it "doesn't include gitlab-advanced-sast" do
+          expect(build_names).not_to include('gitlab-advanced-sast')
+        end
+
         describe 'language detection' do
           using RSpec::Parameterized::TableSyntax
 
@@ -89,5 +93,73 @@
         end
       end
     end
+
+    context 'when project has Ultimate license' do
+      let(:license) { build(:license, plan: License::ULTIMATE_PLAN) }
+
+      before do
+        allow(License).to receive(:current).and_return(license)
+      end
+
+      context 'when GITLAB_ADVANCED_SAST_ENABLED is not set' do
+        it "doesn't include gitlab-advanced-sast" do
+          expect(build_names).not_to include('gitlab-advanced-sast')
+        end
+      end
+
+      context 'when GITLAB_ADVANCED_SAST_ENABLED="false"' do
+        before do
+          create(:ci_variable, project: project, key: 'GITLAB_ADVANCED_SAST_ENABLED', value: 'false')
+        end
+
+        it "doesn't include gitlab-advanced-sast" do
+          expect(build_names).not_to include('gitlab-advanced-sast')
+        end
+      end
+
+      describe 'language detection' do
+        using RSpec::Parameterized::TableSyntax
+
+        where(:case_name, :files, :variables, :jobs) do
+          'Golang with advanced SAST'              | { 'main.go' => '' }          | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
+          'Java with advanced SAST'                | { 'app.java' => '' }         | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
+          'Python with advanced SAST'              | { 'app.js' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
+          'Javascript with advanced SAST'          | { 'app.cs' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
+          'C# with advanced SAST'                  | { 'app.py' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
+          'Ruby with advanced SAST'                | { 'config/routes.rb' => '' } | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[semgrep-sast]
+          'Python and Ruby with advanced SAST'     | { 'app.py' => '', 'config/routes.rb' => '' } | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' } | %w[gitlab-advanced-sast semgrep-sast]
+          'Golang without advanced SAST'           | { 'main.go' => '' }          | {}                                                           | %w[semgrep-sast]
+          'Golang with disabled advanced SAST'     | { 'main.go' => '' }          | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'false' }                | %w[semgrep-sast]
+          'Java with disabled advanced SAST'       | { 'app.java' => '' }         | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'false' }                | %w[semgrep-sast]
+          'Python with disabled advanced SAST'     | { 'app.py' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'false' }                | %w[semgrep-sast]
+          'Ruby with disabled advanced SAST'       | { 'config/routes.rb' => '' } | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'false' }                | %w[semgrep-sast]
+          'Javascript with disabled advanced SAST' | { 'app.js' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'false' }                | %w[semgrep-sast]
+          'C# with disabled advanced SAST'         | { 'app.cs' => '' } | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'false' }                          | %w[semgrep-sast]
+        end
+
+        with_them do
+          before do
+            variables.each do |(key, value)|
+              create(:ci_variable, project: project, key: key, value: value)
+            end
+          end
+
+          it_behaves_like 'acts as branch pipeline', params[:jobs]
+
+          it 'excludes already-covered extensions when both gitlab-advanced-sast and semgrep-sast run' do
+            gitlab_advanced_sast_extensions = %w[.py .go .java .js .jsx .ts .tsx .cjs .mjs .cs]
+
+            if build_names.include?('gitlab-advanced-sast') && build_names.include?('semgrep-sast')
+              # expect the variable SAST_EXCLUDED_PATHS of semgrep-sast to contain the list of extensions supported by gitlab-advanced-sast
+              variables = pipeline.builds.find_by(name: 'semgrep-sast').variables
+              sast_excluded_paths = variables.find { |v| v.key == 'SAST_EXCLUDED_PATHS' }.value
+              gitlab_advanced_sast_extensions.each do |ext|
+                expect(sast_excluded_paths).to include("**/*#{ext}")
+              end
+            end
+          end
+        end
+      end
+    end
   end
 end
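Review bot: The `if build_names.include?('gitlab-advanced-sast') && build_names.include?('semgrep-sast')` guard in the last added example makes it pass without any expectation for every table row except 'Python and Ruby with advanced SAST'. A regression that stops both jobs from running together would therefore leave this example green, and the exclusion that prevents double scanning would go untested. Inside the guard, the local `variables` shadows the table parameter of the same name, and `.find { ... }.value` raises `NoMethodError` rather than a readable failure if the variable is missing. I would move the check into its own context with fixed inputs, as sketched below, assuming `files` is what the surrounding setup reads, which is outside this hunk. The table also has no row for `GITLAB_ADVANCED_SAST_ENABLED => '1'`, which the template accepts.

```ruby
# … unchanged: where table and 'acts as branch pipeline' examples …
context 'when both gitlab-advanced-sast and semgrep-sast run' do
  let(:files) { { 'app.py' => '', 'config/routes.rb' => '' } }

  before do
    create(:ci_variable, project: project, key: 'GITLAB_ADVANCED_SAST_ENABLED', value: 'true')
  end

  it 'excludes already-covered extensions from semgrep-sast' do
    semgrep_variables = pipeline.builds.find_by(name: 'semgrep-sast').variables
    sast_excluded_paths = semgrep_variables.find { |v| v.key == 'SAST_EXCLUDED_PATHS' }&.value

    expect(sast_excluded_paths).to be_present
    %w[.py .go .java .js .jsx .ts .tsx .cjs .mjs .cs].each do |ext|
      expect(sast_excluded_paths).to include("**/*#{ext}")
    end
  end
end
```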
diff --git a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
index 440f7b619333a73c..c411301d510ecc7e 100644
--- a/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
+++ b/ee/spec/services/security/security_orchestration_policies/ci_action/template_spec.rb
@@ -217,6 +217,7 @@
             :"eslint-sast-0",
             :"flawfinder-sast-0",
             :"kubesec-sast-0",
+            :"gitlab-advanced-sast-0",
             :"gosec-sast-0",
             :"mobsf-android-sast-0",
             :"mobsf-ios-sast-0",
@@ -234,7 +235,8 @@
             'SECURE_ANALYZERS_PREFIX' => '$CI_TEMPLATE_REGISTRY_HOST/security-products',
             'SAST_IMAGE_SUFFIX' => '',
             'SAST_EXCLUDED_ANALYZERS' => '',
-            'SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
+            'DEFAULT_SAST_EXCLUDED_PATHS' => 'spec, test, tests, tmp',
+            'SAST_EXCLUDED_PATHS' => '$DEFAULT_SAST_EXCLUDED_PATHS',
             'SCAN_KUBERNETES_MANIFESTS' => 'false'
           }
 
diff --git a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
index 2ec4e8f2013082dd..e6ff49b8e780ccf8 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
@@ -10,7 +10,8 @@ variables:
   SAST_IMAGE_SUFFIX: ""
 
   SAST_EXCLUDED_ANALYZERS: ""
-  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
+  DEFAULT_SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
+  SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS"
   SCAN_KUBERNETES_MANIFESTS: "false"
 
 sast:
@@ -44,6 +45,36 @@ sast:
   rules:
     - when: never
 
+
+gitlab-advanced-sast:
+  extends: .sast-analyzer
+  image:
+    name: "$SAST_ANALYZER_IMAGE"
+  variables:
+    SEARCH_MAX_DEPTH: 20
+    SAST_ANALYZER_IMAGE_TAG: '0'
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gitlab-advanced-sast:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
+  rules:
+    - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
+      when: never
+    - if: $SAST_EXCLUDED_ANALYZERS =~ /gitlab-advanced-sast/
+      when: never
+    - if: $GITLAB_ADVANCED_SAST_ENABLED != 'true' && $GITLAB_ADVANCED_SAST_ENABLED != '1'
+      when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/
+      exists:
+        - '**/*.py'
+        - '**/*.go'
+        - '**/*.java'
+        - '**/*.js'
+        - '**/*.jsx'
+        - '**/*.ts'
+        - '**/*.tsx'
+        - '**/*.cjs'
+        - '**/*.mjs'
+        - '**/*.cs'
+
 bandit-sast:
   extends: .sast-analyzer
   script:
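Review bot: Nothing ties the `exists:` list of the new `gitlab-advanced-sast` job to the other places that repeat the same ten extensions: the `SAST_EXCLUDED_PATHS` value and the complementary `exists:` list in the semgrep-sast rules, plus the spec. The semgrep-sast job is switched off by an unconditional `when: never` whenever advanced SAST is enabled and none of its remaining languages are present. An extension dropped from one list but not the others could therefore leave a file type that neither job picks up. I would add a comment above the list, for example `# Keep in sync with SAST_EXCLUDED_PATHS and the exists: list in the semgrep-sast rules; together they must cover every extension semgrep-sast handles`.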
@@ -142,6 +173,35 @@ semgrep-sast:
       when: never
     - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
       when: never
+    # In case gitlab-advanced-sast also runs, exclude files already scanned by gitlab-advanced-sast
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          $SAST_EXCLUDED_ANALYZERS !~ /gitlab-advanced-sast/ &&
+          ($GITLAB_ADVANCED_SAST_ENABLED == 'true' || $GITLAB_ADVANCED_SAST_ENABLED == '1')
+      variables:
+        SAST_EXCLUDED_PATHS: "$DEFAULT_SAST_EXCLUDED_PATHS, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs"
+      exists:
+        - '**/*.c'
+        - '**/*.cc'
+        - '**/*.cpp'
+        - '**/*.c++'
+        - '**/*.cp'
+        - '**/*.cxx'
+        - '**/*.h'
+        - '**/*.hpp'
+        - '**/*.scala'
+        - '**/*.sc'
+        - '**/*.php'
+        - '**/*.swift'
+        - '**/*.m'
+        - '**/*.rb'
+        - '**/*.kt'
+    ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
+    - if: $CI_COMMIT_BRANCH &&
+          $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
+          $SAST_EXCLUDED_ANALYZERS !~ /gitlab-advanced-sast/ &&
+          ($GITLAB_ADVANCED_SAST_ENABLED == 'true' || $GITLAB_ADVANCED_SAST_ENABLED == '1')
+      when: never
     - if: $CI_COMMIT_BRANCH
       exists:
         - '**/*.py'
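Review bot: The rule-level `SAST_EXCLUDED_PATHS` in the first added rule is rebuilt from `$DEFAULT_SAST_EXCLUDED_PATHS`, not from the current `SAST_EXCLUDED_PATHS`. A project that customises `SAST_EXCLUDED_PATHS` in its own pipeline YAML would, as far as I can tell from how `rules:variables` take precedence over global variables, lose that value for semgrep-sast when this rule matches. The other analyzers would still honour it. If overriding `DEFAULT_SAST_EXCLUDED_PATHS` is the intended way to customise, the rule should say so, for example `# Custom exclusions must be set through DEFAULT_SAST_EXCLUDED_PATHS to apply here`. The semgrep-sast rules start and end outside this hunk.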
@@ -149,6 +209,8 @@ semgrep-sast:
         - '**/*.jsx'
         - '**/*.ts'
         - '**/*.tsx'
+        - '**/*.cjs'
+        - '**/*.mjs'
         - '**/*.c'
         - '**/*.cc'
         - '**/*.cpp'
@@ -167,8 +229,6 @@ semgrep-sast:
         - '**/*.m'
         - '**/*.rb'
         - '**/*.kt'
-        - '**/*.cjs'
-        - '**/*.mjs'
 
 sobelow-sast:
   extends: .sast-analyzer
diff --git a/spec/services/security/ci_configuration/sast_parser_service_spec.rb b/spec/services/security/ci_configuration/sast_parser_service_spec.rb
index 051bbcd194b53561..517f92bac0b04e44 100644
--- a/spec/services/security/ci_configuration/sast_parser_service_spec.rb
+++ b/spec/services/security/ci_configuration/sast_parser_service_spec.rb
@@ -17,8 +17,9 @@
     let(:secure_analyzers_prefix) { '$CI_TEMPLATE_REGISTRY_HOST/security-products' }
 
     it 'parses the configuration for SAST' do
+      print(configuration)
       expect(secure_analyzers['default_value']).to eql(secure_analyzers_prefix)
-      expect(sast_excluded_paths['default_value']).to eql('spec, test, tests, tmp')
+      expect(sast_excluded_paths['default_value']).to eql('$DEFAULT_SAST_EXCLUDED_PATHS')
       expect(sast_pipeline_stage['default_value']).to eql('test')
       expect(sast_search_max_depth['default_value']).to eql('4')
       expect(brakeman['enabled']).to be(true)
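Review bot: The expected `default_value` for SAST_EXCLUDED_PATHS is now the unexpanded reference `'$DEFAULT_SAST_EXCLUDED_PATHS'` rather than a path list. The two later hunks in this file pin the same thing for `value`. Whatever consumes the parsed configuration would presumably show or write back a variable name instead of the directories actually excluded, although the parser and its callers are not visible in this patch. If that is accepted, a comment above the expectation would record it, for example `# the template defines SAST_EXCLUDED_PATHS as a reference to DEFAULT_SAST_EXCLUDED_PATHS; the parser does not expand it`. Otherwise the parser should resolve the reference before these specs are loosened.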
@@ -52,7 +53,7 @@
         it 'populates the current values with the default values' do
           allow(project.repository).to receive(:blob_data_at).and_return(nil)
           expect(secure_analyzers['value']).to eql(secure_analyzers_prefix)
-          expect(sast_excluded_paths['value']).to eql('spec, test, tests, tmp')
+          expect(sast_excluded_paths['value']).to eql('$DEFAULT_SAST_EXCLUDED_PATHS')
           expect(sast_pipeline_stage['value']).to eql('test')
           expect(sast_search_max_depth['value']).to eql('4')
           expect(brakeman['enabled']).to be(true)
@@ -69,7 +70,7 @@
 
         it 'populates the current values with the default values' do
           expect(secure_analyzers['value']).to eql(secure_analyzers_prefix)
-          expect(sast_excluded_paths['value']).to eql('spec, test, tests, tmp')
+          expect(sast_excluded_paths['value']).to eql('$DEFAULT_SAST_EXCLUDED_PATHS')
           expect(sast_pipeline_stage['value']).to eql('test')
           expect(sast_search_max_depth['value']).to eql('4')
           expect(brakeman['enabled']).to be(true)
-- 
GitLab


From 3a253397c66bb5f2527b0c2f66bb9740238121ea Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Wed, 31 Jul 2024 11:29:08 +0300
Subject: [PATCH 2/9] Remove redundant test

---
 .../ci/templates/sast_gitlab_ci_yaml_spec.rb     | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
index e48451d26d097d11..b4428df6e84481ee 100644
--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -101,22 +101,6 @@
         allow(License).to receive(:current).and_return(license)
       end
 
-      context 'when GITLAB_ADVANCED_SAST_ENABLED is not set' do
-        it "doesn't include gitlab-advanced-sast" do
-          expect(build_names).not_to include('gitlab-advanced-sast')
-        end
-      end
-
-      context 'when GITLAB_ADVANCED_SAST_ENABLED="false"' do
-        before do
-          create(:ci_variable, project: project, key: 'GITLAB_ADVANCED_SAST_ENABLED', value: 'false')
-        end
-
-        it "doesn't include gitlab-advanced-sast" do
-          expect(build_names).not_to include('gitlab-advanced-sast')
-        end
-      end
-
       describe 'language detection' do
         using RSpec::Parameterized::TableSyntax
 
-- 
GitLab


From de629be506821099e9033b6ef765ff3e52c80d73 Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Wed, 31 Jul 2024 11:33:32 +0300
Subject: [PATCH 3/9] Remove redundant test

---
 ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
index b4428df6e84481ee..f244be6d4ac40dc5 100644
--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -48,10 +48,6 @@
       end
 
       context 'by default' do
-        it "doesn't include gitlab-advanced-sast" do
-          expect(build_names).not_to include('gitlab-advanced-sast')
-        end
-
         describe 'language detection' do
           using RSpec::Parameterized::TableSyntax
 
-- 
GitLab


From 6ceb74edaedd66a2150c2b77786a69cd63c9015b Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Wed, 31 Jul 2024 19:03:52 +0300
Subject: [PATCH 4/9] Bump GitLab Advanced SAST analyzer to v1

---
 lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
index e6ff49b8e780ccf8..718c9c74161f02b5 100644
--- a/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
@@ -52,7 +52,7 @@ gitlab-advanced-sast:
     name: "$SAST_ANALYZER_IMAGE"
   variables:
     SEARCH_MAX_DEPTH: 20
-    SAST_ANALYZER_IMAGE_TAG: '0'
+    SAST_ANALYZER_IMAGE_TAG: '1'
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gitlab-advanced-sast:$SAST_ANALYZER_IMAGE_TAG$SAST_IMAGE_SUFFIX"
   rules:
     - if: $SAST_DISABLED == 'true' || $SAST_DISABLED == '1'
-- 
GitLab


From dec3f5e2c5ac76568a5cf1b028f728f0523247f1 Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Thu, 1 Aug 2024 00:18:36 +0300
Subject: [PATCH 5/9] Fix tests titles

---
 ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
index f244be6d4ac40dc5..746da0673c6ba673 100644
--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -103,9 +103,9 @@
         where(:case_name, :files, :variables, :jobs) do
           'Golang with advanced SAST'              | { 'main.go' => '' }          | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
           'Java with advanced SAST'                | { 'app.java' => '' }         | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
-          'Python with advanced SAST'              | { 'app.js' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
-          'Javascript with advanced SAST'          | { 'app.cs' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
-          'C# with advanced SAST'                  | { 'app.py' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
+          'Javascript with advanced SAST'          | { 'app.js' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
+          'C# with advanced SAST'                  | { 'app.cs' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
+          'Python with advanced SAST'              | { 'app.py' => '' }           | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[gitlab-advanced-sast]
           'Ruby with advanced SAST'                | { 'config/routes.rb' => '' } | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' }                 | %w[semgrep-sast]
           'Python and Ruby with advanced SAST'     | { 'app.py' => '', 'config/routes.rb' => '' } | { 'GITLAB_ADVANCED_SAST_ENABLED' => 'true' } | %w[gitlab-advanced-sast semgrep-sast]
           'Golang without advanced SAST'           | { 'main.go' => '' }          | {}                                                           | %w[semgrep-sast]
-- 
GitLab


From b79fd9bd88c6e47b0e9b9fbe0f7993d2dc6ff0c5 Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Fri, 2 Aug 2024 18:34:40 +0300
Subject: [PATCH 6/9] Update the documentation

---
 doc/user/application_security/sast/gitlab_advanced_sast.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/user/application_security/sast/gitlab_advanced_sast.md b/doc/user/application_security/sast/gitlab_advanced_sast.md
index 22c36fc783efbd8e..2dd72a58562e44dd 100644
--- a/doc/user/application_security/sast/gitlab_advanced_sast.md
+++ b/doc/user/application_security/sast/gitlab_advanced_sast.md
@@ -77,7 +77,7 @@ To enable the Advanced SAST analyzer:
 1. Select **Build > Pipeline editor**.
 1. If no `.gitlab-ci.yml` file exists, select **Configure pipeline**, then delete the example
    content.
-1. Include the latest SAST template `Jobs/SAST.latest.gitlab-ci.yml` (if not already done).
+1. Include a SAST template (if not already done), either `Jobs/SAST.gitlab-ci.yml` or `Jobs/SAST.latest.gitlab-ci.yml`.
    **Note:** The `latest` templates can receive breaking changes in any release.
 1. Set the CI/CD variable `GITLAB_ADVANCED_SAST_ENABLED` to `true`.
 
-- 
GitLab


From f7caabb81a4c82e0af57592ebad6ed8ffd507930 Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Sun, 4 Aug 2024 22:46:11 +0300
Subject: [PATCH 7/9] Fix the example YAML template in the documentation

---
 .../sast/gitlab_advanced_sast.md                     | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/doc/user/application_security/sast/gitlab_advanced_sast.md b/doc/user/application_security/sast/gitlab_advanced_sast.md
index 2dd72a58562e44dd..724655c1d4013bf5 100644
--- a/doc/user/application_security/sast/gitlab_advanced_sast.md
+++ b/doc/user/application_security/sast/gitlab_advanced_sast.md
@@ -83,13 +83,13 @@ To enable the Advanced SAST analyzer:
 
 Here is a minimal YAML file for enabling GitLab Advanced SAST:
 
-  ```yaml
-  include:
-    - template: Jobs/SAST.latest.gitlab-ci.yml
+```yaml
+include:
+   - template: Jobs/SAST.gitlab-ci.yml
 
-  variables:
-    GITLAB_ADVANCED_SAST_ENABLED: 'true'
-  ```
+variables:
+   GITLAB_ADVANCED_SAST_ENABLED: 'true'
+```
 
 1. Select the **Validate** tab, then select **Validate pipeline**.
 
-- 
GitLab


From 27e8b5d346e5a6d1187a668bf45c4d63853b5a63 Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Mon, 5 Aug 2024 06:34:08 +0000
Subject: [PATCH 8/9] Apply 1 suggestion(s) to 1 file(s)

Co-authored-by: Russell Dickenson <rdickenson@gitlab.com>
---
 doc/user/application_security/sast/gitlab_advanced_sast.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/user/application_security/sast/gitlab_advanced_sast.md b/doc/user/application_security/sast/gitlab_advanced_sast.md
index 724655c1d4013bf5..a12d6710ad2d8f30 100644
--- a/doc/user/application_security/sast/gitlab_advanced_sast.md
+++ b/doc/user/application_security/sast/gitlab_advanced_sast.md
@@ -85,10 +85,10 @@ Here is a minimal YAML file for enabling GitLab Advanced SAST:
 
 ```yaml
 include:
-   - template: Jobs/SAST.gitlab-ci.yml
+  - template: Jobs/SAST.gitlab-ci.yml
 
 variables:
-   GITLAB_ADVANCED_SAST_ENABLED: 'true'
+  GITLAB_ADVANCED_SAST_ENABLED: 'true'
 ```
 
 1. Select the **Validate** tab, then select **Validate pipeline**.
-- 
GitLab


From 311aa2443ee3955c22ce977177989a528f52590b Mon Sep 17 00:00:00 2001
From: Meir Benayoun <mbenayoun@gitlab.com>
Date: Mon, 5 Aug 2024 12:55:12 +0000
Subject: [PATCH 9/9] Apply 1 suggestion(s) to 1 file(s)

---
 .../security/ci_configuration/sast_parser_service_spec.rb        | 1 -
 1 file changed, 1 deletion(-)

diff --git a/spec/services/security/ci_configuration/sast_parser_service_spec.rb b/spec/services/security/ci_configuration/sast_parser_service_spec.rb
index 517f92bac0b04e44..93399d3aa4cfe227 100644
--- a/spec/services/security/ci_configuration/sast_parser_service_spec.rb
+++ b/spec/services/security/ci_configuration/sast_parser_service_spec.rb
@@ -17,7 +17,6 @@
     let(:secure_analyzers_prefix) { '$CI_TEMPLATE_REGISTRY_HOST/security-products' }
 
     it 'parses the configuration for SAST' do
-      print(configuration)
       expect(secure_analyzers['default_value']).to eql(secure_analyzers_prefix)
       expect(sast_excluded_paths['default_value']).to eql('$DEFAULT_SAST_EXCLUDED_PATHS')
       expect(sast_pipeline_stage['default_value']).to eql('test')
-- 
GitLab