
Add PHP language support to gitlab-advanced-sast

What does this MR do and why?

This MR adds PHP file scanning to the gitlab-advanced-sast analyzer in both the regular and latest GitLab SAST templates.

  • Added **/*.php to gitlab-advanced-sast file patterns, enabling PHP scanning when this analyzer is enabled
  • Added PHP to semgrep-sast exclusion paths to prevent duplicate scanning when both analyzers are active
  • Maintained consistent configuration across merge request and branch pipelines

Note: When users enable GLAS (gitlab-advanced-sast) for PHP scanning, they will no longer receive results from semgrep-sast for PHP files due to the exclusion paths added to prevent duplicate scanning.

References

https://gitlab.com/gitlab-org/gitlab/-/issues/523657+s

Manual QA

Before

Summary

  1. semgrep-sast is executed as normal.
  2. gitlab-advanced-sast is not executed.

After

Summary

  1. semgrep-sast job now excludes PHP files via the SAST_EXCLUDED_PATHS configuration, which explicitly lists **/*.php in the exclusion pattern.
  2. gitlab-advanced-sast job successfully identifies and scans PHP files, processing all .php files in the repository as shown in the target mappings.

Disabling PHP Scanning in GitLab Advanced SAST

To disable PHP scanning in GitLab Advanced SAST while enabling it in semgrep-sast, set these project-level CI/CD variables in your project settings (Settings > CI/CD > Variables):

Variable 1:

Key: FF_GLAS_ENABLE_PHP_SUPPORT
Value: false

Variable 2:

Key: SAST_EXCLUDED_PATHS
Value: spec, test, tests, tmp, **/*.py, **/*.go, **/*.java, **/*.js, **/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb

The project-level variables have higher precedence and will override the template's default behavior.
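The following is an added illustration, not code from this MR or from either analyzer: a small model of which analyzer ends up scanning each PHP file under the two configurations described above (the template default after this change, where semgrep-sast excludes `**/*.php`, versus the project-level override with `FF_GLAS_ENABLE_PHP_SUPPORT=false` and Variable 2). The exclusion values are quoted from this MR; the sample repository listing is constructed. The matching rules are an assumption that approximates `SAST_EXCLUDED_PATHS` (a bare name such as `tests` matches a directory component or path prefix, `**/<glob>` matches the glob against the file name at any depth); the real analyzers may differ in details, and only the PHP decision is modelled.

```python
"""Model which SAST analyzer scans each PHP file under the two configurations
in the MR. Added illustration; matching semantics below are an assumption."""

import fnmatch

# Values quoted from the MR description.
DEFAULT_EXCLUDED = "spec, test, tests, tmp"
GLAS_OFF_EXCLUDED = ("spec, test, tests, tmp, **/*.py, **/*.go, **/*.java, **/*.js, "
                     "**/*.jsx, **/*.ts, **/*.tsx, **/*.cjs, **/*.mjs, **/*.cs, **/*.rb")
# With GLAS PHP support on, the template also excludes PHP from semgrep-sast.
GLAS_ON_EXCLUDED = GLAS_OFF_EXCLUDED + ", **/*.php"


def parse_excluded_paths(value):
    """Split a SAST_EXCLUDED_PATHS value into its comma-separated patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def pattern_matches(path, pattern):
    """Approximate exclusion matching for one repo-relative path (assumption)."""
    parts = path.split("/")
    if not any(c in pattern for c in "*?["):
        # Plain name or path: matches as a path prefix or as any path component.
        pattern = pattern.rstrip("/")
        return path == pattern or path.startswith(pattern + "/") or pattern in parts
    if pattern.startswith("**/"):
        tail = pattern[3:]
        if "/" not in tail:
            # "**/*.php": match the glob against the file name at any depth.
            return fnmatch.fnmatchcase(parts[-1], tail)
        return any(fnmatch.fnmatchcase("/".join(parts[i:]), tail) for i in range(len(parts)))
    return fnmatch.fnmatchcase(path, pattern)


def is_excluded(path, excluded_value):
    """True if any pattern in the SAST_EXCLUDED_PATHS value matches the path."""
    return any(pattern_matches(path, p) for p in parse_excluded_paths(excluded_value))


def plan_php_scan(paths, semgrep_excluded, glas_excluded, glas_php_enabled):
    """Return {php_path: [analyzers that scan it]}.

    Only the PHP decision from the MR is modelled: semgrep-sast scans a PHP file
    its exclusion list does not match; gitlab-advanced-sast scans PHP files only
    when FF_GLAS_ENABLE_PHP_SUPPORT is on (its **/*.php file pattern).
    """
    plan = {}
    for path in paths:
        if not path.endswith(".php"):
            continue  # other languages are out of scope for this model
        analyzers = []
        if not is_excluded(path, semgrep_excluded):
            analyzers.append("semgrep-sast")
        if glas_php_enabled and not is_excluded(path, glas_excluded):
            analyzers.append("gitlab-advanced-sast")
        plan[path] = analyzers
    return plan


# Constructed sample repository listing.
SAMPLE_PATHS = ["index.php", "app/Controllers/Login.php", "tests/LoginTest.php", "src/util.py"]


def glas_php_on():
    """Template default after this MR: GLAS PHP support on, semgrep-sast excludes PHP.
    Assumes GLAS itself keeps the template's default exclusions."""
    return plan_php_scan(SAMPLE_PATHS, GLAS_ON_EXCLUDED, DEFAULT_EXCLUDED, True)


def glas_php_off():
    """Project-level override from the MR: FF_GLAS_ENABLE_PHP_SUPPORT=false plus
    Variable 2, which applies to every SAST job in the pipeline."""
    return plan_php_scan(SAMPLE_PATHS, GLAS_OFF_EXCLUDED, GLAS_OFF_EXCLUDED, False)


if __name__ == "__main__":
    for label, plan in (("GLAS PHP on", glas_php_on()), ("GLAS PHP off", glas_php_off())):
        print(label)
        for path, analyzers in plan.items():
            print(f"  {path}: {', '.join(analyzers) or 'not scanned'}")
```

Running it shows the trade-off stated in the note above: with PHP support on, every non-excluded PHP file is scanned by gitlab-advanced-sast only; with the override, the same files go to semgrep-sast only, and files under `tests/` are skipped by both because of the default exclusions.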

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Philip Cunningham
