Fix bug that causes semgrep to scan GLAS vulns

What does this MR do and why?

Fixes the bug "In Scan Execution Policies, Semgrep also scans ..." (#479820 - closed); specific details of this bug can be found here.

Introduces a new SAST_SEMGREP_EXCLUDED_PATHS CI variable that is merged with SAST_EXCLUDED_PATHS in the Semgrep analyzer, via this MR: "SEP default overriding custom SAST_EXCLUDED_PAT..." (gitlab-org/security-products/analyzers/semgrep!615 - merged).

Adds steps to remove the customized SAST_EXCLUDED_PATHS in the next major release, tracked in this issue: "Remove SAST_EXCLUDED_PATHS from SAST CI template" (#562940).

References

In Scan Execution Policies, Semgrep also scans ... (#479820 - closed)

How to set up and validate locally

  1. Reference this project, which contains Swift (to be scanned by Semgrep) and Python (to be scanned by GLAS) vuln files.
  2. Use the temporary Semgrep analyzer released via this MR, which merges SAST_SEMGREP_EXCLUDED_PATHS and SAST_EXCLUDED_PATHS.
  3. Since we can't pass a custom SAST CI template to SEP, we can only simulate the resulting CI file. In this case, since SEP does not set a default for SAST_SEMGREP_EXCLUDED_PATHS, we can safely set the value in a local CI file; reference file.
  4. Verify that the Semgrep job only reports Swift vulns and not Python vulns.
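As an added illustration of what step 4 checks (example code, not the analyzer's own): a model of how the two exclusion variables are merged and applied to a file list. The matching rules and the `*.py` exclusion value are constructed assumptions; the default value of SAST_EXCLUDED_PATHS is the one from the SAST template.

```python
"""Model of a merged SAST exclusion list filtering what Semgrep scans.

Constructed example for this MR, not the analyzer's code. Simplified rule
(assumption): a pattern excludes a file when it glob-matches the full
relative path, any leading directory prefix, or any single path segment.
"""
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Default value of SAST_EXCLUDED_PATHS in the GitLab SAST CI template.
DEFAULT_SAST_EXCLUDED_PATHS = "spec, test, tests, tmp"

# Constructed value for the new variable: keep Semgrep away from Python
# files, which GLAS is meant to cover.
EXAMPLE_SEMGREP_EXCLUDED_PATHS = "*.py"

# Constructed file list mirroring the Swift/Python test project.
EXAMPLE_FILES = [
    "app/Main.swift",
    "lib/util.py",
    "tests/test_util.py",
    "spec/Helper.swift",
    "tmp/scratch.swift",
]


def parse_paths(value: str) -> list[str]:
    """Split a comma-separated CI variable into trimmed, non-empty patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def merge_excluded_paths(sast_excluded: str, semgrep_excluded: str) -> list[str]:
    """Union of both variables, order preserved, duplicates dropped."""
    seen: dict[str, None] = {}
    for pattern in parse_paths(sast_excluded) + parse_paths(semgrep_excluded):
        seen.setdefault(pattern, None)
    return list(seen)


def is_excluded(path: str, patterns: list[str]) -> bool:
    """True if any pattern matches the path, a directory prefix, or a segment."""
    parts = PurePosixPath(path).parts
    candidates = {path, *parts}
    candidates.update("/".join(parts[:i]) for i in range(1, len(parts)))
    return any(fnmatch(c, pat) for c in candidates for pat in patterns)


def files_semgrep_scans(files, sast_excluded, semgrep_excluded) -> list[str]:
    """Files left for Semgrep after applying the merged exclusion list."""
    patterns = merge_excluded_paths(sast_excluded, semgrep_excluded)
    return [f for f in files if not is_excluded(f, patterns)]
```

With the constructed inputs only `app/Main.swift` survives, which is the outcome step 4 expects: Swift findings only, no Python findings from Semgrep.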

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Shao Ming Tan
