Support Shell SAST Scanning
Problem to solve
Many repositories contain shell scripts, even when the project itself is not shell-based. Shell scripts can be incredibly powerful because they are often run directly on the server, frequently with elevated permissions. Writing shell scripts that are secure and linted is therefore especially important.
Since shell scripts are often hacked together outside the typical development SDLC, adding a shell SAST scanner will help catch coding errors and potential vulnerabilities.
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
A handful of open source scanners are available that could be wrapped.
These tools need to be evaluated for technical and legal compatibility with GitLab.
GitLab already recommends shellcheck as part of any pipeline for a project that contains shell scripts: https://docs.gitlab.com/ee/development/shell_scripting_guide/index.html
Once a shell SAST scanner is available, GitLab can update its shell scripting guide to use it.
Wrap an existing shell scanner tool.
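As an added example (not code from this issue or from GitLab itself), here is a POSIX sh job body that does what the shell scripting guide recommends and what a wrapped scanner would have to do: discover shell scripts by extension or shebang and run shellcheck over them, failing the job when findings exist. The function names, the severity threshold and the job image are assumptions.

```shell
#!/bin/sh
# Added example, not GitLab's own code: CI job body that finds shell scripts
# (by extension or shebang) and lints them with shellcheck, failing the job
# when findings at or above the chosen severity exist.
# Assumes shellcheck is installed in the job image (e.g. koalaman/shellcheck-alpine).

# find_shell_scripts DIR: print one path per line for every regular file that
# ends in .sh/.bash or whose first line is a sh/bash/dash/ksh shebang.
find_shell_scripts() {
    dir=${1:-.}
    find "$dir" -path '*/.git' -prune -o -type f -print | while IFS= read -r f; do
        case "$f" in
            *.sh|*.bash) printf '%s\n' "$f"; continue ;;
        esac
        # Only the first line is inspected, so large binaries are not read.
        if head -n 1 "$f" 2>/dev/null |
            grep -Eq '^#! ?(/usr)?/bin/(env +)?(sh|bash|dash|ksh)( |$)'; then
            printf '%s\n' "$f"
        fi
    done
}

# lint_shell_scripts DIR [SEVERITY]: run shellcheck on every discovered script.
# SEVERITY is shellcheck's -S threshold (error|warning|info|style); findings
# below it are ignored. Returns 0 only when every script is clean.
lint_shell_scripts() {
    dir=${1:-.}
    severity=${2:-warning}
    list=$(mktemp)
    find_shell_scripts "$dir" > "$list"
    status=0
    # -f gcc prints file:line:col: messages that read well in a job log.
    while IFS= read -r f; do
        shellcheck -S "$severity" -f gcc "$f" || status=1
    done < "$list"
    rm -f "$list"
    return "$status"
}
```

In a `.gitlab-ci.yml` job this would be sourced and then called as `lint_shell_scripts . warning`, so any script with a warning-level or worse finding fails the pipeline.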
Permissions and Security
The SAST scanner page (https://docs.gitlab.com/ee/user/application_security/sast/) and the shell scripting guide (https://docs.gitlab.com/ee/development/shell_scripting_guide/index.html) will need to be updated.
A sample shell project will need to be created to test the SAST scanner.
What does success look like, and how can we measure that?
Usage pings for the shell SAST scanner will show whether the scanner is actively being used.