
Draft: Fix disabling and overriding rules with a remote custom ruleset

What does this MR do?

This fix is based on the work from @eurie in:

Allows a remote custom ruleset to be used when disabling or overriding rules, similar to kics!102, by ensuring the correct ruleset and path are set when generating the gl-secret-detection-report.json file.

Resolves gitlab-org/gitlab#425251.

Testing

Testing this locally requires creating a Go workspace as outlined below.

  1. Check out the fix-disabling-overriding-rules-with-remote-custom-ruleset branch for secrets.
  2. Create a modules folder in the cloned directory.
  3. In the modules folder, clone the 425730_eurie_remote_ruleset_not_applied_during_report_generation branch for command.
  4. Temporarily, see note below:
    • Replace all occurrences of ruleset/v2 with ruleset/v3 in the cloned command repository.
    • Replace all occurrences of report/v4 with report/v5 in the cloned command repository.
  5. In the top-level secrets directory initialize a new go workspace:
    • go work init .
    • go work use modules/command
  6. Clone the test project into qa/fixtures: git@gitlab.com:gitlab-org/secure/tests/test-issue-425251/secret-detection.git.
  7. Run analyzer-build && analyzer-debug qa/fixtures/secret-detection.
  8. In the debug container, export the following environment variables:
    • export GITLAB_FEATURES=sast_custom_rulesets
    • export SECRET_DETECTION_RULESET_GIT_REFERENCE=gitlab.com/gitlab-org/secure/tests/test-issue-425251/ruleset
  9. Run the analyzer: /analyzer run.
  10. Verify that there are no results in the resulting /tmp/app/gl-secret-detection-report.json file.

Note: we are currently pointing to the latest versions of the ruleset and report modules, which already include the required changes, so the steps above only require the command module to be added to the Go workspace, but it has to point to the correct module versions too.
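Steps 4 and 10 are the parts of the procedure that are easy to get subtly wrong (a missed import path, or a report that looks empty but is not). The following POSIX shell helper is an added example and not code from the secrets or command projects: `bump_module_versions` performs the step 4 rewrite over go.mod and *.go files while leaving vendor/ and .git/ untouched, `count_stale_paths` confirms nothing was missed, and `report_has_no_findings` implements the step 10 check by testing for an empty `vulnerabilities` array in gl-secret-detection-report.json. The module paths (`example.test/...`) and the sample report contents are constructed for illustration; the real clone, `go work` and analyzer commands are the ones listed in the steps above.

```shell
#!/bin/sh
# Added helper for steps 4 and 10 of the testing procedure. Not part of the
# secrets or command projects; assumes only POSIX sh, find, sed, tr, grep and
# mktemp. Module paths and sample files below are constructed for illustration.

# Step 4: point a cloned "command" checkout at ruleset/v3 and report/v5 by
# rewriting go.mod and every *.go file. vendor/ and .git/ are skipped.
bump_module_versions() {
  find "$1" \( -name .git -o -name vendor \) -prune -o \
       -type f \( -name '*.go' -o -name go.mod \) -print |
  while IFS= read -r f; do
    # -i.bak works with both GNU and BSD sed; the backup is removed on success
    sed -i.bak -e 's#ruleset/v2#ruleset/v3#g' -e 's#report/v4#report/v5#g' "$f" \
      && rm -f "$f.bak"
  done
}

# Number of go.mod / *.go files still referencing the old module versions.
# 0 means step 4 is complete.
count_stale_paths() {
  find "$1" \( -name .git -o -name vendor \) -prune -o \
       -type f \( -name '*.go' -o -name go.mod \) \
       -exec grep -lE 'ruleset/v2|report/v4' {} + | wc -l | tr -d ' '
}

# Step 10: the run is verified if the report's "vulnerabilities" array is empty.
# Whitespace is stripped first so compact and pretty-printed JSON both match.
report_has_no_findings() {
  tr -d '[:space:]' < "$1" | grep -q '"vulnerabilities":\[\]'
}

# Constructed stand-in for a cloned command checkout plus two analyzer reports
# (one without findings, one with a finding), written to a temporary directory.
make_samples() {
  d=$(mktemp -d)
  mkdir -p "$d/command/vendor/ruleset"
  cat > "$d/command/go.mod" <<'EOF'
module example.test/command

require (
    example.test/ruleset/v2 v2.0.0
    example.test/report/v4 v4.0.0
)
EOF
  cat > "$d/command/main.go" <<'EOF'
package main

import (
    _ "example.test/report/v4"
    _ "example.test/ruleset/v2"
)

func main() {}
EOF
  # vendored copy must be left alone by the rewrite
  printf 'ruleset/v2\n' > "$d/command/vendor/ruleset/stale.go"
  printf '{\n  "version": "15.0.0",\n  "vulnerabilities": [\n  ],\n  "scan": {}\n}\n' > "$d/empty.json"
  printf '{"version":"15.0.0","vulnerabilities":[{"id":"X"}],"scan":{}}\n' > "$d/finding.json"
  echo "$d"
}

# Stand-alone demonstration on the constructed samples.
samples=$(make_samples)
bump_module_versions "$samples/command"
echo "stale files after rewrite: $(count_stale_paths "$samples/command")"
report_has_no_findings "$samples/empty.json" && echo "empty.json: no findings"
report_has_no_findings "$samples/finding.json" || echo "finding.json: findings present"
```

Run the helper from the top-level secrets directory as `bump_module_versions modules/command` after step 3, and `report_has_no_findings /tmp/app/gl-secret-detection-report.json` inside the debug container after step 9; a non-zero exit from the latter means the custom ruleset was not applied.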

Demo

The demo was created with only the ruleset module updated to v3.

demo

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Edited by Ahmed Hemdan
