Feature/sast rules
What does this MR do?
This MR removes the /rules directory and /semgrep_rules_check directory, and updates the Dockerfile and Dockerfile.fips to pull in the latest semgrep rules from the sast-rules repo. sast-rules is the single source of truth for semgrep rules for the semgrep analyzer.
Couple of things to note:
- Semgrep rules are tested in the sast-rules repo in a few different ways. This should alleviate any qualms one might have about removing the
/semgrep_rulesdirectory.- the
semgrep_rules_checkjob - the
gapanalysisjob which kicks off a suite of downstream tests.
- the
- Some of the finding descriptions contain multiple previously removed new lines. These could be removed in
sast-rulesor removed in the analyzer. I don't have a strong opinion on this either way. - I added a semgrep_rules_version_check job to make sure the semgrep rules version remains consistent between Dockerfile and Dockerfile.fips
What are the relevant issue numbers?
gitlab-org/gitlab#321184 (closed)
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer
Edited by Zach Rice