Allow passing custom CLI options
What does this MR do?
There is currently no way to customize Semgrep CLI if for example you need to exclude specific directories from being scanned. For instance, at r2c, we have large `__test_data__` directories that slow SAST scans down a lot unless excluded from scanning.
This MR lets people pass arbitrary flags via an environment variable. For our case, this'd look like:

```yaml
semgrep-sast:
  variables:
    SAST_SEMGREP_EXTRA_ARGS: "--exclude=__test_data__"
```
Another flag of interest is `--config`, which can be added multiple times to run more rules.
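To make concrete how a variable like this would reach the scanner, here is an added Go example (not code from this MR or from the analyzer itself) that assembles the semgrep argument vector from the analyzer's default rulesets plus the raw value of the variable. The function name `semgrepArgs`, the default ruleset `p/ci` and the splitting rule are assumptions: the variable is split on whitespace, so each extra flag must be one token in the `--exclude=__test_data__` form, and an unset variable contributes nothing. Since the variable lets a pipeline author narrow or widen the scan, the `main` also echoes the final command line so the job log records exactly which flags were in effect.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// semgrepArgs assembles the argument vector for one semgrep invocation.
// defaultConfigs are the rulesets the analyzer always applies; extraArgs is
// the raw value of the (assumed) SAST_SEMGREP_EXTRA_ARGS variable; target is
// the directory to scan.
func semgrepArgs(defaultConfigs []string, extraArgs string, target string) []string {
	args := []string{"--json"}
	for _, c := range defaultConfigs {
		// --config may be repeated, so the defaults and any extra --config
		// tokens from the variable simply accumulate.
		args = append(args, "--config="+c)
	}
	// strings.Fields splits on runs of whitespace and drops empty tokens, so an
	// unset or blank variable adds nothing. A flag whose value contains spaces
	// must therefore use the --flag=value form as a single token.
	args = append(args, strings.Fields(extraArgs)...)
	return append(args, target)
}

func main() {
	// "p/ci" stands in for whatever default ruleset the analyzer ships with.
	args := semgrepArgs([]string{"p/ci"}, os.Getenv("SAST_SEMGREP_EXTRA_ARGS"), ".")
	// Echo the effective command so the job log shows which extra flags ran.
	fmt.Println("semgrep", strings.Join(args, " "))
}
```

With `SAST_SEMGREP_EXTRA_ARGS="--exclude=__test_data__ --config=p/python"` the log line becomes `semgrep --json --config=p/ci --exclude=__test_data__ --config=p/python .`, which is the evidence a reviewer would want when checking that a scan was not quietly narrowed.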
If this is something that'd get accepted, we should consider doing the following:
- Add documentation (but maybe this should launch as a hidden, advanced feature?)
- Add a QA test case which passes `--exclude`
- Maybe reimplement by exposing flags of interest one by one?
What are the relevant issue numbers?
N/A
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer