
Semgrep Builtin Support of Community rules

  • Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA

What does this MR do?

Brief description

Adds support for enabling additional security scan rulesets for the Semgrep analyzer. This differs from SAST custom rulesets: the rulesets are cumulative rather than overriding the predefined rules.

Among other things, this makes it possible to:

  1. Provide built-in SAST support for additional languages supported by the Semgrep community, such as Rust, which is currently only supported through user-provided custom rules.
  2. Extend the GitLab Semgrep rules with custom rules without overriding the predefined rules.

Detailed description

To control which sets of security scan rules are used, the following environment variables have been added:

| Variable | Type | Default Value | Description |
| --- | --- | --- | --- |
| SAST_SEMGREP_GITLAB_RULES | bool | true | Whether to use the default GitLab Semgrep analyzer security rules (509 rules). These rules are enabled by default. |
| SAST_SEMGREP_COMMUNITY_RULES | bool | false | Whether to use the Semgrep community security rules (1208 rules). These rules are disabled by default. The community security rules are extracted from the community rules using the glob pattern `*/*security*/*.y*ml`. |
| SAST_SEMGREP_CUSTOM_RULES_URL | string | "" | Location of a custom Semgrep ruleset to use. The location MUST be a valid URL with a supported scheme (see below); an error is returned if the scheme is not supported. Only .yaml and .yml files from the source are considered; any other files are skipped. Note that setting SAST_SEMGREP_CUSTOM_RULES_URL: file:///custom_rules/ is equivalent to SAST_SEMGREP_COMMUNITY_RULES: true. |

The analyzer returns an error if none of the above ruleset sources is enabled. Rulesets are cumulative: if both SAST_SEMGREP_GITLAB_RULES and SAST_SEMGREP_COMMUNITY_RULES are enabled, 1717 rules are used to perform the analysis.

For SAST_SEMGREP_CUSTOM_RULES_URL, the following table describes the supported schemes.

| URL Scheme | Supports Remote Location | Description |
| --- | --- | --- |
| file | No | Specifies a local directory of Semgrep rulesets. This is useful for project-specific custom rulesets (e.g. security non-regression SAST rules). To point at a location inside the project, set SAST_SEMGREP_CUSTOM_RULES_URL: file:///$CI_PROJECT_DIR/.security/SEMGREP_RULES/. If a remote location is provided, an error is returned. |
| git | Yes | Specifies a git repository containing Semgrep rulesets. This is useful for organization-wide custom Semgrep rulesets that do not override the predefined rules. |
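To make the resolution rules above concrete, here is an added Go example (not the analyzer's own code) modelling how the three variables combine: sources are cumulative, the file scheme rejects a remote host, git is the only other accepted scheme, and selecting no source at all is an error. Function and parameter names are assumptions, as is the sample path in main.

```go
package main

import (
	"fmt"
	"net/url"
)

// ParseCustomRulesURL enforces the MR's scheme table: file must be local, git may be remote.
func ParseCustomRulesURL(raw string) (scheme, location string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", fmt.Errorf("invalid SAST_SEMGREP_CUSTOM_RULES_URL: %w", err)
	}
	switch {
	case u.Scheme == "git":
		return "git", raw, nil
	case u.Scheme != "file":
		return "", "", fmt.Errorf("unsupported scheme %q in SAST_SEMGREP_CUSTOM_RULES_URL", u.Scheme)
	case u.Host != "": // file://host/path names a remote location, which file does not support
		return "", "", fmt.Errorf("file scheme does not support remote location %q", u.Host)
	}
	return "file", u.Path, nil
}

// EnabledSources returns the cumulative ruleset sources selected by the three variables,
// or an error when none of them enables a source (hypothetical model of the MR's behaviour).
func EnabledSources(gitlabRules, communityRules bool, customRulesURL string) ([]string, error) {
	var sources []string
	if gitlabRules { // SAST_SEMGREP_GITLAB_RULES
		sources = append(sources, "gitlab")
	}
	if communityRules { // SAST_SEMGREP_COMMUNITY_RULES
		sources = append(sources, "community")
	}
	if customRulesURL != "" { // SAST_SEMGREP_CUSTOM_RULES_URL
		scheme, loc, err := ParseCustomRulesURL(customRulesURL)
		if err != nil {
			return nil, err
		}
		sources = append(sources, scheme+":"+loc)
	}
	if len(sources) == 0 {
		return nil, fmt.Errorf("no Semgrep ruleset source enabled")
	}
	return sources, nil
}

func main() {
	fmt.Println(EnabledSources(true, false, "file:///builds/project/.security/SEMGREP_RULES/"))
}
```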

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?
