Ruleset customization with default configuration for Semgrep

What does this MR do?

Use the new API provided by the ruleset package to use and expand the default SAST configuration. The MR dependencies are illustrated below.

• 1️⃣ ruleset module Adding keepdefaultrules option by means of a di... (ruleset!59 - merged) • Julian Thome • 18.5 (Adding support for keepdefaultrules)
  • 2️⃣ Semgrep MR (this MR) Ruleset customization with default configuratio... (!630 - merged) • Julian Thome • 18.5
• 3️⃣ ruleset module Execute passthroughs selectively through Proces... (ruleset!62 - merged) • Julian Thome • 18.5 (Adding support for selective passthrough application)
  • 4️⃣ GLAS MR https://gitlab.com/gitlab-org/security-products/analyzers/gitlab-advanced-sast/-/merge_requests/218+s

What are the relevant issue numbers?

1. Implement passthrough filtering in the ruleset ... (gitlab-org/gitlab#569182 - closed) • Julian Thome • 18.5 • On track
2. Allow SAST custom rules to be appended to rathe... (gitlab-org/gitlab#426406 - closed) • Julian Thome • 18.5 • On track

Test project

https://gitlab.com/julianthome/keepdefaultconfig

1. main branch custom rule + standard rules enabled with keepdefaultrules = true
2. Overrides only: Configurations without keepdefaultrules = true and without passhtroughs (only overrides) https://gitlab.com/julianthome/keepdefaultconfig/-/merge_requests/2+s and https://gitlab.com/julianthome/keepdefaultconfig/-/merge_requests/1+s. The resulting reports are identical (backwards compatible behaviour).
3. A configuration with keepdefaultrules=false that includes overrides and passthroughs which behaves the same as the standard semgrep configuration https://gitlab.com/julianthome/keepdefaultconfig/-/merge_requests/4+s.

Does this MR meet the acceptance criteria?

• Changelog entry added
• Documentation created/updated for GitLab EE, if necessary
• Documentation created/updated for this project, if necessary
• Documentation reviewed by technical writer or follow-up review issue created
• Tests updated/added for this feature/bug
• Job definition updated, if necessary
  • Auto-DevOps template
  • Job definition example
  • CI Templates
• Conforms to the code review guidelines
• Conforms to the Go guidelines
• Security reports checked/validated by reviewer