
Update CI jobs that only trigger when files have changed

Craig Smith requested to merge craigmsmith-compare-changes-to-head into main

What does this MR do?

The CI jobs that include:

rulecheck-yaml-extensions:
  ...
  rules:
    - changes:
      - "{c,csharp,go,java,javascript,python,rules,scala}/**/*"

only run for the commit in which one of those files is changed. For example, if for an MR a rule is changed in one commit, then subsequently the changelog is updated, the subsequent commit won't trigger the rulecheck-yaml-extensions job. This can cause confusion.

This MR updates the CI jobs with change rules so that those jobs run whenever the MR's pipeline runs, if the MR changes any of the relevant files.

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

  • The test cases cover both positive and negative cases and are also annotated with appropriate semgrep annotations:
    • For positive cases: // ruleid: ...
    • For negative cases: // ok: ....
  • Following metadata fields exist for the rule(s) added/updated in this MR:
    • owasp with both 2017 and 2021 mappings.
    • category: "security"
    • cwe
    • shortDescription
    • security-severity
  • The message field is valid and contains a secure code example.
  • Applicable license is mentioned in the rule if embedded/taken from external source.
  • Relevant labels including workflow labels are appropriately selected.
Edited by Craig Smith
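The behaviour described in this MR, reproduced with plain git as an added example that is not part of the MR or of the project's CI configuration. The demo repository, the helper names and the use of `git diff` to stand in for GitLab's change detection are assumptions.

```shell
#!/usr/bin/env bash
# Constructed demo: an MR branch whose first commit edits a rule and whose
# second commit edits only the changelog. Helper names are hypothetical.
set -eu

# True if any path on stdin falls under the directories in the job's
# changes pattern (a shell approximation of the glob, not GitLab's matcher).
matches_rule_dirs() {
  while IFS= read -r path; do
    case "$path" in
      c/*|csharp/*|go/*|java/*|javascript/*|python/*|rules/*|scala/*) return 0 ;;
    esac
  done
  return 1
}

# git with a throwaway identity so commits work on any machine.
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

build_repo() {
  cd "$(mktemp -d)"
  g init -q
  g symbolic-ref HEAD refs/heads/main
  mkdir -p python
  echo "rules: []" > python/rule.yml
  echo "# Changelog" > CHANGELOG.md
  g add .
  g commit -q -m "initial"
  g checkout -q -b mr-branch
  echo "# edited" >> python/rule.yml
  g commit -q -am "change rule"
  echo "- rule updated" >> CHANGELOG.md
  g commit -q -am "update changelog"
}

# Decision when only the most recent commit is inspected.
job_runs_last_commit() {
  if git diff --name-only HEAD~1 HEAD | matches_rule_dirs; then echo run; else echo skip; fi
}

# Decision when everything the branch changed relative to main is inspected.
job_runs_vs_main() {
  if git diff --name-only main...HEAD | matches_rule_dirs; then echo run; else echo skip; fi
}

build_repo
echo "latest commit only: $(job_runs_last_commit)"
echo "compared with main: $(job_runs_vs_main)"
```

On the changelog-only commit the first check skips the job even though the branch still carries an unvalidated rule change, while the comparison against main keeps the job running.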
