Default for SAST_EXCLUDED_PATHS, DS_EXCLUDED_PATHS

Set default values for SAST_EXCLUDED_PATHS, DS_EXCLUDED_PATHS.
These are aligned with SEARCH_IGNORED_DIRS used by the detection logic,
in the common/search package.

See https://gitlab.com/gitlab-org/gitlab/-/issues/220014

changelogs/unreleased/220014-default-for-SAST_EXCLUDED_PATHS-DS_EXCLUDED_PATHS.yml

+---
+title: Set default values for SAST_EXCLUDED_PATHS and DS_EXCLUDED_PATHS
+merge_request: 34076
+author:
+type: changed

doc/user/application_security/dependency_scanning/index.md

@@ -155,7 +155,7 @@ The following variables allow configuration of global dependency scanning settin
 | `DS_DEFAULT_ANALYZERS`                  | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
 | `DS_DISABLE_DIND`                       | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. |
 | `ADDITIONAL_CA_CERT_BUNDLE`             | Bundle of CA certs to trust. |
-| `DS_EXCLUDED_PATHS`                     | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. |
+| `DS_EXCLUDED_PATHS`                     | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. Default: `"spec, test, tests, tmp"` |
 
 #### Configuring Docker-in-Docker orchestrator
 

doc/user/application_security/sast/index.md

@@ -288,7 +288,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
 
 | Environment variable    | Default value | Description |
 |-------------------------|---------------|-------------|
-| `SAST_EXCLUDED_PATHS`         | -   | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories will also match patterns. |
+| `SAST_EXCLUDED_PATHS`         | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories will also match patterns. |
 | `SAST_BANDIT_EXCLUDED_PATHS`  | -   | comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*'` |
 | `SAST_BRAKEMAN_LEVEL`   |         1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. |
 | `SAST_FLAWFINDER_LEVEL` |         1 | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk. |

lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml

@@ -13,6 +13,7 @@ variables:
   DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
 
   DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
+  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
   DS_MAJOR_VERSION: 2
   DS_DISABLE_DIND: "true"
 

lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

@@ -13,6 +13,7 @@ variables:
   SAST_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
 
   SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
+  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
   SAST_ANALYZER_IMAGE_TAG: 2
   SAST_DISABLE_DIND: "true"
   SCAN_KUBERNETES_MANIFESTS: "false"