Commit 1a9ccb74 authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch '220014-default-for-SAST_EXCLUDED_PATHS-DS_EXCLUDED_PATHS' into 'master'

Default for SAST_EXCLUDED_PATHS, DS_EXCLUDED_PATHS

Closes #220014

See merge request gitlab-org/gitlab!34076
parents 95b2dd8e 0649ea86
---
title: Set default values for SAST_EXCLUDED_PATHS and DS_EXCLUDED_PATHS
merge_request: 34076
author:
type: changed
...@@ -155,7 +155,7 @@ The following variables allow configuration of global dependency scanning settin ...@@ -155,7 +155,7 @@ The following variables allow configuration of global dependency scanning settin
| `DS_DEFAULT_ANALYZERS` | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). | | `DS_DEFAULT_ANALYZERS` | Override the names of the official default images. Read more about [customizing analyzers](analyzers.md). |
| `DS_DISABLE_DIND` | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. | | `DS_DISABLE_DIND` | Disable Docker-in-Docker and run analyzers [individually](#enabling-docker-in-docker). This variable is `true` by default. |
| `ADDITIONAL_CA_CERT_BUNDLE` | Bundle of CA certs to trust. | | `ADDITIONAL_CA_CERT_BUNDLE` | Bundle of CA certs to trust. |
| `DS_EXCLUDED_PATHS` | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. | | `DS_EXCLUDED_PATHS` | Exclude vulnerabilities from output based on the paths. A comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec`). Parent directories also match patterns. Default: `"spec, test, tests, tmp"` |
#### Configuring Docker-in-Docker orchestrator #### Configuring Docker-in-Docker orchestrator
......
...@@ -288,7 +288,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre ...@@ -288,7 +288,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre
| Environment variable | Default value | Description | | Environment variable | Default value | Description |
|-------------------------|---------------|-------------| |-------------------------|---------------|-------------|
| `SAST_EXCLUDED_PATHS` | - | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories will also match patterns. | | `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories will also match patterns. |
| `SAST_BANDIT_EXCLUDED_PATHS` | - | comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*'` | | `SAST_BANDIT_EXCLUDED_PATHS` | - | comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*'` |
| `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. | | `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. |
| `SAST_FLAWFINDER_LEVEL` | 1 | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk. | | `SAST_FLAWFINDER_LEVEL` | 1 | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk. |
......
...@@ -13,6 +13,7 @@ variables: ...@@ -13,6 +13,7 @@ variables:
DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX" DS_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python" DS_DEFAULT_ANALYZERS: "bundler-audit, retire.js, gemnasium, gemnasium-maven, gemnasium-python"
DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
DS_MAJOR_VERSION: 2 DS_MAJOR_VERSION: 2
DS_DISABLE_DIND: "true" DS_DISABLE_DIND: "true"
......
...@@ -13,6 +13,7 @@ variables: ...@@ -13,6 +13,7 @@ variables:
SAST_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX" SAST_ANALYZER_IMAGE_PREFIX: "$SECURE_ANALYZERS_PREFIX"
SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec" SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, tslint, secrets, sobelow, pmd-apex, kubesec"
SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
SAST_ANALYZER_IMAGE_TAG: 2 SAST_ANALYZER_IMAGE_TAG: 2
SAST_DISABLE_DIND: "true" SAST_DISABLE_DIND: "true"
SCAN_KUBERNETES_MANIFESTS: "false" SCAN_KUBERNETES_MANIFESTS: "false"
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment