Merge branch 'add-SAST_EXCLUDED_ANALYZERS-docs' into 'master'

Add documentation for SAST_EXCLUDED_ANALYZERS See merge request gitlab-org/gitlab!50995

Merge branch 'add-SAST_EXCLUDED_ANALYZERS-docs' into 'master'
Add documentation for SAST_EXCLUDED_ANALYZERS See merge request gitlab-org/gitlab!50995
58f468a0 · Suzanne Selhorn · 59814bbf · 0a65baaa · 58f468a0 · 58f468a0
Commit 58f468a0 authored Jan 14, 2021 by Suzanne Selhorn
Showing with 23 additions and 4 deletions

doc/user/application_security/sast/analyzers.md doc/user/application_security/sast/analyzers.md +21 -3

doc/user/application_security/sast/index.md doc/user/application_security/sast/index.md +2 -1

No files found.
--- a/doc/user/application_security/sast/analyzers.md
+++ b/doc/user/application_security/sast/analyzers.md
@@ -68,6 +68,10 @@ the official analyzers.

 ### Selecting specific analyzers

+WARNING:
+`SAST_DEFAULT_ANALYZERS` is [deprecated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50872) in GitLab 13.8,
+and is scheduled for [removal in GitLab 14.0](https://gitlab.com/gitlab-org/gitlab/-/issues/290777).
+
 You can select the official analyzers you want to run. Here's how to enable
 `bandit` and `flawfinder` while disabling all the other default ones.
 In `.gitlab-ci.yml` define:
@@ -83,9 +87,9 @@ variables:
 `bandit` runs first. When merging the reports, SAST
 removes the duplicates and keeps the `bandit` entries.

-### Disabling default analyzers
+### Disabling all default analyzers

-Setting `SAST_DEFAULT_ANALYZERS` to an empty string disables all the official
+Setting `SAST_DISABLED` to `true` disables all the official
 default analyzers. In `.gitlab-ci.yml` define:

 ```yaml
@@ -93,11 +97,25 @@ include:
  - template: Security/SAST.gitlab-ci.yml

 variables:
-  SAST_DEFAULT_ANALYZERS: ""
+  SAST_DISABLED: true
 ```

 That's needed when one totally relies on [custom analyzers](#custom-analyzers).

+### Disabling specific default analyzers
+
+Set `SAST_EXCLUDED_ANALYZERS` to a comma-delimited string that includes the official
+default analyzers that you want to avoid running. In `.gitlab-ci.yml` define the
+following to prevent the `eslint` analyzer from running:
+
+```yaml
+include:
+  - template: Security/SAST.gitlab-ci.yml
+
+variables:
+  SAST_EXCLUDED_ANALYZERS: "eslint"
+```
+
 ## Custom Analyzers

 You can provide your own analyzers by

--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -431,7 +431,8 @@ The following are Docker image-related variables.
 |---------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
 | `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md). |
 | `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md).                 |
-| `SAST_DEFAULT_ANALYZERS`  | Override the names of default images. Read more about [customizing analyzers](analyzers.md).                                          |
+| `SAST_DEFAULT_ANALYZERS`  | **DEPRECATED:** Override the names of default images. Scheduled for [removal in GitLab 14.0](https://gitlab.com/gitlab-org/gitlab/-/issues/290777).                          |
+| `SAST_EXCLUDED_ANALYZERS` | Names of default images that should never run. Read more about [customizing analyzers](analyzers.md).                                 |

 #### Vulnerability filters