Commit 6330a060 authored by Stan Hu's avatar Stan Hu

Merge branch 'semgrep-ga' into 'master'

Make semgrep generally available

See merge request gitlab-org/gitlab!61412
parents c3ad66b0 9eec6961
---
title: Make semgrep generally available
merge_request: 61412
author:
type: changed
...@@ -517,8 +517,6 @@ removed, or promoted to regular features at any time. ...@@ -517,8 +517,6 @@ removed, or promoted to regular features at any time.
Experimental features available are: Experimental features available are:
- Enable scanning of iOS and Android apps using the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/). - Enable scanning of iOS and Android apps using the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/).
- Enable the [semgrep analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/).
- Semgrep may be inconsistent when reporting vulnerabilities found in minified JavaScript files.
#### Enable experimental features #### Enable experimental features
......
...@@ -64,18 +64,18 @@ RSpec.describe 'SAST.gitlab-ci.yml' do ...@@ -64,18 +64,18 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast) 'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast)
'Java with MobSF' | { 'app.java' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(spotbugs-sast) 'Java with MobSF' | { 'app.java' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(spotbugs-sast)
'Java without MobSF' | { 'AndroidManifest.xml' => '', 'a.java' => '' } | {} | %w(spotbugs-sast) 'Java without MobSF' | { 'AndroidManifest.xml' => '', 'a.java' => '' } | {} | %w(spotbugs-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast) 'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast semgrep-sast)
'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast) 'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast semgrep-sast)
'Javascript Node' | { 'package.json' => '' } | {} | %w(nodejs-scan-sast) 'Javascript Node' | { 'package.json' => '' } | {} | %w(nodejs-scan-sast)
'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast) 'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast)
'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast) 'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast)
'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast spotbugs-sast) 'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast spotbugs-sast)
'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast) 'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast) 'Python' | { 'app.py' => '' } | {} | %w(bandit-sast semgrep-sast)
'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast) 'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast)
'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast) 'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast) 'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast semgrep-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast) 'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast semgrep-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast) 'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast)
end end
......
...@@ -287,8 +287,7 @@ semgrep-sast: ...@@ -287,8 +287,7 @@ semgrep-sast:
- if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/ - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
when: never when: never
- if: $CI_COMMIT_BRANCH && - if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /semgrep/ && $SAST_DEFAULT_ANALYZERS =~ /semgrep/
$SAST_EXPERIMENTAL_FEATURES == 'true'
exists: exists:
- '**/*.py' - '**/*.py'
- '**/*.js' - '**/*.js'
......
...@@ -532,7 +532,7 @@ RSpec.describe Ci::CreatePipelineService do ...@@ -532,7 +532,7 @@ RSpec.describe Ci::CreatePipelineService do
it 'pull it from Auto-DevOps' do it 'pull it from Auto-DevOps' do
pipeline = execute_service pipeline = execute_service
expect(pipeline).to be_auto_devops_source expect(pipeline).to be_auto_devops_source
expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch test]) expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch semgrep-sast test])
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment