Merge branch '328066-semgrep-config-ui' into 'master'

Enable Semgrep analyzer in Configuration UI

See merge request gitlab-org/gitlab!60460

app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json

@@ -160,6 +160,13 @@
             "description": ".NET Core, .NET Framework",
             "variables": []
         },
+        {
+            "name": "semgrep",
+            "label": "Semgrep",
+            "enabled": true,
+            "description": "Multi-language scanning",
+            "variables": []
+        },
         {
             "name": "sobelow",
             "label": "Sobelow",

changelogs/unreleased/328066-semgrep-config-ui.yml

+---
+title: Add semgrep to SAST config UI
+merge_request: 60460
+author:
+type: added

lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

@@ -292,7 +292,7 @@ semgrep-sast:
     # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
     # override the analyzer image with a custom value. This may be subject to change or
     # breakage across GitLab releases.
-    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:latest"
+    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
   rules:
     - if: $SAST_DISABLED
       when: never

lib/security/ci_configuration/sast_build_action.rb

@@ -3,7 +3,7 @@
 module Security
   module CiConfiguration
     class SastBuildAction < BaseBuildAction
-      SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, sobelow, spotbugs'
+      SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, semgrep, sobelow, spotbugs'
 
       def initialize(auto_devops_enabled, params, existing_gitlab_ci_content)
         super(auto_devops_enabled, existing_gitlab_ci_content)