Commit 9eec6961 authored by Daniel Paul Searles's avatar Daniel Paul Searles

Make semgrep generally available

parent 32474423
---
title: Make semgrep generally available
merge_request: 61412
author:
type: changed
......@@ -517,8 +517,6 @@ removed, or promoted to regular features at any time.
Experimental features available are:
- Enable scanning of iOS and Android apps using the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/).
- Enable the [semgrep analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/).
- Semgrep may be inconsistent when reporting vulnerabilities found in minified JavaScript files.
#### Enable experimental features
......
......@@ -62,18 +62,18 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast)
'Java with MobSF' | { 'app.java' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(spotbugs-sast)
'Java without MobSF' | { 'AndroidManifest.xml' => '', 'a.java' => '' } | {} | %w(spotbugs-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast)
'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast semgrep-sast)
'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast semgrep-sast)
'Javascript Node' | { 'package.json' => '' } | {} | %w(nodejs-scan-sast)
'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast)
'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast)
'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast spotbugs-sast)
'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast semgrep-sast)
'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast)
'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast semgrep-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast semgrep-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast)
end
......
......@@ -287,8 +287,7 @@ semgrep-sast:
- if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /semgrep/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
$SAST_DEFAULT_ANALYZERS =~ /semgrep/
exists:
- '**/*.py'
- '**/*.js'
......
......@@ -532,7 +532,7 @@ RSpec.describe Ci::CreatePipelineService do
it 'pull it from Auto-DevOps' do
pipeline = execute_service
expect(pipeline).to be_auto_devops_source
expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch test])
expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch semgrep-sast test])
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment