Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
9eec6961
Commit
9eec6961
authored
May 10, 2021
by
Daniel Paul Searles
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Make semgrep generally available
parent
32474423
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
12 additions
and
10 deletions
+12
-10
changelogs/unreleased/semgrep-ga.yml
changelogs/unreleased/semgrep-ga.yml
+5
-0
doc/user/application_security/sast/index.md
doc/user/application_security/sast/index.md
+0
-2
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+5
-5
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
+1
-2
spec/services/ci/create_pipeline_service_spec.rb
spec/services/ci/create_pipeline_service_spec.rb
+1
-1
No files found.
changelogs/unreleased/semgrep-ga.yml
0 → 100644
View file @
9eec6961
---
title
:
Make semgrep generally available
merge_request
:
61412
author
:
type
:
changed
doc/user/application_security/sast/index.md
View file @
9eec6961
...
...
@@ -517,8 +517,6 @@ removed, or promoted to regular features at any time.
Experimental features available are:
-
Enable scanning of iOS and Android apps using the
[
MobSF analyzer
](
https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/
)
.
-
Enable the
[
semgrep analyzer
](
https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/
)
.
-
Semgrep may be inconsistent when reporting vulnerabilities found in minified JavaScript files.
#### Enable experimental features
...
...
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
View file @
9eec6961
...
...
@@ -62,18 +62,18 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
'Java'
|
{
'app.java'
=>
''
}
|
{}
|
%w(spotbugs-sast)
'Java with MobSF'
|
{
'app.java'
=>
''
}
|
{
'SAST_EXPERIMENTAL_FEATURES'
=>
'true'
}
|
%w(spotbugs-sast)
'Java without MobSF'
|
{
'AndroidManifest.xml'
=>
''
,
'a.java'
=>
''
}
|
{}
|
%w(spotbugs-sast)
'Javascript'
|
{
'app.js'
=>
''
}
|
{}
|
%w(eslint-sast)
'JSX'
|
{
'app.jsx'
=>
''
}
|
{}
|
%w(eslint-sast)
'Javascript'
|
{
'app.js'
=>
''
}
|
{}
|
%w(eslint-sast
semgrep-sast
)
'JSX'
|
{
'app.jsx'
=>
''
}
|
{}
|
%w(eslint-sast
semgrep-sast
)
'Javascript Node'
|
{
'package.json'
=>
''
}
|
{}
|
%w(nodejs-scan-sast)
'HTML'
|
{
'index.html'
=>
''
}
|
{}
|
%w(eslint-sast)
'Kubernetes Manifests'
|
{
'Chart.yaml'
=>
''
}
|
{
'SCAN_KUBERNETES_MANIFESTS'
=>
'true'
}
|
%w(kubesec-sast)
'Multiple languages'
|
{
'app.java'
=>
''
,
'app.js'
=>
''
}
|
{}
|
%w(eslint-sast spotbugs-sast)
'PHP'
|
{
'app.php'
=>
''
}
|
{}
|
%w(phpcs-security-audit-sast)
'Python'
|
{
'app.py'
=>
''
}
|
{}
|
%w(bandit-sast)
'Python'
|
{
'app.py'
=>
''
}
|
{}
|
%w(bandit-sast
semgrep-sast
)
'Ruby'
|
{
'config/routes.rb'
=>
''
}
|
{}
|
%w(brakeman-sast)
'Scala'
|
{
'app.scala'
=>
''
}
|
{}
|
%w(spotbugs-sast)
'Typescript'
|
{
'app.ts'
=>
''
}
|
{}
|
%w(eslint-sast)
'Typescript JSX'
|
{
'app.tsx'
=>
''
}
|
{}
|
%w(eslint-sast)
'Typescript'
|
{
'app.ts'
=>
''
}
|
{}
|
%w(eslint-sast
semgrep-sast
)
'Typescript JSX'
|
{
'app.tsx'
=>
''
}
|
{}
|
%w(eslint-sast
semgrep-sast
)
'Visual Basic'
|
{
'app.vbproj'
=>
''
}
|
{}
|
%w(security-code-scan-sast)
end
...
...
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
View file @
9eec6961
...
...
@@ -287,8 +287,7 @@ semgrep-sast:
-
if
:
$SAST_EXCLUDED_ANALYZERS =~ /semgrep/
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /semgrep/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
$SAST_DEFAULT_ANALYZERS =~ /semgrep/
exists
:
-
'
**/*.py'
-
'
**/*.js'
...
...
spec/services/ci/create_pipeline_service_spec.rb
View file @
9eec6961
...
...
@@ -532,7 +532,7 @@ RSpec.describe Ci::CreatePipelineService do
it
'pull it from Auto-DevOps'
do
pipeline
=
execute_service
expect
(
pipeline
).
to
be_auto_devops_source
expect
(
pipeline
.
builds
.
map
(
&
:name
)).
to
match_array
(
%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch test]
)
expect
(
pipeline
.
builds
.
map
(
&
:name
)).
to
match_array
(
%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch
semgrep-sast
test]
)
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment