feat: add remote security scanning
Description
This MR adds a feature that will allow users to scan their code for security vulnerabilities using a new feature in gitlab-lsp.
The following settings have been added:
- gitlab.featureFlags.remoteSecurityScans - passed to the language server to enable/disable responding to textDocument/didSave notifications
- gitlab.securityScans.serviceUrl - passed to the language server as the endpoint used (when the feature is enabled) to initiate a scan on save
The command gl.runSecurityScan has also been added, primarily for testing. It sends a textDocument/didSave notification for the current document, initiating a scan on demand.
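As an added illustration of the save-triggered flow described above (this is example code written for this page, not code from gitlab-lsp or gitlab-vscode-extension): the notification the command sends is a plain LSP textDocument/didSave message, and the server side only turns it into a scan request when the feature flag is on and the configured endpoint is an http(s) URL. The function names, the ScanRequest shape and the sample file path are assumptions made for the example; the two setting values are the ones from the testing steps below.

```typescript
// Added example: models the didSave -> scan gate this MR describes.
// NOT code from gitlab-lsp or the VS Code extension; buildDidSaveNotification,
// handleDidSave and the ScanRequest shape are assumptions for illustration.

// Shape of an LSP textDocument/didSave notification (JSON-RPC 2.0).
interface DidSaveNotification {
  jsonrpc: "2.0";
  method: "textDocument/didSave";
  params: { textDocument: { uri: string }; text?: string };
}

// The two settings the MR passes to the language server.
interface SecurityScanSettings {
  remoteSecurityScans: boolean; // gitlab.featureFlags.remoteSecurityScans
  serviceUrl: string;           // gitlab.securityScans.serviceUrl
}

// What the server would hand to its HTTP layer to start a scan (assumed shape).
interface ScanRequest {
  endpoint: string;
  uri: string;
}

// What a command like gl.runSecurityScan sends for the current document.
export function buildDidSaveNotification(uri: string, text?: string): DidSaveNotification {
  const params: DidSaveNotification["params"] = { textDocument: { uri } };
  if (text !== undefined) params.text = text;
  return { jsonrpc: "2.0", method: "textDocument/didSave", params };
}

// Returns true only for an absolute http(s) URL; anything else (empty string,
// other schemes, unparsable input) is rejected so source text is never posted
// to an unexpected destination.
function isHttpUrl(value: string): boolean {
  try {
    const u = new URL(value);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false;
  }
}

// Server-side gate: with the feature flag off the notification is ignored
// (returns null); with it on, a scan request targeting serviceUrl is produced.
export function handleDidSave(settings: SecurityScanSettings, msg: DidSaveNotification): ScanRequest | null {
  if (!settings.remoteSecurityScans) return null;
  // Only on-disk files are scanned; untitled or virtual documents are skipped.
  if (!msg.params.textDocument.uri.startsWith("file://")) return null;
  if (!isHttpUrl(settings.serviceUrl)) return null;
  return { endpoint: settings.serviceUrl, uri: msg.params.textDocument.uri };
}

// Constructed sample input (not from the page): the settings used in the
// testing steps and a save of an assumed test file path.
export const sampleSettings: SecurityScanSettings = {
  remoteSecurityScans: true,
  serviceUrl: "http://localhost:8080/scan",
};
export const sampleSave = buildDidSaveNotification("file:///tmp/test-project/vuln.py");
```

With the flag set to false, handleDidSave returns null for the same save, which is the behaviour the feature flag setting is meant to control.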
Related Issues
- Add SAST scan feature to gitlab-lsp (gitlab#464097 - closed) • Jason Leasure • 17.4
- SAST Scanning in VS Code (gitlab#468473 - closed) • Erran Carey • Next 4-6 releases
For context
- the engineering epic: Static Analysis: real-time IDE SAST technical i... (&13753)
- the product epic: Scan for SAST findings as developers work in ID... (&10283)
How has this been tested?
The only testing has been ad-hoc with a local instance of the scanning service.
- checkout
    git clone -b add-lsp git@gitlab.com:gitlab-org/secure/sast-ide-integration.git
    cd sast-ide-integration
    ./scripts/setup.sh
    # to track branches
    git -C gitlab-lsp switch main
    git -C gitlab-vscode-extension switch sast-ide_add-lsp
- start the service locally
    ./scripts/start-scanner-service.sh
- Install or debug ./gitlab-vscode-extension.
- Open a test project with the following settings
    "gitlab.featureFlags.remoteSecurityScans": true,
    "gitlab.securityScans.serviceUrl": "http://localhost:8080/scan"
- add a vulnerable file to the test project, e.g. a test file from the sast-rules projects like this one
- save the file or run the command GitLab: Run Security Scan to start a scan.
What CHANGELOG entry will this MR create?
- fix: Bug fix - fixes a user-facing issue in production - included in changelog
- feature: New feature - a user-facing change which adds functionality - included in changelog
- BREAKING CHANGE: (fix or feature that would cause existing functionality to change) - should bump major version, mentioned in the changelog
- None - other non-user-facing changes
Edited by Erran Carey