
Default values for SAST_EXCLUDED_PATHS, DS_EXCLUDED_PATHS

Problem to solve

SAST and Dependency Scanning (DS) should exclude certain directories by default, such as the directories containing tests or vendored packages, so that users don't have to configure this themselves. See the vulnerability filters sections of the SAST documentation and the Dependency Scanning documentation.

Also, the list of excluded directories should be consistent with how projects compatible with SAST and DS are detected. Currently we can end up in the odd situation where a directory that is ignored during project detection is nevertheless scanned once the scan has been triggered by some other file or directory.

Intended users

TODO

User experience goal

Proposal

Set default values for SAST_EXCLUDED_PATHS and DS_EXCLUDED_PATHS, in the CI configuration templates for SAST and Dependency Scanning, respectively.

Further details

Currently SAST_EXCLUDED_PATHS and DS_EXCLUDED_PATHS have no default values, so all directories are scanned, including the ones that contain tests, specs, or vendored packages. This is inconsistent with project detection, which is implemented in the search package of the common library and skips a fixed set of directories. See the default value of SEARCH_IGNORED_DIRS:

var defaultIgnoredDirs = cli.StringSlice([]string{"bundle", "node_modules", "vendor", "tmp", "test", "tests"})

See SEARCH_IGNORE_HIDDEN_DIRS as well.
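The mismatch described above (a file inside a directory that detection ignores still being scanned) can be made concrete with a small consistency check. The following Go program is an added example for this issue, not code from the common library or from the analyzers: it reuses the SEARCH_IGNORED_DIRS default quoted above, parses a comma-separated *_EXCLUDED_PATHS value the way this example assumes the variables are read, and lists the files that detection would skip but a scan would still cover. The file tree is constructed for the example, the directory-component matching is a simplification of the analyzers' real path matching, and DefaultExcludedPaths is this example's proposed default, not the value the CI templates ship.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// defaultIgnoredDirs mirrors the SEARCH_IGNORED_DIRS default quoted in the
// issue: project detection skips these directories.
var defaultIgnoredDirs = []string{"bundle", "node_modules", "vendor", "tmp", "test", "tests"}

// DefaultExcludedPaths is the default this example proposes for
// SAST_EXCLUDED_PATHS / DS_EXCLUDED_PATHS: the detection list, in the
// comma-separated form the variables use (an assumption of this example).
var DefaultExcludedPaths = strings.Join(defaultIgnoredDirs, ", ")

// sampleProject is a constructed file tree, not a real project.
var sampleProject = []string{
	"app/models/user.rb",
	"lib/parser.rb",
	"test/parser_test.rb",
	"tmp/cache/generated.rb",
	"vendor/bundle/gems/foo/lib/foo.rb",
	"node_modules/left-pad/index.js",
}

// ParseExcludedPaths splits an *_EXCLUDED_PATHS value into entries, trimming
// whitespace and slashes. An empty value (today's default) excludes nothing.
func ParseExcludedPaths(value string) []string {
	var out []string
	for _, entry := range strings.Split(value, ",") {
		entry = strings.Trim(strings.TrimSpace(entry), "/")
		if entry != "" {
			out = append(out, entry)
		}
	}
	return out
}

// inDirs reports whether any directory component of file is listed in dirs,
// so "lib/test/x.rb" matches "test". This component match is a simplification
// of the analyzers' real path matching (an assumption of this example).
func inDirs(file string, dirs []string) bool {
	for _, part := range strings.Split(path.Dir(file), "/") {
		for _, d := range dirs {
			if part == d {
				return true
			}
		}
	}
	return false
}

// DetectedFiles returns the files project detection looks at: everything
// outside defaultIgnoredDirs.
func DetectedFiles(files []string) []string {
	var out []string
	for _, f := range files {
		if !inDirs(f, defaultIgnoredDirs) {
			out = append(out, f)
		}
	}
	return out
}

// ScannedFiles returns the files a scan covers for a given excluded-paths value.
func ScannedFiles(files []string, excludedPaths string) []string {
	excluded := ParseExcludedPaths(excludedPaths)
	var out []string
	for _, f := range files {
		if !inDirs(f, excluded) {
			out = append(out, f)
		}
	}
	return out
}

// ScannedButIgnored lists files that detection ignores yet the scan still
// covers: the inconsistency the issue describes. It is empty once the
// excluded-paths value covers every directory detection ignores.
func ScannedButIgnored(files []string, excludedPaths string) []string {
	var out []string
	for _, f := range ScannedFiles(files, excludedPaths) {
		if inDirs(f, defaultIgnoredDirs) {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, value := range []string{"", DefaultExcludedPaths} {
		fmt.Printf("SAST_EXCLUDED_PATHS=%q\n", value)
		fmt.Printf("  detected: %d, scanned: %d, scanned but ignored by detection: %v\n",
			len(DetectedFiles(sampleProject)),
			len(ScannedFiles(sampleProject, value)),
			ScannedButIgnored(sampleProject, value))
	}
}
```

With the variable empty, detection considers two files of the constructed tree while the scan covers all six, so four files sit in directories detection ignores; with the detection list as the default, the two sets coincide and the check returns nothing.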

Permissions and Security

No change.

Documentation

To be documented in SAST and Dependency Scanning documentation.

Availability & Testing

To be tested during QA using the test projects and the downstream pipelines.

What does success look like, and how can we measure that?

Users usually don't have to set SAST_EXCLUDED_PATHS or DS_EXCLUDED_PATHS because the default values for these variables match their needs.

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

Yes, this is relevant to SAST, Dependency Scanning, and Secret Detection scanners. These are maintained by group::static analysis and group::composition analysis.

Links / references

/cc @NicoleSchwartz @tmccaslin @twoodham @gonzoyumo @theoretick

Edited by Fabien Catteau