Migrate from SAST_DEFAULT_ANALYZERS to SAST_EXCLUDED_ANALYZERS
Problem to solve
Right now, if you want to avoid running one particular SAST analyzer, you need to copy the long string of analyzers found here, remove the unwanted entry, and set the result as SAST_DEFAULT_ANALYZERS somewhere in your project's CI configuration. Doing so pins the list: any analyzer added to the template later is absent from your hard-coded value and is silently skipped, so the project loses coverage for new languages and frameworks without any warning in the pipeline. This gotcha is not obvious.
User experience goal
It should be easier for a user to avoid running a particular analyzer without the risk of losing out on getting to use newly added analyzers.
Proposal
We could add a SAST_EXCLUDED_ANALYZERS variable which would list only the analyzers the user wants to avoid running. Everything not named in it, including analyzers added to the template later, would continue to run.
Proposed Removal in %14.0
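The two ways a project could skip one analyzer, as an added illustration that is not part of the original issue or of the GitLab template itself. The analyzer names in the commented-out string and the `include:` path are assumptions for the sake of the example; the point is that the first form pins the list and the second does not.

```yaml
# Added example, not from the issue. The analyzer names below are
# illustrative; check the SAST template shipped with your GitLab version
# for the real default list.
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  # BEFORE (the pattern this issue wants to retire): to skip brakeman, the
  # whole default list is copied minus that one entry. An analyzer the
  # template adds later is not in this string and therefore never runs.
  #
  # SAST_DEFAULT_ANALYZERS: "bandit, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, sobelow, spotbugs"
  #
  # AFTER (proposed): name only what you want to skip. New analyzers keep
  # running. Several analyzers can be listed, comma separated.
  SAST_EXCLUDED_ANALYZERS: "brakeman"
```

A project should set exactly one of the two variables; during Phase I the template would have to honour both so that existing pipelines keep working until the old variable is removed.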
Implementation plan
Phase I (to be done with this issue)
- update SAST vendored template to add backward compatible support for SAST_EXCLUDED_ANALYZERS
- deprecation notice for SAST_DEFAULT_ANALYZERS
- update documentation to add SAST_EXCLUDED_ANALYZERS
- SAST Config UI update to support both variables - should not require frontend changes; the only impact on customers should be the removal of SAST_DEFAULT_ANALYZERS from, and the addition of SAST_EXCLUDED_ANALYZERS to, their .gitlab-ci.yml
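How the template side of Phase I could look, as an added sketch rather than the project's actual template: a per-analyzer job whose rules honour SAST_EXCLUDED_ANALYZERS first and fall back to the legacy SAST_DEFAULT_ANALYZERS only when a project still sets it. The job name, the `.sast-analyzer` base job it extends and the file pattern are placeholders, and the fragment assumes the template no longer sets a default value for SAST_DEFAULT_ANALYZERS.

```yaml
# Added sketch, not the shipped template. `.sast-analyzer` is assumed to be
# the template's hidden base job; the file pattern is a placeholder.
bandit-sast:
  extends: .sast-analyzer
  rules:
    # Global kill switch for the whole SAST stage.
    - if: $SAST_DISABLED
      when: never
    # Phase I: the new opt-out variable wins when it names this analyzer.
    - if: $SAST_EXCLUDED_ANALYZERS =~ /bandit/
      when: never
    # Backward compatibility: a project that still pins the legacy list
    # keeps its current behaviour. Unset (the new default) means "run".
    - if: $SAST_DEFAULT_ANALYZERS && $SAST_DEFAULT_ANALYZERS !~ /bandit/
      when: never
    # Otherwise run whenever the branch has matching source files.
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.py'
```

Phase II would delete the SAST_DEFAULT_ANALYZERS rule and leave the rest untouched. Note that `=~ /bandit/` is an unanchored substring match, so if an analyzer's name were ever contained in another's the pattern would need to be tightened to avoid excluding both.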
Phase II (to be done in follow-up issue)
- update SAST vendored template to remove support for SAST_DEFAULT_ANALYZERS and drop backward compatibility
- update QA to not rely on SAST_DEFAULT_ANALYZERS (CI configuration of the analyzer projects, shared CI config)
- SAST Config UI update to support SAST_EXCLUDED_ANALYZERS only and ignore SAST_DEFAULT_ANALYZERS
- update documentation
Further details
Take a look at this Merge Request for a proof of concept.
Limitations
The current proposal would only work with Docker in Docker disabled, which is currently the default and will be the only way to run SAST in the near future.
Docker in Docker is no longer supported, so the above is no longer a problem.
Risks
Removing/renaming SAST_DEFAULT_ANALYZERS could have unintended consequences. Removing it would break QA as it works right now.
Documentation
Release notes
Draft release post notes