SAST & Secret-Detection Custom Rules - Modifying Pre-existing Rules - Overriding Properties
Problem to solve
To complete Custom Rulesets for SAST analyzers, we should provide the ability to modify specific rules for our individual Category:SAST and Category:Secret Detection analyzers, allowing their properties to be overridden.
Intended users
User experience goal
Better data quality for users in better aligning rule properties with organization expectations.
Proposal
- Update the SAST rules configuration file specification to allow individual rule values to be overridden, e.g. `severity = High`. These rules must match the primary identifier as defined by a given analyzer (perhaps `Value`?).
- Allowlist of override-able attributes: `name`, `message`, `description`, `severity`, `confidence`
- Validate supported override values
- Update `analyzers/command/run.go` to override any returned findings with values specified in the configuration file
Update analyzers to enable modifying pre-existing rules:
- brakeman
- phpcs-security-audit
- security-code-scan
- bandit
- eslint
- mobSF
- flawfinder
- gosec
- sobelow
- semgrep
- kubesec
- kics
- nodejs-scan
- secrets
- pmd-apex
- spotbugs
Example
```toml
[spotbugs]
[[spotbugs.ruleset]]
# Properties I'm overriding below
severity = "Low"
description = "Predictable random number generator detected, but I don't really care because this is a PoC to demonstrate crackable password hashes"
# Filter on identifier
[spotbugs.ruleset.identifier]
type = "find_sec_bugs_type" # not needed but for readability
value = "PREDICTABLE_RANDOM"
```
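As an added illustration (not code from this issue or from the analyzers' own `run.go`), here is how the override step proposed for `analyzers/command/run.go` could look in Go: an already-parsed `[[spotbugs.ruleset]]` entry is checked against the attribute allowlist and the supported values, then applied to every finding whose primary identifier matches. The struct shapes, the field names `Type`/`Value`/`Primary`, and the set of severity/confidence levels are assumptions.

```go
package main

import "fmt"

// Identifier is the primary identifier an override filters on (field names assumed from the TOML `type`/`value` keys).
type Identifier struct{ Type, Value string }
// Finding is a minimal stand-in for an analyzer finding (assumed shape).
type Finding struct {
	Name, Message, Description, Severity, Confidence string
	Primary                                          Identifier
}
// RuleOverride mirrors one [[<analyzer>.ruleset]] entry: identifier plus overridden properties keyed by TOML attribute.
type RuleOverride struct {
	Identifier Identifier
	Props      map[string]string
}
// overridable is the allowlist from the proposal, mapping each attribute to the field it rewrites.
func overridable(f *Finding) map[string]*string {
	return map[string]*string{"name": &f.Name, "message": &f.Message, "description": &f.Description, "severity": &f.Severity, "confidence": &f.Confidence}
}
// levels is the assumed set of supported severity/confidence values.
var levels = map[string]bool{"Info": true, "Unknown": true, "Low": true, "Medium": true, "High": true, "Critical": true}
// Validate rejects any override naming a non-allowlisted attribute or an unsupported severity/confidence value.
func Validate(overrides []RuleOverride) error {
	for _, o := range overrides {
		for k, v := range o.Props {
			if overridable(&Finding{})[k] == nil || ((k == "severity" || k == "confidence") && !levels[v]) {
				return fmt.Errorf("override %s=%q rejected: not overridable or unsupported value", k, v)
			}
		}
	}
	return nil
}
// ApplyOverrides validates the whole config first (so a bad entry never half-applies), then rewrites findings whose primary identifier matches.
func ApplyOverrides(findings []Finding, overrides []RuleOverride) error {
	if err := Validate(overrides); err != nil {
		return err
	}
	for _, o := range overrides {
		for i := range findings {
			if findings[i].Primary == o.Identifier { // struct equality: both type and value
				for k, v := range o.Props {
					*overridable(&findings[i])[k] = v
				}
			}
		}
	}
	return nil
}
```

Rejecting the whole configuration before any finding is touched is the behaviour the "Validate supported override values" step needs so that a typo in one entry cannot silently downgrade only part of a report.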
Further details
Permissions and Security
No change to permissions
Documentation
- Document functionality within Static Application Security Testing docs
- Document functionality within Secret Detection Testing docs
Availability & Testing
- Add test ensuring overridden rule generates findings matching the override value
What does success look like, and how can we measure that?
Rules can be disabled if considered insignificant to users
What is the type of buyer?
Is this a cross-stage feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.