Enforced Scan Execution can be circumvented by "SAST_EXCLUDED_ANALYZERS" variable

Summary

When scan execution is enforced, Owner or Maintainer users can still disable the scanning by setting the SAST_EXCLUDED_ANALYZERS variable. The variable can be set inside the YAML file or under the CI/CD settings.

Steps to reproduce

  • Configure the Scan execution policies:

```yaml
name: test
description: ''
enabled: true
actions:
- scan: sast
  tags: []
rules:
- type: pipeline
  branch_type: all
```

  • Run pipeline → Confirmed that SAST worked.
  • Set SAST_EXCLUDED_ANALYZERS to the value brakeman
  • Run pipeline → No SAST job ran
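To show why the variable wins over the enforced policy, here is an added Ruby model (not GitLab's code) of a SAST job whose rules are shaped like those in the SAST CI template, together with the rule stripping that enforcement applies before and after the fix proposed below. The job configuration, the three-shape rule evaluator and the marker lists are constructed for this illustration and are simplified relative to real GitLab rule syntax.

```ruby
# Constructed SAST job, simplified from the shape of the SAST CI template:
# the "_DISABLED" and "_EXCLUDED_ANALYZERS" rules turn the job off with `when: never`.
SAST_JOB = {
  rules: [
    { if: "$SAST_DISABLED == 'true'", when: 'never' },
    { if: '$SAST_EXCLUDED_ANALYZERS =~ /brakeman/', when: 'never' },
    { if: '$CI_COMMIT_BRANCH' }
  ]
}.freeze

# Minimal evaluator for the three `if:` shapes used above (assumption: real GitLab
# rule expressions are richer; this is just enough to demonstrate the bypass).
def rule_matches?(condition, variables)
  case condition
  when /\A\$(\w+) == '([^']*)'\z/ then variables[$1] == $2
  when %r{\A\$(\w+) =~ /([^/]+)/\z} then variables[$1].to_s.match?(Regexp.new($2))
  when /\A\$(\w+)\z/ then !variables[$1].to_s.empty?
  else raise ArgumentError, "unsupported condition: #{condition}"
  end
end

# GitLab rules semantics: the first matching rule decides, and `when: never` skips the job.
def job_runs?(job, variables)
  hit = job[:rules].find { |rule| rule_matches?(rule[:if], variables) }
  !hit.nil? && hit[:when] != 'never'
end

# Enforcement strips every rule whose condition mentions one of the given markers.
def strip_disabling_rules(job, markers)
  rules = job[:rules].reject { |rule| markers.any? { |m| rule[:if].include?(m) } }
  job.merge(rules: rules)
end

BEFORE_FIX = %w[_DISABLED].freeze                                      # current behaviour
AFTER_FIX  = %w[_DISABLED _EXCLUDED_ANALYZERS _EXCLUDED_PATHS].freeze  # proposed fix

# Does the enforced SAST job run for a pipeline with these CI variables?
def enforced_job_runs?(markers, variables)
  job_runs?(strip_disabling_rules(SAST_JOB, markers), variables)
end

if __FILE__ == $PROGRAM_NAME
  vars = { 'CI_COMMIT_BRANCH' => 'main', 'SAST_EXCLUDED_ANALYZERS' => 'brakeman' }
  puts "before fix: #{enforced_job_runs?(BEFORE_FIX, vars)}"  # false: the job is skipped
  puts "after fix:  #{enforced_job_runs?(AFTER_FIX, vars)}"   # true: the job is enforced
end
```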

Example Project

https://gitlab.com/gitlab-gold/anagayama/zd430704

What is the current bug behavior?

Enforced scan execution can be disabled by a variable.

What is the expected correct behavior?

It should not be possible to disable enforced scan execution with a variable.

Relevant logs and/or screenshots

Screenshot_2023-08-02_at_15.14.13

Screenshot_2023-08-02_at_15.14.23


Possible fixes

  • Backend: disallow using additional variables to skip the enforced job:
diff --git a/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb b/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
index d075a4d9c9c4..9effa1ccc75c 100644
--- a/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/ci_configuration_service.rb
@@ -81,7 +81,9 @@ def remove_extends!(job_configuration)
       end
 
       def remove_rule_to_disable_job!(job_configuration)
-        job_configuration[:rules]&.reject! { |rule| rule[:if]&.include?('_DISABLED') }
+        job_configuration[:rules]&.reject! do |rule|
+          rule[:if]&.include?('_DISABLED') || rule[:if]&.include?('_EXCLUDED_ANALYZERS') || rule[:if]&.include?('_EXCLUDED_PATHS')
+        end
       end
     end
   end
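Review bot: the rejection in `remove_rule_to_disable_job!` now keys on three substrings of `rule[:if]`, so any rule whose condition merely mentions `_EXCLUDED_ANALYZERS` or `_EXCLUDED_PATHS` is dropped, including a compound condition that also carries a legitimate clause joined with `&&`; a spec covering such a compound rule (and one for a rule with no `if:`, where `rule[:if]` is nil) would pin down the intended behaviour. The three chained `&.include?` calls also repeat the nil-safe access on one long line; a frozen constant such as `DISABLING_RULE_MARKERS = %w[_DISABLED _EXCLUDED_ANALYZERS _EXCLUDED_PATHS].freeze` with `DISABLING_RULE_MARKERS.any? { |marker| rule[:if]&.include?(marker) }` keeps the marker list in one place and within the line-length limit.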
Edited by Alan (Maciej) Paruszewski