Prevent analyzers from being excluded in scan execution pipelines (!130082) · Merge requests · GitLab.org / GitLab

Martin Čavoj requested to merge 420700-enforced-scan-execution-can-be-circumvented-by-sast_excluded_analyzers-variable into master Aug 23, 2023

What does this MR do and why?

This MR fixes an oversight where it was possible to exclude certain analyzers from being run in scan execution pipelines.

Screenshots or screen recordings

Before	After

How to set up and validate locally

Add .gitlab-ci.yml:

build-job:
  stage: build
  script:
  - echo "Compiling the code..."
  - echo "Compile complete."
include:
- template: Security/SAST.gitlab-ci.yml

Add run_os_script.rb file into the project:

class Generic
  def run_on_system
    system("ls")
  end
end

Go to Secure -> Policies and create a new Scan Execution policy

name: SAST
description: ''
enabled: true
actions:
- scan: sast
rules:
- type: pipeline
  branches:
  - "*"

Go to Settings -> CI/CD -> Variables and add a new variable:
Go to Pipelines and run a new pipeline for the main branch
Verify that brakeman-sast-0 job is still present in the pipeline

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Related to #420700 (closed)

Edited Aug 23, 2023 by Martin Čavoj

Prevent analyzers from being excluded in scan execution pipelines

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports