Add support for disabling predefined rules via custom rulesets
What does this MR do?
This merge request updates the `convert` function to ensure that rules disabled in the ruleset are not included in the SAST report. This change addresses an inconsistency between our documentation and the implementation.
Background
In our documentation (https://docs.gitlab.com/ee/user/application_security/sast/customize_rulesets.html#disable-predefined-rules), we stated that all SAST analyzers support the "Disable Predefined Rules" feature. However, it was discovered that this particular analyzer did not adhere to this statement.
Changes
- Move the `elixir-phoenix` fixture to `elixir-phoenix/default`
- Introduce a new fixture, `elixir-phoenix/with-rules-disabled`, which adds a `.gitlab/sast-rules.toml`
- Add an integration spec to test that rules are disabled
- Update the `convert` function to exclude rules that are disabled in the ruleset from the final SAST report
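The filtering step this MR describes, as an added example in Go that is not the analyzer's own code: the ruleset is shown already parsed into a struct (the real analyzer reads `.gitlab/sast-rules.toml` through its ruleset loader, whose types are not reproduced here), and the identifier type `example_rule_id`, the rule values and the findings are constructed sample data. A finding is dropped when any of its identifiers matches a ruleset entry with `disable = true`; entries that are present but not disabled leave their findings untouched.

```go
package main

import "fmt"

// Identifier is the (type, value) pair shared by report findings and ruleset
// entries. Hypothetical type for this example.
type Identifier struct {
	Type  string
	Value string
}

// Vulnerability is a reduced stand-in for one SAST report finding.
type Vulnerability struct {
	Name        string
	Identifiers []Identifier
}

// RulesetEntry is a reduced stand-in for one [[<analyzer>.ruleset]] block of
// .gitlab/sast-rules.toml after parsing (assumed shape, not the real loader's type).
type RulesetEntry struct {
	Disable    bool
	Identifier Identifier
}

// disabledSet collects the identifiers of every entry marked disable = true.
func disabledSet(entries []RulesetEntry) map[Identifier]bool {
	out := map[Identifier]bool{}
	for _, e := range entries {
		if e.Disable {
			out[e.Identifier] = true
		}
	}
	return out
}

// isDisabled reports whether any identifier on the finding is disabled.
func isDisabled(v Vulnerability, disabled map[Identifier]bool) bool {
	for _, id := range v.Identifiers {
		if disabled[id] {
			return true
		}
	}
	return false
}

// filterDisabled returns the findings the ruleset does not disable, in order.
// This is the step the MR adds to convert before the report is written.
func filterDisabled(vulns []Vulnerability, entries []RulesetEntry) []Vulnerability {
	disabled := disabledSet(entries)
	kept := make([]Vulnerability, 0, len(vulns))
	for _, v := range vulns {
		if !isDisabled(v, disabled) {
			kept = append(kept, v)
		}
	}
	return kept
}

// sampleFindings is constructed data: three findings from three rules.
func sampleFindings() []Vulnerability {
	return []Vulnerability{
		{Name: "finding A", Identifiers: []Identifier{{"example_rule_id", "rule-a"}}},
		{Name: "finding B", Identifiers: []Identifier{{"example_rule_id", "rule-b"}}},
		{Name: "finding C", Identifiers: []Identifier{{"example_rule_id", "rule-c"}}},
	}
}

// sampleRuleset is constructed data: rule-b is disabled, rule-c is listed
// but not disabled, so only finding B should be removed.
func sampleRuleset() []RulesetEntry {
	return []RulesetEntry{
		{Disable: true, Identifier: Identifier{"example_rule_id", "rule-b"}},
		{Disable: false, Identifier: Identifier{"example_rule_id", "rule-c"}},
	}
}

func main() {
	for _, v := range filterDisabled(sampleFindings(), sampleRuleset()) {
		fmt.Println("kept:", v.Name)
	}
}
```

Matching on the full identifier (type and value) rather than value alone keeps a disabled entry for one analyzer from silently suppressing a finding with the same value from another.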
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests updated/added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Craig Smith