Merge branch 'add-SAST_EXCLUDED_ANALYZERS-docs' into 'master'

Add documentation for SAST_EXCLUDED_ANALYZERS

See merge request gitlab-org/gitlab!50995

doc/user/application_security/sast/analyzers.md

@@ -68,6 +68,10 @@ the official analyzers.
 
 ### Selecting specific analyzers
 
+WARNING:
+`SAST_DEFAULT_ANALYZERS` is [deprecated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50872) in GitLab 13.8,
+and is scheduled for [removal in GitLab 14.0](https://gitlab.com/gitlab-org/gitlab/-/issues/290777).
+
 You can select the official analyzers you want to run. Here's how to enable
 `bandit` and `flawfinder` while disabling all the other default ones.
 In `.gitlab-ci.yml` define:
@@ -83,9 +87,9 @@ variables:
 `bandit` runs first. When merging the reports, SAST
 removes the duplicates and keeps the `bandit` entries.
 
-### Disabling default analyzers
+### Disabling all default analyzers
 
-Setting `SAST_DEFAULT_ANALYZERS` to an empty string disables all the official
+Setting `SAST_DISABLED` to `true` disables all the official
 default analyzers. In `.gitlab-ci.yml` define:
 
 ```yaml
@@ -93,11 +97,25 @@ include:
   - template: Security/SAST.gitlab-ci.yml
 
 variables:
-  SAST_DEFAULT_ANALYZERS: ""
+  SAST_DISABLED: true
 ```
 
 That's needed when one totally relies on [custom analyzers](#custom-analyzers).
 
+### Disabling specific default analyzers
+
+Set `SAST_EXCLUDED_ANALYZERS` to a comma-delimited string that includes the official
+default analyzers that you want to avoid running. In `.gitlab-ci.yml` define the
+following to prevent the `eslint` analyzer from running:
+
+```yaml
+include:
+  - template: Security/SAST.gitlab-ci.yml
+
+variables:
+  SAST_EXCLUDED_ANALYZERS: "eslint"
+```
+
 ## Custom Analyzers
 
 You can provide your own analyzers by

doc/user/application_security/sast/index.md

@@ -431,7 +431,8 @@ The following are Docker image-related variables.
 |---------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
 | `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md). |
 | `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md).                 |
-| `SAST_DEFAULT_ANALYZERS`  | Override the names of default images. Read more about [customizing analyzers](analyzers.md).                                          |
+| `SAST_DEFAULT_ANALYZERS`  | **DEPRECATED:** Override the names of default images. Scheduled for [removal in GitLab 14.0](https://gitlab.com/gitlab-org/gitlab/-/issues/290777).                          |
+| `SAST_EXCLUDED_ANALYZERS` | Names of default images that should never run. Read more about [customizing analyzers](analyzers.md).                                 |
 
 #### Vulnerability filters