Commit 58f468a0 authored by Suzanne Selhorn's avatar Suzanne Selhorn

Merge branch 'add-SAST_EXCLUDED_ANALYZERS-docs' into 'master'

Add documentation for SAST_EXCLUDED_ANALYZERS

See merge request gitlab-org/gitlab!50995
parents 59814bbf 0a65baaa
......@@ -68,6 +68,10 @@ the official analyzers.
### Selecting specific analyzers
WARNING:
`SAST_DEFAULT_ANALYZERS` is [deprecated](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50872) in GitLab 13.8,
and is scheduled for [removal in GitLab 14.0](https://gitlab.com/gitlab-org/gitlab/-/issues/290777).
You can select the official analyzers you want to run. Here's how to enable
`bandit` and `flawfinder` while disabling all the other default ones.
In `.gitlab-ci.yml` define:
......@@ -83,9 +87,9 @@ variables:
`bandit` runs first. When merging the reports, SAST
removes the duplicates and keeps the `bandit` entries.
### Disabling default analyzers
### Disabling all default analyzers
Setting `SAST_DEFAULT_ANALYZERS` to an empty string disables all the official
Setting `SAST_DISABLED` to `true` disables all the official
default analyzers. In `.gitlab-ci.yml` define:
```yaml
......@@ -93,11 +97,25 @@ include:
- template: Security/SAST.gitlab-ci.yml
variables:
SAST_DEFAULT_ANALYZERS: ""
SAST_DISABLED: true
```
That's needed when one totally relies on [custom analyzers](#custom-analyzers).
### Disabling specific default analyzers
Set `SAST_EXCLUDED_ANALYZERS` to a comma-delimited string that includes the official
default analyzers that you want to avoid running. In `.gitlab-ci.yml` define the
following to prevent the `eslint` analyzer from running:
```yaml
include:
- template: Security/SAST.gitlab-ci.yml
variables:
SAST_EXCLUDED_ANALYZERS: "eslint"
```
## Custom Analyzers
You can provide your own analyzers by
......
......@@ -431,7 +431,8 @@ The following are Docker image-related variables.
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| `SECURE_ANALYZERS_PREFIX` | Override the name of the Docker registry providing the default images (proxy). Read more about [customizing analyzers](analyzers.md). |
| `SAST_ANALYZER_IMAGE_TAG` | **DEPRECATED:** Override the Docker tag of the default images. Read more about [customizing analyzers](analyzers.md). |
| `SAST_DEFAULT_ANALYZERS` | Override the names of default images. Read more about [customizing analyzers](analyzers.md). |
| `SAST_DEFAULT_ANALYZERS` | **DEPRECATED:** Override the names of default images. Scheduled for [removal in GitLab 14.0](https://gitlab.com/gitlab-org/gitlab/-/issues/290777). |
| `SAST_EXCLUDED_ANALYZERS` | Names of default images that should never run. Read more about [customizing analyzers](analyzers.md). |
#### Vulnerability filters
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment