Commit 6330a060 authored by Stan Hu's avatar Stan Hu

Merge branch 'semgrep-ga' into 'master'

Make semgrep generally available

See merge request gitlab-org/gitlab!61412
parents c3ad66b0 9eec6961
---
title: Make semgrep generally available
merge_request: 61412
author:
type: changed
......@@ -517,8 +517,6 @@ removed, or promoted to regular features at any time.
Experimental features available are:
- Enable scanning of iOS and Android apps using the [MobSF analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/).
- Enable the [semgrep analyzer](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/).
- Semgrep may be inconsistent when reporting vulnerabilities found in minified JavaScript files.
#### Enable experimental features
......
......@@ -64,18 +64,18 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
'Java' | { 'app.java' => '' } | {} | %w(spotbugs-sast)
'Java with MobSF' | { 'app.java' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(spotbugs-sast)
'Java without MobSF' | { 'AndroidManifest.xml' => '', 'a.java' => '' } | {} | %w(spotbugs-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast)
'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast)
'Javascript' | { 'app.js' => '' } | {} | %w(eslint-sast semgrep-sast)
'JSX' | { 'app.jsx' => '' } | {} | %w(eslint-sast semgrep-sast)
'Javascript Node' | { 'package.json' => '' } | {} | %w(nodejs-scan-sast)
'HTML' | { 'index.html' => '' } | {} | %w(eslint-sast)
'Kubernetes Manifests' | { 'Chart.yaml' => '' } | { 'SCAN_KUBERNETES_MANIFESTS' => 'true' } | %w(kubesec-sast)
'Multiple languages' | { 'app.java' => '', 'app.js' => '' } | {} | %w(eslint-sast spotbugs-sast)
'PHP' | { 'app.php' => '' } | {} | %w(phpcs-security-audit-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast)
'Python' | { 'app.py' => '' } | {} | %w(bandit-sast semgrep-sast)
'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast)
'Scala' | { 'app.scala' => '' } | {} | %w(spotbugs-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast)
'Typescript' | { 'app.ts' => '' } | {} | %w(eslint-sast semgrep-sast)
'Typescript JSX' | { 'app.tsx' => '' } | {} | %w(eslint-sast semgrep-sast)
'Visual Basic' | { 'app.vbproj' => '' } | {} | %w(security-code-scan-sast)
end
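Review bot: The 'Multiple languages' row still expects only `%w(eslint-sast spotbugs-sast)` although its file set contains `app.js`, which the updated 'Javascript' row says now also yields `semgrep-sast`. If the assertion outside this hunk is an inclusion check, the row still passes but no longer describes the default job set; I would change it to `%w(eslint-sast spotbugs-sast semgrep-sast)`. Now that semgrep runs without `SAST_EXPERIMENTAL_FEATURES`, `SAST_EXCLUDED_ANALYZERS` is the remaining opt-out, and a case that sets it to `semgrep` and checks that the job is absent would pin that behaviour. No such case is visible here, though the table begins and may continue outside the hunk.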
......
......@@ -287,8 +287,7 @@ semgrep-sast:
- if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
when: never
- if: $CI_COMMIT_BRANCH &&
$SAST_DEFAULT_ANALYZERS =~ /semgrep/ &&
$SAST_EXPERIMENTAL_FEATURES == 'true'
$SAST_DEFAULT_ANALYZERS =~ /semgrep/
exists:
- '**/*.py'
- '**/*.js'
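Review bot: With the `$SAST_EXPERIMENTAL_FEATURES == 'true'` condition removed, this rule enables `semgrep-sast` solely on `$SAST_DEFAULT_ANALYZERS =~ /semgrep/`. A project that overrides `SAST_DEFAULT_ANALYZERS` with an explicit list written before this change will therefore silently not get the analyzer. I would add a comment above the rule such as `# Runs by default; opt out via SAST_EXCLUDED_ANALYZERS. Custom SAST_DEFAULT_ANALYZERS lists must include semgrep.` Both `=~ /semgrep/` checks are unanchored substring matches, so any value containing that text enables or excludes the job; that is worth stating in the same comment if it is intended. The default value of `SAST_DEFAULT_ANALYZERS` and the rest of the `exists` list lie outside this hunk.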
......
......@@ -532,7 +532,7 @@ RSpec.describe Ci::CreatePipelineService do
it 'pull it from Auto-DevOps' do
pipeline = execute_service
expect(pipeline).to be_auto_devops_source
expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch test])
expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch semgrep-sast test])
end
end
......