Commit 91c7aa69 authored by Nick Gaskill

Merge branch 'add-custom-sast-ruleset-disablement-docs' into 'master'

doc: Update SAST Rulesets docs to include disablements

See merge request gitlab-org/gitlab!47847
parents 78ad646b ec0518bb
...@@ -111,6 +111,7 @@ as shown in the following table: ...@@ -111,6 +111,7 @@ as shown in the following table:
| [Interaction with Vulnerabilities](#interacting-with-the-vulnerabilities) | **{dotted-circle}** | **{check-circle}** | | [Interaction with Vulnerabilities](#interacting-with-the-vulnerabilities) | **{dotted-circle}** | **{check-circle}** |
| [Access to Security Dashboard](#security-dashboard) | **{dotted-circle}** | **{check-circle}** | | [Access to Security Dashboard](#security-dashboard) | **{dotted-circle}** | **{check-circle}** |
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** | | [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
| [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
## Contribute your scanner ## Contribute your scanner
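Review bot: the anchor `#customize-rulesets` in the new table row only resolves once the section heading is renamed from `Custom rulesets` to `Customize rulesets` in the later hunk of this same patch, so the two changes must land together or the link points at a fragment that does not exist. The row's `**{dotted-circle}**` / `**{check-circle}**` values follow the pattern of the neighbouring rows and agree with the `**(ULTIMATE)**` badge on the section they link to.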
...@@ -205,15 +206,21 @@ spotbugs-sast: ...@@ -205,15 +206,21 @@ spotbugs-sast:
FAIL_NEVER: 1 FAIL_NEVER: 1
``` ```
### Custom rulesets **(ULTIMATE)** ### Customize rulesets **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/235382) in GitLab 13.5. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/235382) in GitLab 13.5.
You can customize the default scanning rules provided with SAST's NodeJS-Scan and Gosec analyzers. You can customize the default scanning rules provided by our SAST analyzers.
Customization allows you to exclude rules and modify the behavior of existing rules.
Ruleset customization supports two capabilities:
1. Disabling predefined rules
1. Modifying the default behavior of a given analyzer
These capabilities can be used simultaneously.
To customize the default scanning rules, create a file containing custom rules. These rules To customize the default scanning rules, create a file containing custom rules. These rules
are passed through to the analyzer's underlying scanner tool. are passed through to the analyzer's underlying scanner tools.
To create a custom ruleset: To create a custom ruleset:
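Review bot: renaming the heading from `Custom rulesets` to `Customize rulesets` changes its generated anchor, so any existing inbound links to `#custom-rulesets` (from other docs pages or external sites) will break; check for such references and, if the doc tooling supports it, keep the old anchor as an alias. Also, the new list item `1. Modifying the default behavior of a given analyzer` is looser than the retained sentence `Customization allows you to exclude rules and modify the behavior of existing rules.`; aligning the wording (rules vs. analyzer behavior) would stop readers from wondering whether these are two different features.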
...@@ -221,6 +228,25 @@ To create a custom ruleset: ...@@ -221,6 +228,25 @@ To create a custom ruleset:
1. Create a custom ruleset file named `sast-ruleset.toml` in the `.gitlab` directory. 1. Create a custom ruleset file named `sast-ruleset.toml` in the `.gitlab` directory.
1. In the `sast-ruleset.toml` file, do one of the following: 1. In the `sast-ruleset.toml` file, do one of the following:
- Disable predefined rules belonging to SAST analyzers. In this example, the disabled rules
belong to `eslint` and `sobelow` and have the corresponding identifiers `type` and `value`:
```toml
[eslint]
[[eslint.ruleset]]
disable = true
[eslint.ruleset.identifier]
type = "eslint_rule_id"
value = "security/detect-object-injection"
[sobelow]
[[sobelow.ruleset]]
disable = true
[sobelow.ruleset.identifier]
type = "sobelow_rule_id"
value = "sql_injection"
```
- Define a custom analyzer configuration. In this example, customized rules are defined for the - Define a custom analyzer configuration. In this example, customized rules are defined for the
`nodejs-scan` scanner: `nodejs-scan` scanner:
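Review bot: the retained step `1. In the `sast-ruleset.toml` file, do one of the following:` now contradicts the statement added in the previous hunk that the two capabilities `can be used simultaneously`; rewording it to `do one or both of the following:` would make clear that a single ruleset file may hold both disablements and a custom analyzer configuration. The TOML in the new example is well-formed (`[eslint.ruleset.identifier]` attaches to the preceding `[[eslint.ruleset]]` element), but the text should say where the `type` and `value` identifiers such as `eslint_rule_id` / `security/detect-object-injection` and `sobelow_rule_id` / `sql_injection` come from, since a reader cannot derive them from the surrounding prose, and it would help to state explicitly that a disabled rule produces no findings, so that teams record why a rule was switched off.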