►
From YouTube: GitLab SAST Customize Rulesets Demo
Description
Backend Engineer Lucas Charles demonstrates the use of GitLab's Static Application Security Testing support for customizing pre-packaged security rulesets, using javascript and eslint security analyzer.
- GitLab SAST docs on customizing rulesets https://docs.gitlab.com/ee/user/application_security/sast/index.html#customize-rulesets
- Customizing Rulesets epic for upcoming capabilities https://gitlab.com/groups/gitlab-org/-/epics/4179
A
A
So
our
sas
documentation
here
outlines
both
how
to
set
up
sas
as
well
as
how
to
customize
it
for
your
individual
project.
Today
we
will
be
looking
at
customizing.
Rule
sets
right
here
now.
The
first
thing
here
will
be:
we
will
need
a
project,
so
let's
go
ahead
and
create
one:
let's
go
ahead
and
create
from
templates
on
gitlab.com
we're
going
to
choose
a
express
template
and
we
will
call
this
customized.
A
A
A
A
A
Now,
that's
a
good
enough
start,
and
once
this
authentication
works,
then
we
can
go
ahead
and
move
on
to
some
better
code.
Now,
let's
add
one
more
file
here,
we'll
add
the
gitlab
ci
yaml
and
go
back
to
the
documentation
now
for
setting
up
our
project,
we'll
hit
configuration
here.
We
see
this
here
and
we'll
go
ahead
and
copy
that
we
can
also
use
auto
devops
here,
but
in
this
case
we're
going
to
want
a
speedy
pipeline
to
demo.
So
we'll
stick
with
our
ci
configuration
so
just
to
review
our
changes.
A
A
A
A
Job
okay
looks
like
we're
successful:
let's
go
ahead
and
go
back
to
our
pipeline
view.
We
see
a
new
security
tab
here
and
it
looks
like
eslint
detected,
two
issues
unsafe
regular
expression
and
the
potential
timing
attack.
If
we
go
ahead
and
click
through
here,
we
can
see
these
here
line
four,
which
is
the
regex
we
added
and
for
the
potential
timing
attack
13
through
17.
Here
we're
doing
this
comparison.
A
Okay,
so
we
can
all
see.
This
is
a
low
severity
finding
here
and
a
high
one
for
the
regular
expression.
So
this
looks
like
a
pretty
serious
issue,
so
we
should
probably
deal
with
that
one.
We
don't
really
care
too
much
about
the
potential
timing
attack.
However,
so,
even
though
the
severity
is
low,
we
don't
want
to
even
see
this
one
show
up.
So
if
we
go
back
to
our
sas
configuration
here,
we
can
see
about
customizing.
Rule
sets
now
there's
a
couple
ways.
We
could
go
about
this
within
our
view.
A
A
And
let's
go
back
to
the
docs
and
see
what
they
say
so
rule
set
customization
supports
two
capabilities:
disabling
predefined
rules
and
modifying
the
behavior.
This
is
the
one
that
we're
going
to
be
dealing
with
today
so
to
create
a
custom
rule
set.
We
need
to
create
a
gitlab
directory
and
then
create
a
sas
real
estate
tamil
file
within
that
directory
and
then
paste
in
something
akin
to
the
following
and
tomml
format.
A
A
So
it
looks
like
in
this
example
we're
customizing
two
different
analyzers,
but
in
this
case
we
only
really
care
about
eslint.
So
let's
go
ahead
and
drop
that
reading.
Through
this
we
see
for
the
eslint
analyzer
for
this
specific
rule
set.
We
need
to
disable
it
and
to
disable.
We
need
to
know
how
to
identify
it.
So
we
need
to
look
at
this
identifier
here.
A
The
type
is
esl
rule
id
and
the
value
here
is
secret,
detect
object
injection,
so
let's
go
ahead
and
go
back
here
and
we
see
our
rule
id
for
this.
One
is
detect
possible
timing
attacks.
Let's
go
ahead
and
copy
that
paste.
That
in
here.
A
A
A
Vulnerability
now
we
could
also
modify
this
one
as
well.
In
the
future,
there
will
actually
be
a
capability
we're
working
on
in
order
to
customize
the
vulnerabilities.
So
if
we
look
at
our
gitlab
custom
rule
sets
epic.
A
In
this
case,
we
will
allow
setting
the
severity
directly
on
the
rule
set
in
the
case
of
something
like
predictable
random.
It
would
be
overriding
the
default
rule
severity
with
the
severity
of
low.
With
that
capability
upcoming.
We
will
be
able
to
modify
this,
and
if
we
consider
this
vulnerability
here
to
be
a
critical
or
even
low,
either
raising
or
hiring
that
severity,
then
we
can
actually
set
that
within
our
tamil
file
as
well,
and
that's
how
to
customize
rule
sets
using
gitlab
zest.
A
A
A
A
Eslint
now
it
looks
like
we
had
a
fail
here,
looks
like
there
is
an
invalid
syntax
in
our
tommel
configuration.
So
we
see
the
following
error:
duplicate
tables:
let's
go
ahead
and
look
back
again
what
we
did
here
now
with
tomml.
It
looks
like
we
are
trying
to
override
this
table
with
itself
here
and
redefine
it,
just
to
double
check
that
we
can
go
to
tomo
lintz
configuration
checker,
let's
go
ahead
and
throw
this
in
here
and
validate.