Diffstat (limited to 'doc/user/application_security/sast/customize_rulesets.md')
-rw-r--r-- | doc/user/application_security/sast/customize_rulesets.md | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/doc/user/application_security/sast/customize_rulesets.md b/doc/user/application_security/sast/customize_rulesets.md index d070883df9a..ddf8db4e489 100644 --- a/doc/user/application_security/sast/customize_rulesets.md +++ b/doc/user/application_security/sast/customize_rulesets.md 
@@ -23,12 +23,18 @@ repository being scanned. There are two kinds of customization: ## Disable predefined rules -You can disable predefined rules for any SAST analyzer. Disabled rules don't appear -on the [Pipeline Security](../index.md#view-security-scan-information-in-the-pipeline-security-tab) -tab or the [Vulnerability Report](../index.md#view-security-scan-information-in-the-vulnerability-report). +You can disable predefined rules for any SAST analyzer. -Disabling rules has a retroactive effect. The analyzer continues to scan for the -vulnerability, but findings are omitted from the [`gl-sast-report.json` artifact](index.md#reports-json-format). +When you disable a rule: + +- Most analyzers still scan for the vulnerability. The results are removed as a processing step after the scan completes, and they don't appear in the [`gl-sast-report.json` artifact](index.md#reports-json-format). +- Findings for the disabled rule no longer appear in the [Pipeline Security tab](../index.md#view-security-scan-information-in-the-pipeline-security-tab). +- Existing findings for the disabled rule on the default branch are marked ["No longer detected"](../vulnerability_report/index.md#activity-filter) in the [Vulnerability Report](../index.md#view-security-scan-information-in-the-vulnerability-report). + +The Semgrep-based analyzer handles disabled rules differently: + +- To improve performance, the Semgrep-based analyzer doesn't scan for disabled rules at all. +- If you disable a rule in the Semgrep-based analyzer, existing vulnerability findings for that rule are [automatically resolved](index.md#automatic-vulnerability-resolution) after you merge the `sast-ruleset.toml` file to the default branch. See the [Schema](#schema) and [Examples](#examples) sections for information on how to configure this behavior. 
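Review bot: the two lists in this hunk leave the trigger for the state changes implicit. The first list says existing findings on the default branch are marked "No longer detected", and the Semgrep list says findings are "automatically resolved after you merge the `sast-ruleset.toml` file to the default branch", but neither says that a pipeline on the default branch has to run with the new ruleset before either state change happens; a reader merging the ruleset and checking the Vulnerability Report immediately will not see the described result. Suggest adding "and a pipeline runs on the default branch" to both bullets. Also, "Most analyzers still scan for the vulnerability" followed by a separate "handles disabled rules differently" section is vaguer than it needs to be; since the Semgrep-based analyzer is the only exception named, "All analyzers except the Semgrep-based one still scan for the vulnerability" would state the rule precisely and make the contrast with the post-scan filtering (findings removed from `gl-sast-report.json` as a processing step, not at scan time) clearer.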
@@ -323,7 +329,7 @@ With the following custom ruleset configuration, vulnerabilities found with [semgrep] [[semgrep.ruleset]] [semgrep.ruleset.identifier] - type = "CWE" + type = "cwe" value = "322" [semgrep.ruleset.override] severity = "Critical" |
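Review bot: the example is changed from `type = "CWE"` to `type = "cwe"`, which only matters if identifier types are matched case-sensitively, yet nothing in the hunk or its surrounding text says so; a user who copies an older example with `"CWE"` would get a ruleset that silently matches nothing. Suggest adding a sentence next to the example (or in the Schema section this page links to) stating that `type` values must be lower-case, and checking the page's other `[semgrep.ruleset.identifier]` examples for the same uppercase value.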