Merge branch 'julianthome/add-sast-estensions' into 'master'

Adding extensions (yml, yaml, properties) to SAST templates

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/180712



Merged-by: Brett Walker <bwalker@gitlab.com>
Approved-by: Tiger Watson <twatson@gitlab.com>
Approved-by: Meir Benayoun <mbenayoun@gitlab.com>
Approved-by: Brett Walker <bwalker@gitlab.com>
Reviewed-by: Meir Benayoun <mbenayoun@gitlab.com>
Co-authored-by: Julian Thome <jthome@gitlab.com>

ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb

@@ -63,6 +63,7 @@
             'Golang'               | { 'main.go' => '' }                                    | {}                                         | %w[semgrep-sast]
             'Groovy'               | { 'app.groovy' => '' }                                 | {}                                         | %w[spotbugs-sast]
             'Java'                 | { 'app.java' => '' }                                   | {}                                         | %w[semgrep-sast]
+            'Java properties'      | { 'app.properties' => '' }                             | {}                                         | %w[semgrep-sast]
             'Javascript'           | { 'app.js' => '' }                                     | {}                                         | %w[semgrep-sast]
             'JSX'                  | { 'app.jsx' => '' }                                    | {}                                         | %w[semgrep-sast]
             'Kotlin'               | { 'app.kt' => '' }                                     | {}                                         | %w[semgrep-sast]

ee/spec/lib/gitlab/ci/templates/sast_latest_gitlab_ci_yaml_spec.rb

@@ -97,6 +97,7 @@
             'Golang'               | { 'main.go' => '' }                             | {}                      | %w[semgrep-sast]
             'Groovy'               | { 'app.groovy' => '' }                          | {}                      | %w[spotbugs-sast]
             'Java'                 | { 'app.java' => '' }                            | {}                      | %w[semgrep-sast]
+            'Java properties'      | { 'app.properties' => '' }                      | {}                      | %w[semgrep-sast]
             'Javascript'           | { 'app.js' => '' }                              | {}                      | %w[semgrep-sast]
             'JSX'                  | { 'app.jsx' => '' }                             | {}                      | %w[semgrep-sast]
             'Kotlin'               | { 'app.kt' => '' }                              | {}                      | %w[semgrep-sast]

lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml

@@ -197,6 +197,15 @@ semgrep-sast:
         - '**/*.swift'
         - '**/*.m'
         - '**/*.kt'
+        - '**/*.properties'
+        - '**/application*.yml'
+        - '**/management*.yml'
+        - '**/actuator*.yml'
+        - '**/bootstrap*.yml'
+        - '**/application*.yaml'
+        - '**/management*.yaml'
+        - '**/actuator*.yaml'
+        - '**/bootstrap*.yaml'
     ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
@@ -230,6 +239,15 @@ semgrep-sast:
         - '**/*.m'
         - '**/*.rb'
         - '**/*.kt'
+        - '**/*.properties'
+        - '**/application*.yml'
+        - '**/management*.yml'
+        - '**/actuator*.yml'
+        - '**/bootstrap*.yml'
+        - '**/application*.yaml'
+        - '**/management*.yaml'
+        - '**/actuator*.yaml'
+        - '**/bootstrap*.yaml'
 
 sobelow-sast:
   extends: .sast-analyzer

lib/gitlab/ci/templates/Jobs/SAST.latest.gitlab-ci.yml

@@ -250,6 +250,15 @@ semgrep-sast:
         - '**/*.swift'
         - '**/*.m'
         - '**/*.kt'
+        - '**/*.properties'
+        - '**/application*.yml'
+        - '**/management*.yml'
+        - '**/actuator*.yml'
+        - '**/bootstrap*.yml'
+        - '**/application*.yaml'
+        - '**/management*.yaml'
+        - '**/actuator*.yaml'
+        - '**/bootstrap*.yaml'
     ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
     - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
           $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
@@ -283,6 +292,15 @@ semgrep-sast:
         - '**/*.m'
         - '**/*.rb'
         - '**/*.kt'
+        - '**/*.properties'
+        - '**/application*.yml'
+        - '**/management*.yml'
+        - '**/actuator*.yml'
+        - '**/bootstrap*.yml'
+        - '**/application*.yaml'
+        - '**/management*.yaml'
+        - '**/actuator*.yaml'
+        - '**/bootstrap*.yaml'
     - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
       when: never
     # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -308,6 +326,15 @@ semgrep-sast:
         - '**/*.swift'
         - '**/*.m'
         - '**/*.kt'
+        - '**/*.properties'
+        - '**/application*.yml'
+        - '**/management*.yml'
+        - '**/actuator*.yml'
+        - '**/bootstrap*.yml'
+        - '**/application*.yaml'
+        - '**/management*.yaml'
+        - '**/actuator*.yaml'
+        - '**/bootstrap*.yaml'
     ## In case gitlab-advanced-sast already covers all the files that semgrep-sast would have scanned
     - if: $CI_COMMIT_BRANCH &&
           $GITLAB_FEATURES =~ /\bsast_advanced\b/ &&
@@ -341,6 +368,15 @@ semgrep-sast:
         - '**/*.m'
         - '**/*.rb'
         - '**/*.kt'
+        - '**/*.properties'
+        - '**/application*.yml'
+        - '**/management*.yml'
+        - '**/actuator*.yml'
+        - '**/bootstrap*.yml'
+        - '**/application*.yaml'
+        - '**/management*.yaml'
+        - '**/actuator*.yaml'
+        - '**/bootstrap*.yaml'
 
 sobelow-sast:
   extends: .sast-analyzer