Add the option to skip AppSec SAST bot comments

8b36a1cb · Félix Veillette-Potvin · GitLab · 69c0bcb9 · 8b36a1cb · 8b36a1cb
--- a/scripts/semgrep_result_processor.rb
+++ b/scripts/semgrep_result_processor.rb
@@ -17,6 +17,7 @@ class SemgrepResultProcessor
    <small>
    This AppSec automation is currently under testing.
    Use ~"appsec-sast::helpful" or ~"appsec-sast::unhelpful" for quick feedback.
+    To stop the bot from further commenting, you can use the ~"appsec-sast::stop" label.
    For any detailed feedback, [add a comment here](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/sast-custom-rules/-/issues/38).
    </small>
@@ -30,6 +31,11 @@ def execute
    perform_allowlist_check
    semgrep_results = get_sast_results
    unique_results = filter_duplicate_findings(semgrep_results)
+    if sast_stop_label_present?
+      puts "Not adding comments for this MR as it has the appsec-sast::stop label. Here are the new unique findings that would have otherwise been posted: #{unique_results}"
+      return
+    end
    create_inline_comments(unique_results)
  rescue StandardError => e
@@ -141,6 +147,11 @@ def create_inline_comments(path_line_message_dict)
    end
  end
+  def sast_stop_label_present?
+    labels = ENV['CI_MERGE_REQUEST_LABELS'] || ""
+    labels.split(',').map(&:strip).include?('appsec-sast::stop')
+  end
  private
  def get_existing_comments

--- a/spec/scripts/semgrep_result_processor_spec.rb
+++ b/spec/scripts/semgrep_result_processor_spec.rb
@@ -53,6 +53,50 @@
      expect { processor.execute }.to raise_error(SystemExit)
    end
+    context 'when CI_MERGE_REQUEST_LABELS includes appsec-sast::stop' do
+      it "prints the 'not adding comments' message" do
+        stub_env('CI_MERGE_REQUEST_LABELS', 'appsec-sast::stop')
+        expect(processor).to receive(:perform_allowlist_check)
+        expect(processor).to receive(:get_sast_results)
+        expect(processor).to receive(:filter_duplicate_findings).with(sample_results)
+        expect do
+          processor.execute
+        end.to output(/Not adding comments for this MR as it has the appsec-sast::stop label/).to_stdout
+      end
+    end
+  end
+  describe '#sast_stop_label_present?' do
+    context 'when CI_MERGE_REQUEST_LABELS includes appsec-sast::stop' do
+      it 'returns true' do
+        stub_env('CI_MERGE_REQUEST_LABELS', 'appsec-sast::stop, other-label')
+        expect(processor.sast_stop_label_present?).to be true
+      end
+    end
+    context 'when CI_MERGE_REQUEST_LABELS does not include appsec-sast::stop' do
+      it 'returns false' do
+        stub_env('CI_MERGE_REQUEST_LABELS', 'another-label, different-label')
+        expect(processor.sast_stop_label_present?).to be false
+      end
+    end
+    context 'when CI_MERGE_REQUEST_LABELS is empty' do
+      it 'returns false' do
+        stub_env('CI_MERGE_REQUEST_LABELS', '')
+        expect(processor.sast_stop_label_present?).to be false
+      end
+    end
+    context 'when CI_MERGE_REQUEST_LABELS is nil' do
+      it 'returns false' do
+        stub_env('CI_MERGE_REQUEST_LABELS', nil)
+        expect(processor.sast_stop_label_present?).to be false
+      end
+    end
  end
  describe '#perform_allowlist_check' do