I am trying to use `phpcs-security-audit` by including GitLab's SAST template. It generates a report as expected, but the report is filled with warnings from libraries and specific warnings that I would like to ignore for the report to be useful.

If I ran `phpcs` and `phpcs-security-audit` myself, I could store settings in a config file. Storing settings in `.phpcs.xml` works locally, but has no effect on GitLab's `phpcs-security-audit` analyzer. I can't find any documentation for it. Is it possible to configure the analyzer, and if so, how?
Yes, you can. It's simple: create a directory `.gitlab`, and inside that create a file called `sast-ruleset.toml`. In `sast-ruleset.toml`, add the following code:
```toml
# Ruleset section for the phpcs-security-audit analyzer
[phpcs-security-audit]
  # One entry per rule you want to change; here the rule is switched off entirely
  [[phpcs-security-audit.ruleset]]
    disable = true
    # Identifies which rule this entry applies to
    [phpcs-security-audit.ruleset.identifier]
      type = "phpcs_security_audit_source"
      value = "PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.WarnFilesystem"
```
`value` is the warning that you want to ignore; you can get the value in the Security tab: go to the warning and select the Identifiers.

See the GitLab documentation for more details.
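As an added example (not part of the answer above), the same `.gitlab/sast-ruleset.toml` extended to silence more than one rule: each rule gets its own `[[phpcs-security-audit.ruleset]]` entry. The second identifier value is a constructed placeholder; replace it with an identifier copied from the Security tab.

```toml
[phpcs-security-audit]
  # First rule to disable: the filesystem-function warning from the answer
  [[phpcs-security-audit.ruleset]]
    disable = true
    [phpcs-security-audit.ruleset.identifier]
      type = "phpcs_security_audit_source"
      value = "PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.WarnFilesystem"

  # Second rule to disable: a placeholder identifier, not a real sniff name
  [[phpcs-security-audit.ruleset]]
    disable = true
    [phpcs-security-audit.ruleset.identifier]
      type = "phpcs_security_audit_source"
      value = "PHPCS_SecurityAudit.PLACEHOLDER.Category.WarnSomething"
```

Each disabled rule is dropped from the report for every file, so prefer disabling only rules whose findings you have reviewed and judged not to apply, rather than every noisy one.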