phpgitlabgitlab-ciphpcssast

How to configure GitLab's phpcs-security-audit analyzer?


I am trying to use phpcs-security-audit by including GitLab's SAST template. It generates a report as expected, but the report is filled with warnings from libraries and specific warnings that I would like to ignore for the report to be useful.

If I ran phpcs and phpcs-security-audit myself, I could store settings in a config file. Storing settings in .phpcs.xml works locally, but has no effect on GitLab's phpcs-security-audit analyzer. I can't find any documentation for it. Is it possible to configure the analyzer, and if so how?


Solution

  • Yes you can. It's simple, create directory .gitlab, inside that create file called sast-ruleset.toml. In the sast-ruleset.toml, add this following code:

    [phpcs-security-audit]
      [[phpcs-security-audit.ruleset]]
        disable = true
    
        [phpcs-security-audit.ruleset.identifier]
        type = "phpcs_security_audit_source"
        value = "PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.WarnFilesystem"
    

    value is warning that you want to ignore, you can get the value in the Security Tab, go to the warning and select the Identifiers.

    Scan Output Example

    See the Gitlab documentation for more details.