How to configure GitLab's phpcs-security-audit analyzer?

Question

I am trying to use phpcs-security-audit by including GitLab's SAST template. It generates a report as expected, but the report is filled with warnings from libraries and specific warnings that I would like to ignore for the report to be useful.

If I ran phpcs and phpcs-security-audit myself, I could store settings in a config file. Storing settings in .phpcs.xml works locally, but has no effect on GitLab's phpcs-security-audit analyzer. I can't find any documentation for it. Is it possible to configure the analyzer, and if so how?

score 1 · Accepted Answer · edited Oct 06 '22 at 14:06

1

Yes you can. It's simple, create directory .gitlab, inside that create file called sast-ruleset.toml. In the sast-ruleset.toml, add this following code:

[phpcs-security-audit]
  [[phpcs-security-audit.ruleset]]
    disable = true

    [phpcs-security-audit.ruleset.identifier]
    type = "phpcs_security_audit_source"
    value = "PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.WarnFilesystem"

value is warning that you want to ignore, you can get the value in the Security Tab, go to the warning and select the Identifiers.

See the Gitlab documentation for more details.

edited Oct 06 '22 at 14:06

dasch88

999
10
13

answered Nov 12 '21 at 04:24

Leon

26
2

Not trying this right now, but it looks like it would be right. Thanks! – August Janse Nov 19 '21 at 09:39

How to configure GitLab's phpcs-security-audit analyzer?

1 Answers1