Skip to content

Configure Scanners

The Global Configuration feature allows users to centrally manage scanner settings across supported tools. It provides a unified location to configure tokens for Semgrep Pro and Snyk, and to define and maintain advanced rule sets for Semgrep and CodeQL. Additionally, it supports configuration of the Gitleaks scanner for secrets detection. This centralized approach streamlines the provisioning and management of scanner coverage across your assets.

Common Configuration Steps

Before configuring any scanner, follow these initial steps:

  1. Navigate to the Scanner Coverage page.

  2. Click the Actions button at the top right corner of the page.

    Click Actions

  3. Click the Configure Scanners button.

    Configure Scanners

1. CodeQL

To configure the CodeQL scanner,

  1. Complete the Common Configuration Steps.

  2. Select "Enable" for the CodeQL scanner.

    Enable CodeQL

  3. Click the Add Configuration button.

    Add configuratio

  4. Provide the required fields Configuration and Language. Optional parameters include Create Arguments and Analyze Arguments.

    Add Rule Set button

  5. Click the Save button to finalize the configuration.

2. Semgrep

To configure the Semgrep scanner:

  1. Store your custom rules in an internet reachable location (e.g., GitLab packages).
  2. Complete the Common Configuration Steps.

  3. Select "Enable" for the Semgrep scanner.

    Enable Semgrep

  4. Click the Add Rule Set button to add the Rule Set (Name) and the corresponding Rule. In the Rule field, enter the following URLs:

    1. https://assets.build.boostsecurity.io/semgrep-rules/stable/all-sast-rules.yml (This is BoostSecurity's default ruleset)
    2. https://example.com/PATH/TO/RULES/LOCATION

    "URLs must be space-separated to be parsed correctly."

    Add Rule Set button

    Add Rule Set and Rule

  5. Click the Save button to confirm and store the custom configuration.

  6. Proceed to apply the new semgrep configuration to the code repositories using the following steps:

    1. Deprovision the Semgrep scanner (Only if already provisioned) on the relevant repositories. Do so using the advanced provisioning tab to ensure the data associated with the scans are not deleted.

      Deprovision Semgrep Scanner

      Complete Deprovisioning

    2. Then using the advanced provisioning tab, reprovision Semgrep on the selected code repository(ies).

    3. On the next step, select the newly created custom rule set.

      Select custom ruleset

    4. Click Complete to finalize and activate the custom ruleset across the selected repositories.

Note

When configuring Semgrep, you should know that any combination of rulesets can be provided. The file extension at the end of the URL must be either .yaml or .yml, and custom rulesets can also be defined per code repository if they are located in the .semgrep/ directory.

3. Semgrep Pro

To configure the Semgrep Pro scanner:

  1. Complete the Common Configuration Steps.

  2. Select "Enable" for the Semgrep Pro scanner.

    Enable Semgrep Pro

  3. Enter your Token and click the Add Rule Set button to add the Rule Set (Name) and the corresponding Rule.

    Configure Semgrep Pro Scanner

  4. Click the Save button to finalize the configured scanner.

4. Snyk

To configure the Synk scanner:

  1. Complete the Common Configuration Steps.

  2. Select "Enable" for the Synk scanner.

    Enable Synk

  3. Enter the Token and click the Save button to finalize the details.

    Configure Snyk Scanner