I have been adding in the GitLab SAST template to a project and noticed that all the `*-sast` jobs seem to run for all merge requests, even though they have the `exists` rule present and we don't have any files in the repo that match the globs. Using `brakeman-sast` as an example, the rule is

```yaml
- if: ($CI_COMMIT_BRANCH || $CI_MERGE_REQUEST_IID)
  exists:
    - '**/*.rb'
    - '**/Gemfile'
```
And even though we have no `*.rb` files or `Gemfile` files (it's a Laravel/PHP application), it will always run and gives the following output:

```
$ /analyzer run
[INFO] [Brakeman] [2021-10-26T06:02:23Z] ▶ GitLab Brakeman analyzer v2.20.1
[INFO] [Brakeman] [2021-10-26T06:02:23Z] ▶ Detecting project
[WARN] [Brakeman] [2021-10-26T06:02:23Z] ▶ No match in /builds/2TPyCzgz/4/espadav8/example
```
Is there something we have set up incorrectly in the rules? My understanding is that both the `if` and the `exists` should be `true` for it to match and run that job.