I have been adding the GitLab SAST template to a project and noticed that all the `*-sast` jobs seem to run for all merge requests, even though they have the `exists` rule present and we don't have any files in the repo that match the globs. Using `brakeman-sast` as an example, the rule is:
```yaml
- if: ($CI_COMMIT_BRANCH || $CI_MERGE_REQUEST_IID)
  exists:
    - '**/*.rb'
    - '**/Gemfile'
```
And even though we have no `*.rb` files or `Gemfile` files (it's a Laravel/PHP application), it will always run and gives the following output:
```text
$ /analyzer run
[INFO] [Brakeman] [2021-10-26T06:02:23Z] ▶ GitLab Brakeman analyzer v2.20.1
[INFO] [Brakeman] [2021-10-26T06:02:23Z] ▶ Detecting project
[WARN] [Brakeman] [2021-10-26T06:02:23Z] ▶ No match in /builds/2TPyCzgz/4/espadav8/example
```
Is there something we have set up incorrectly in the rules? My understanding is that both the `if` and the `exists` should be true for it to match and run that job.
Thanks
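To check locally whether a rule like the one quoted above should select a job for a given file tree, here is an added example (not part of the original post and not GitLab's own rule evaluator): it approximates GitLab's glob matching for `exists` and the `($A || $B)` form of `if`, and treats the two clauses of one rule as ANDed. The file listings and CI variables are constructed samples, not the poster's real repository.

```python
import re

# The brakeman-sast rule from the post, transcribed as data.
BRAKEMAN_RULE = {
    "if": "($CI_COMMIT_BRANCH || $CI_MERGE_REQUEST_IID)",
    "exists": ["**/*.rb", "**/Gemfile"],
}

def _glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a glob into a regex: `**/` spans any number of directories,
    `*` and `?` never cross a `/`. Assumption: this approximates GitLab's
    `exists` matching; it is not GitLab's implementation."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def exists_matches(patterns, files):
    """Return the repo paths that satisfy at least one `exists` glob."""
    return [f for f in files if any(_glob_to_regex(p).match(f) for p in patterns)]

def if_matches(expr: str, variables: dict) -> bool:
    """Evaluate only the `($A || $B)` presence form used in the post.
    Assumption: a variable counts as set when it has a non-empty value."""
    names = re.findall(r"\$(\w+)", expr)
    return any(bool(variables.get(n)) for n in names)

def rule_selects_job(rule, variables, files) -> bool:
    """Within a single rule, `if` and `exists` must both hold."""
    return if_matches(rule["if"], variables) and bool(exists_matches(rule["exists"], files))

# Constructed file listings: a Laravel/PHP tree and a Rails tree for contrast.
LARAVEL_FILES = ["composer.json", "app/Models/User.php", "routes/web.php", "public/index.php"]
RAILS_FILES = ["Gemfile", "app/models/user.rb", "config/routes.rb"]
MR_VARS = {"CI_MERGE_REQUEST_IID": "42"}  # constructed merge-request pipeline variables

if __name__ == "__main__":
    print("PHP tree selects brakeman-sast:", rule_selects_job(BRAKEMAN_RULE, MR_VARS, LARAVEL_FILES))
    print("Rails tree selects brakeman-sast:", rule_selects_job(BRAKEMAN_RULE, MR_VARS, RAILS_FILES))
```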