Depending on the SAST job (with needs)

Hi,

I’m currently trying to figure out how one could make a job depend on the sast job. I include SAST with this part in my .gitlab-ci.yml:

sast:
  stage: scan
  needs: [gradle-assemble]
include:
  - template: Security/SAST.gitlab-ci.yml

however, I cannot make another job depend on the sast job, for example like this:

foo:
  stage: deploy
  needs: [sast]
  script:
    - echo "Hello, World!"

As far as I understand it, this is because in GitLab, there’s the restriction that job dependencies must have the same rulesets (which determine if they’re executed). SAST seems to have quite complicated rulesets, because it’s extended by a bunch of “sub-scanners” which all have their own rules. The sast job itself has “never” as its rule, so I’m not even sure if I could replicate the ruleset on another job.

I’m wondering if there’s any way to let a job depend on SAST, with the logic that, once all applicable SAST sub-scanners (if any) complete, the job is ready to be run. If there’s no applicable scanner (no SAST job is executed), the job should be ready to run immediately.

I don’t know how one would go about implementing this in the .gitlab-ci.yml file, but if anyone knows if and how it’s possible, please let me know. Thanks!

Hi @rtarita,

Assuming your pipeline stages are like this:

stages:
  - build
  - scan
  - deploy

Your sast job falls under the scan stage. To make sure the sast job finishes before the foo job starts, simply do not mention any needs in your foo job:

foo:
  stage: deploy
  script:
    - echo "Hello, World!"

This will make the runner wait for all previous jobs to get executed successfully and then run this job. Also, if you are still unsure, you can add another job just to ensure your foo job starts only after the previous jobs have executed:

sast:
  stage: scan
  needs: [gradle-assemble]
include:
  - template: Security/SAST.gitlab-ci.yml

validate:test:
  stage: deploy
  script:
    - echo "Validating scan jobs. Empty needs definition for all scan jobs to succeed"

foo:
  stage: deploy
  needs: [validate:test]
  script:
    - echo "Hello, World!"

This will make foo depend upon the validate:test job finishing successfully, and since the validate:test job does not have any needs defined, it will wait for all previous jobs to finish, including the sast job.

Let me know if this works!

1 Like
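An added example, not part of either post above, showing the other way to express the dependency the original question asked for: instead of relying on stage ordering, attach the dependency directly to the scanner jobs the template actually creates and mark them as optional needs. It assumes a Gradle project whose build output lands in build/, and that the scanners the SAST template selects for it are spotbugs-sast and semgrep-sast; check the job names in the SAST template version your instance ships before copying this.

```yaml
# Added example, not from either post above. Assumes a Gradle project whose
# build output lands in build/, and that the scanners the SAST template
# selects for it are spotbugs-sast and semgrep-sast (verify the job names
# against the template version your instance ships).
stages:
  - build
  - test      # default stage of the template's scanner jobs
  - deploy

include:
  - template: Security/SAST.gitlab-ci.yml

gradle-assemble:
  stage: build
  script:
    - ./gradlew assemble   # assumption: the Gradle wrapper is committed
  artifacts:
    paths:
      - build/

# The template's `sast` job has `when: never` and is never part of a
# pipeline, so it cannot be used as a need. Attach the dependency to the
# scanner jobs the template actually creates instead; everything else
# (image, script, rules, allow_failure) is inherited from the template.
spotbugs-sast:
  needs: [gradle-assemble]
  # The template sets allow_failure: true on scanner jobs, so a failing
  # scanner would not stop foo. Uncomment to gate the deploy on it:
  # allow_failure: false

semgrep-sast:
  needs: [gradle-assemble]

foo:
  stage: deploy
  # `optional: true` lets foo start immediately when a scanner's rules
  # exclude it from this pipeline (nothing for it to scan), and wait for
  # it when it is present. Without `optional`, a need on a job that is
  # not in the pipeline fails pipeline creation.
  needs:
    - job: spotbugs-sast
      optional: true
    - job: semgrep-sast
      optional: true
  script:
    - echo "Hello, World!"
```

Two things to keep in mind with this form: the list of optional needs must be maintained whenever the template starts running a different scanner for the project, whereas the stage-ordering approach in the answer above picks up new scanner jobs automatically; and because the template marks scanner jobs as allowed to fail, neither approach blocks the deploy on a scanner failure unless allow_failure is overridden as shown.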

Thank you very much, this worked!