I’m currently trying to figure out how one could make a job depend on the `sast` job. I include SAST with this part in my

```yaml
sast:
  stage: scan
  needs: [gradle-assemble]

include:
  - template: Security/SAST.gitlab-ci.yml
```

however, I cannot make another job depend on the `sast` job, for example like this:

```yaml
foo:
  stage: deploy
  needs: [sast]
  script:
    - echo "Hello, World!"
```

As far as I understand it, this is because in GitLab, there’s the restriction that job dependencies must have the same rulesets (which determine if they’re executed). SAST seems to have quite complicated rulesets, because it’s extended by a bunch of “sub-scanners” which all have their own rules. The `sast` job itself has `never` as its rule, so I’m not even sure if I could replicate the ruleset on another job.
I’m wondering if there’s any way to let a job depend on SAST, with the logic that, once all applicable SAST sub-scanners (if any) complete, the job is ready to be run. If there’s no applicable scanner (no SAST job is executed), the job should be ready to run immediately.
I don’t know how one would go about implementing this in the `.gitlab-ci.yml` file, but if anyone knows if and how it’s possible, please let me know. Thanks!