Depending on the SAST job (with needs)


I’m currently trying to figure out how one could make a job depend on the sast job. I include SAST with this part in my .gitlab-ci.yml:

  sast:
    stage: scan
    needs: [gradle-assemble]

  include:
    - template: Security/SAST.gitlab-ci.yml

however, I cannot make another job depend on the sast job, for example like this:

  deploy:   # job name not given in the original snippet; any name works
    stage: deploy
    needs: [sast]
    script:
      - echo "Hello, World!"

As far as I understand it, this is because in GitLab, there’s the restriction that job dependencies must have the same rulesets (which determine if they’re executed). SAST seems to have quite complicated rulesets, because it’s extended by a bunch of “sub-scanners” which all have their own rules. The sast job itself has `never` as its rule, so I’m not even sure if I could replicate the ruleset on another job.

I’m wondering if there’s any way to let a job depend on SAST, with the logic that, once all applicable SAST sub-scanners (if any) complete, the job is ready to be run. If there’s no applicable scanner (no SAST job is executed), the job should be ready to run immediately.

I don’t know how one would go about implementing this in the .gitlab-ci.yml file, but if anyone knows if and how it’s possible, please let me know. Thanks!
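The following is an added example of a pipeline with the shape described above, not the poster's configuration. It assumes a build job named gradle-assemble, a deploy job named deploy, and that the analyzer jobs the template creates for this project are spotbugs-sast and semgrep-sast (the job names that matter are the analyzer jobs of the template version you include, so check them against that template). The template's own `sast` job carries `rules: - when: never` and only serves as the base the analyzers extend, so `needs: [sast]` can never be satisfied; the dependency has to point at the analyzer jobs, and `needs:job:optional: true` lets the pipeline proceed when an analyzer's rules keep it out of the pipeline.

```yaml
# Added example, not the original poster's .gitlab-ci.yml.
# Assumed names: gradle-assemble, deploy, spotbugs-sast, semgrep-sast.
include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - build
  - scan
  - deploy

gradle-assemble:
  stage: build
  script:
    - ./gradlew assemble

# Overriding the template's `sast` base job: every analyzer job `extends: sast`,
# so the stage and the build dependency propagate to all of them. The `sast`
# job itself keeps the template's `rules: - when: never` and never runs.
sast:
  stage: scan
  needs: [gradle-assemble]

deploy:
  stage: deploy
  needs:
    # `needs: [sast]` would reference a job that is never in the pipeline.
    # Listing the analyzer jobs as optional needs means: wait for each one
    # that is in the pipeline, ignore each one whose rules excluded it.
    - job: spotbugs-sast
      optional: true
    - job: semgrep-sast
      optional: true
  script:
    - echo "Hello, World!"
```

Two caveats worth knowing before relying on this as a gate: the template's analyzer jobs are `allow_failure: true`, so `deploy` still runs when a scanner fails or reports findings (blocking on findings is a separate feature, handled by merge request approval / scan result policies rather than by `needs`), and an optional need is also silently skipped when the job name is misspelled, so verify in the pipeline graph that the analyzer jobs actually appear upstream of `deploy`.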