Depending on the SAST job (with needs)

rtarita · June 27, 2022, 9:50am

Hi,

I’m currently trying to figure out how one could make a job depend on the sast job. I include SAST with this part in my .gitlab-ci.yml:

sast:
  stage: scan
  needs: [gradle-assemble]
include:
  - template: Security/SAST.gitlab-ci.yml

however, I cannot make another job depend on the sast job, for example like this:

foo:
  stage: deploy
  needs: [sast]
  script:
    - echo "Hello, World!"

As far I understand it, this is because in GitLab, there’s the restriction that job dependencies must have the same rulesets (which determine if they’re executed). SAST seems to have quite complicated rulesets, because it’s extended by a bunch of “sub-scanners” which all have their own rules. The sast job itself has never as its rule, so I’m not even sure if I could replicate the ruleset on another job.

I’m wondering if there’s any way to let a job depend on SAST, with the logic that, once all applicable SAST sub-scanners (if any) complete, the job is ready to be run. If there’s no applicable scanner (no SAST job is executed), the job should be ready to run immediately.

I don’t know how one would go about implementing this in the .gitlab-ci.yml file, but if anyone knows if and how it’s possible, please let me know. Thanks!

bhushan.pathak · September 1, 2022, 2:42pm

Hi @rtarita,

Assuming your pipeline stages are like this:

stages:
  - build
  - scan
  - deploy

Your sast job falls under scan stage. To make sure sast job finishes before foo job starts, simply do not mention any needs in your foo job:

foo:
  stage: deploy
  script:
    - echo "Hello, World!"

This will make runner wait for all previous jobs to get executed successfully and then run this job. Also if you are still unsure, then you can add another job just to ensure your foo job starts only if previous jobs are executed:

sast:
  stage: scan
  needs: [gradle-assemble]
include:
  - template: Security/SAST.gitlab-ci.yml

validate:test:
  stage: deploy
  script:
    - echo "Validating scan jobs. Empty needs definition for all scan jobs to succeed"

foo:
  stage: deploy
  needs: [validate:test]
  script:
    - echo "Hello, World!"

This will make foo depends upon validate:test job to finish successfully and since validate:test job does not have any needs defined, it will wait for all previous jobs to finish including sast job.

Let me know if this works!

rtarita · September 1, 2022, 5:27pm

thank you very much, this worked!

Topic		Replies	Views
SAST Testing job not executing from gitlab GitLab CI/CD	2	619	December 2, 2024
SAST job never gets executed (free tier) DevSecOps ci , sast	0	1439	September 1, 2021
GitLab pipeline (.gitlab-ci.yml) for CI and scheduled SAST GitLab CI/CD	2	2257	November 4, 2021
Custom SAST integration not triggered GitLab CI/CD	1	1115	September 13, 2020
SAST Failure (Packer Not Found & Cannot Generate Report/s) DevSecOps ci , security , sast	2	1664	April 8, 2022

Depending on the SAST job (with needs)

Related topics