Gitlab-ci.yml validation fails: Local file 'gitlabci/security/codeanalysis.yml' does not exist

My gitlab-ci.yml fails the VS Code workflow validation with this error:

Local file ‘gitlab/security/codeanalysis.yml’ does not exist

I have it in my long list of includes in gitlab-ci.yml, including another child ci yml in the same path that does work:

  - local: gitlabci/security/codeanalysis.yml
stages:
  - code analysis
  - validation

The path and yml definitely exist.

In addition, lint/workflow validation fails on the codeanalysis.yml itself, saying the sast job: stage I chose doesn’t exist, though this stage is in the parent gitlab-ci.yml.

codeanalysis.yml:

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"

  SAST_EXCLUDED_ANALYZERS: ""
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
#  SCAN_KUBERNETES_MANIFESTS: "false"

sast:
  stage: code analysis
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
  before_script: []  
  script:
    - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
    - exit 1

.sast-analyzer:
  extends: sast
  allow_failure: true
  script:
    - /analyzer run

bandit-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /bandit/
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.py'

eslint-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /eslint/
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.html'
        - '**/*.js'
        - '**/*.jsx'
        - '**/*.ts'
        - '**/*.tsx'



I can get this working by just appending the sast jobs to the parent gitlab-ci.yml, but we have a ton of local ymls included through this method that get called/work. Admittedly, I’m still learning this as a whole, but could someone explain why these errors are popping up when the file/s do exist?

Hi @kazulin

Child pipelines do not inherit stages from parent pipelines. You need to define them.

1 Like
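
As an added example (not from the original thread and not GitLab's own code), here is a small offline check for the two errors discussed above: it resolves each `include: local` path against a checkout and reports any job whose `stage` is missing from the `stages` list of the file being validated together with its includes. The function names, the line-based parser for this YAML subset, and the sample repository are assumptions constructed for illustration; nested includes and `extends` are not followed.

```python
import re
import tempfile
from pathlib import Path

def parse_ci(text):
    """Read only the YAML subset this page uses: include/local, stages, and each job's stage."""
    includes, stages, job_stage, top = [], [], {}, None
    for line in text.splitlines():
        key = re.match(r"([^\s#-][^:]*):", line)       # unindented "name:" line
        item = re.match(r"\s*-\s*(.+)", line)           # any list entry
        stage = re.match(r"\s+stage:\s*(.+)", line)     # "stage:" inside a job
        if key:
            top = key.group(1)
        elif item and top == "stages":
            stages.append(item.group(1).strip("'\" "))
        elif item and top == "include" and item.group(1).startswith("local:"):
            includes.append(item.group(1)[6:].strip("'\" "))
        elif stage:
            job_stage[top] = stage.group(1).strip("'\" ")
    return includes, stages, job_stage

def check(repo_root, entry=".gitlab-ci.yml"):
    """List missing include:local files and job stages that the merged config never declares."""
    root, problems, inc_stages = Path(repo_root), [], []
    includes, stages, job_stage = parse_ci((root / entry).read_text())
    for rel in includes:
        path = root / rel.lstrip("/")
        if not path.is_file():
            problems.append(f"Local file '{rel}' does not exist")
            continue
        _, found, inc_jobs = parse_ci(path.read_text())
        inc_stages = found or inc_stages        # a later include replaces an earlier list
        job_stage = {**inc_jobs, **job_stage}   # the including file's jobs take precedence
    known = set(stages or inc_stages or ["build", "test", "deploy"]) | {".pre", ".post"}
    return problems + [f"{job}: stage '{name}' is not declared"
                       for job, name in sorted(job_stage.items()) if name not in known]

def demo():
    """Run both checks on a constructed two-file repo (sample data, not the poster's project)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, child = Path(tmp), "gitlabci/security/codeanalysis.yml"
        (root / child).parent.mkdir(parents=True)
        (root / child).write_text("sast:\n  stage: code analysis\n  script:\n    - /analyzer run\n")
        (root / ".gitlab-ci.yml").write_text(   # second include is a deliberately absent path
            f"include:\n  - local: {child}\n  - local: gitlabci/security/missing.yml\n"
            "stages:\n  - code analysis\n  - validation\n")
        return check(root), check(root, child)

if __name__ == "__main__":
    print(demo())
```

The first result is the check run from the parent file, the second is the included file validated on its own, where no `stages` list is in scope.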