GitLab pipeline (.gitlab-ci.yml) for CI and scheduled SAST

We would like to have a .gitlab-ci.yml which supports the default CI pipeline and the SAST pipeline only scheduled once a day.

lint, build, test-unit (on merge request)
test-sast (scheduled once a day)

What seems logical but didn’t work is this configuration:

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Workflows/MergeRequest-Pipelines.gitlab-ci.yml

image: node:lts-alpine

stages:
  - lint
  - build
  - test

lint:
  stage: lint
  script:
    - npm i
    - npm run lint

build:
  stage: build
  script:
    - npm i
    - npm run build

test-unit:
  stage: test
  script:
    - npm i
    - npm run test:unit

test-sast:
  stage: test
  script: [ "true" ]
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: always
    - when: never

Then I did some tests using the environment variable SAST_DISABLED, which didn’t work either.

Maybe someone has a similar setup and can help out with a working sample?

Just starting to play with SAST with a maven/java project via this template and also want to, for now, run it via a scheduled pipeline rather than on every commit/push.

Running into the same issues you are describing.

Specifically, this job is running on every commit when I’d rather it not do so:

spotbugs-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /spotbugs/"
    when: never
  - if: "$SAST_EXPERIMENTAL_FEATURES == 'true'"
    exists:
    - "**/AndroidManifest.xml"
    when: never
  - if: "$SAST_DISABLED"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.groovy"
    - "**/*.java"
    - "**/*.scala"
    - "**/*.kt"

So far, I’ve worked around this using:

include:
    - template: Security/SAST.gitlab-ci.yml

sast:
    rules:
        - if: $SWD_JOB_GROUP == "sast"

spotbugs-sast:
    rules:
        - if: $SWD_JOB_GROUP == "sast"

SWD_JOB_GROUP is a schedule variable set in the scheduled pipeline that is intended to run these jobs.

So, now spotbugs-sast no longer runs on commit. But this is fragile/awkward since the template could change over time and new jobs might get added that detect java and start doing things on a commit/push.

Also, another project that uses, say, Python can’t use this pipeline config as a great example to mimic since other jobs will detect **/*.py and decide to go do work on a push.

I later found this issue which captures this complaint well:

https://gitlab.com/gitlab-org/gitlab/-/issues/218444
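One way to apply the reply’s workaround without repeating the rule under every analyzer, as an added example that is not from this thread or from GitLab’s template: a hidden job holds the schedule-only rule and each SAST job from the template pulls it in with `!reference` (which needs a GitLab release that supports `!reference` in `rules`, 14.3 or later). `SAST_SCHEDULE` is an assumed name for the schedule variable; `spotbugs-sast` is the template job named in the thread, and every other analyzer job in the template version you include still needs its own entry, which is the fragility the reply points out.

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - lint
  - build
  - test

# Assumed: the scheduled pipeline sets SAST_SCHEDULE=1 as a schedule
# variable. The rule is false for push and merge-request pipelines,
# so the analyzers only run from that schedule.
.sast-schedule-only:
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $SAST_SCHEDULE == "1"
    - when: never

# The regular CI jobs are kept out of the scheduled SAST run.
.not-on-schedule:
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    - when: on_success

lint:
  stage: lint
  rules:
    - !reference [.not-on-schedule, rules]
  script:
    - npm ci
    - npm run lint

# A `rules` block in this file replaces the rules inherited from the
# template job of the same name, so the template's $CI_COMMIT_BRANCH
# rule no longer fires on every push. Repeat for each analyzer job
# present in the included template version.
spotbugs-sast:
  rules:
    - !reference [.sast-schedule-only, rules]

sast:
  rules:
    - !reference [.sast-schedule-only, rules]
```

Validate the result with the project’s CI Lint page before relying on it, and re-check the list of analyzer jobs whenever the template version changes.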