How to activate SAST policy for Merge Request

andjoe · September 20, 2023, 7:10am

I have the following policy:

---
scan_execution_policy:
- name: Test SAST Scanning
  description: Testing for usage of features.
  enabled: true
  rules:
  - type: pipeline
    branches:
    - merge_requests
  - type: pipeline
    branches:
    - main
  - type: pipeline
    branches:
    - master
  actions:
  - scan: sast
    tags: []

This wont work with the merge_request pipeline that we build the current tooling is built around with the following rules:

  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

If I change the rule to use * instead for the branches it will run but in a separate pipeline like this:

So question is do I need to change the rule to run in not merge request and use branches instead (or another way):

  only:
    - branches

Or can I change the policy to trigger so the sast, dast and whatnot is running in the same pipeline instead of 2 separate pipelines?

balonik · September 20, 2023, 7:43am

There is no option.

branches:
    - merge_requests

I am not sure it can be applied to MR pipelines. But since you have a paid subscription I suggest to reach out to GitLab Support at support.gitlab.com where you will get faster and more qualified reply. This is just a community forum and not an official support channel.

Topic		Replies	Views
MR Approvals How to Use GitLab	2	253	June 29, 2023
Rules and including only one folder in security scans are not working GitLab CI/CD sast	0	560	May 1, 2023
Disable CI/CD pipelines when merge request is updated GitLab CI/CD merge-requests , pipelines , cicd	1	2918	March 27, 2024
Merge request considering merge-request pipelines instead of branch pipelines GitLab CI/CD ci , runner , merge-requests , pipelines	1	45	September 10, 2024
Disabling specific policies when using security policies per project DevSecOps	0	510	July 21, 2023

How to activate SAST policy for Merge Request

Related Topics