I am trying to introduce the default SAST scanner by adding the SAST template in my pipeline. However, this causes the build to run in the SAST scan job. Since the SAST scan is running in the test stage I want to pass the artifact built in the build stage earlier. This would reduce some execution time of my pipeline.
However, I am unable to do this. The documentation alluded to this in the following section:
If your project requires custom build configurations, it can be preferable to avoid compilation during your SAST execution and instead pass all job artifacts from an earlier stage in the pipeline. **This is the current strategy when requiring a before_script execution to prepare your scan job.**
I am not able to understand how can I leverage the before_script to pass the artifact from build stage to test stage.
Hi @arcesium-shuklama,
All artifacts are by default passed to every job in subsequent stages. All you need to do is define artifacts in your build job and they will be available to the SAST jobs running in the next stage.
Thanks @balonik for taking the time to reply on my query.
I was under the same assumption. However, when I include the SAST template and enable debug logs for SAST, I can see that the artifacts are being built once again in the SAST stage.
The project is a maven project and I can see that the mvn compilation is being done once more.
Oh, and did you specify the `COMPILE: false` variable as mentioned in the docs?
To pass your project's dependencies as artifacts, the dependencies must be included in the project's working directory and specified using the artifacts:path configuration. If all dependencies are present, the COMPILE=false CI/CD variable can be provided to the analyzer and compilation is skipped.
@balonik: Thanks again for the quick response.
The compile flag did stop the mvn goal, but the SAST report now contains zero findings, while earlier it had a bunch of findings.
Here is a snippet of my `.gitlab-ci.yml`. Also attached is the SAST report.
```yaml
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

backend_package:
  image: "674283286888.dkr.ecr.us-east-1.amazonaws.com/core-infra/openjdk:11"
  stage: build
  script:
    - ./mvnw package -Dmaven.repo.local=./.m2/repository
  artifacts:
    paths:
      - target/${BACKEND_ARTIFACT_NAME}-${BACKEND_ARTIFACT_VERSION}.war
      - .m2/

spotbugs-sast:
  dependencies:
    - backend_package
  variables:
    COMPILE: "false"
    MAVEN_REPO_PATH: ./.m2/repository
```
From what I can tell, the `spotbugs-sast` job is using `install` instead of `package`. I couldn't find in the SpotBugs docs whether it needs binaries in the repository.
You can try to set this variable for the `spotbugs-sast` job to increase its verbosity: `SECURE_LOG_LEVEL: "debug"`. Maybe something will hint why the report is empty now.
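The failure mode in this thread is a silent one: the pipeline stays green while the SAST report quietly drops from many findings to none. The following script is an added example, not part of the thread or of GitLab's own tooling; it reads a GitLab SAST report (`gl-sast-report.json`, of which only the `vulnerabilities` list with `name`, `severity` and `location` fields is used) and compares it against a baseline report from a run you trust, failing when the new report is empty or has lost more than a chosen fraction of the findings. The two embedded reports are constructed samples that mimic the before/after situation described above.

```python
"""Sanity-check a GitLab SAST report against a trusted baseline.

Added example. Assumes only the documented report shape: a top-level
"vulnerabilities" list whose entries carry "name", "severity" and a
"location" object with "file" and "start_line".
"""
import json
import sys
from collections import Counter

# Constructed sample: a trimmed report from a run that produced findings.
BASELINE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "a1", "category": "sast", "name": "Hard coded credential",
         "severity": "High",
         "location": {"file": "src/main/java/App.java", "start_line": 12}},
        {"id": "b2", "category": "sast", "name": "Path traversal",
         "severity": "Medium",
         "location": {"file": "src/main/java/Files.java", "start_line": 40}},
    ],
})

# Constructed sample: the empty report seen after COMPILE=false.
CURRENT_REPORT = json.dumps({"version": "15.0.0", "vulnerabilities": []})


def load_findings(report_text):
    """Parse a report and return its vulnerabilities list (raises on bad shape)."""
    data = json.loads(report_text)
    findings = data.get("vulnerabilities")
    if not isinstance(findings, list):
        raise ValueError("report has no 'vulnerabilities' list")
    return findings


def severity_counts(findings):
    """Count findings per severity label, e.g. {'High': 1, 'Medium': 1}."""
    return dict(Counter(f.get("severity", "Unknown") for f in findings))


def finding_key(finding):
    """Stable identity for a finding: rule name plus file and line."""
    loc = finding.get("location", {})
    return (finding.get("name"), loc.get("file"), loc.get("start_line"))


def check_report(current_text, baseline_text, max_drop=0.5):
    """Compare the current report with the baseline.

    Fails (ok=False) when the baseline had findings but the current report
    has none, or when more than `max_drop` of the baseline findings vanished.
    Returns a dict with counts, per-severity summary and the missing findings.
    """
    current = load_findings(current_text)
    baseline = load_findings(baseline_text)
    current_keys = {finding_key(f) for f in current}
    missing = [finding_key(f) for f in baseline if finding_key(f) not in current_keys]

    result = {
        "ok": True,
        "reason": "",
        "current": len(current),
        "baseline": len(baseline),
        "by_severity": severity_counts(current),
        "missing": missing,
    }
    if baseline and not current:
        result["ok"] = False
        result["reason"] = "report is empty but baseline had findings; analyzer probably did not see the compiled code"
    elif baseline and len(missing) / len(baseline) > max_drop:
        result["ok"] = False
        result["reason"] = f"{len(missing)} of {len(baseline)} baseline findings are missing"
    return result


def main(argv):
    """Usage: sast_check.py current.json baseline.json  (exit 1 on failure)."""
    if len(argv) != 3:
        print(main.__doc__)
        return 2
    with open(argv[1]) as cur, open(argv[2]) as base:
        result = check_report(cur.read(), base.read())
    print(json.dumps(result, indent=2, default=str))
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a report downloaded from the SAST job and a baseline kept from the last trusted run; in a pipeline it belongs in a stage after `spotbugs-sast`, and an exit status of 1 turns the "zero findings" symptom into a visible job failure instead of a clean-looking scan. The drop threshold is deliberately coarse: findings legitimately come and go between commits, so tune `max_drop` to your project's churn rather than demanding an identical report.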