Issue with SAST report artefact (brakeman - ruby/rails)

I faced an issue with the SAST report artefact (brakeman - ruby/rails): the report is empty, but locally brakeman finds at least one security issue.

Here is our SAST ci file:

variables:
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"

  SAST_DEFAULT_ANALYZERS: "brakeman, nodejs-scan, eslint, tslint"
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  SAST_ANALYZER_IMAGE_TAG: 2.2.0
  SAST_DISABLE_DIND: "true"
  SCAN_KUBERNETES_MANIFESTS: "false"
  SAST_BRAKEMAN_LEVEL: 1

sast:
  stage: test
  allow_failure: true
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'true'
      when: never
    - if: $CI_COMMIT_BRANCH && $GITLAB_FEATURES =~ /\bsast\b/
  image: docker:stable
  variables:
    SEARCH_MAX_DEPTH: 4
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  services:
    - docker:stable-dind
  script:
    - |
      if ! docker info &>/dev/null; then
        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
    - |
      docker run \
        $(awk 'BEGIN{for(v in ENVIRON) print v}' | grep -v -E '^(DOCKER_|CI|GITLAB_|FF_|HOME|PWD|OLDPWD|PATH|SHLVL|HOSTNAME)' | awk '{printf " -e %s", $0}') \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_ANALYZER_IMAGE_TAG" /app/bin/run /code

.sast-analyzer:
  extends: sast
  services: []
  rules:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast\b/
  script:
    - /analyzer run

brakeman-sast:
  extends: .sast-analyzer
  image:
    name: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /brakeman/
      exists:
        - 'config/routes.rb'

eslint-sast:
  extends: .sast-analyzer
  image:
    name: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /eslint/
      exists:
        - '**/*.html'
        - '**/*.js'

nodejs-scan-sast:
  extends: .sast-analyzer
  image:
    name: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
      exists:
        - 'package.json'

tslint-sast:
  extends: .sast-analyzer
  image:
    name: "$SECURE_ANALYZERS_PREFIX/tslint:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED || $SAST_DISABLE_DIND == 'false'
      when: never
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bsast\b/ &&
          $SAST_DEFAULT_ANALYZERS =~ /tslint/
      exists:
        - '**/*.ts'

And here is the artefact report which is produced by the SAST analyzer:

{
  "version": "2.4",
  "vulnerabilities": [],
  "remediations": []
}

But locally brakeman produces security alerts.

Thank you, and I am waiting for your help!

Hi,

can you please share the local calls to the scanner, as well as the executed command line from the CI job? There might be a difference here which produces different results.

Cheers,
Michael

Right after ‘bundle install’ the next command is also called (on GitLab CI):

/analyzer run

And locally I run just:

brakeman

Hi,

it seems that the CI configuration produces different results from inside the Docker image then. Is there a specific reason why you are not using the vendored CI templates? I’ve found them very convenient to use, without having to worry about the “internal” best practice settings and changes over time.

There might also be certain default config settings which influence the behaviour of the security scanner, e.g. the path traversal max depth. In order to get a better picture, can you share the source code and structure, or portions of it including the CI config in a repository to understand and reproduce? Thanks!

Cheers,
Michael
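A small Ruby script that makes the comparison Michael asks for concrete: it diffs a local `brakeman -f json` report against the gl-sast-report.json artefact by file and line, and flags Rails roots that sit deeper than SEARCH_MAX_DEPTH. This is an added example, not code from the thread or from GitLab's analyzers; the sample reports are constructed, and the way depth is counted (directories above config/routes.rb) is an assumption.

```ruby
require "json"

# Constructed stand-in for `brakeman -f json` output from the local run.
LOCAL_BRAKEMAN_JSON = <<~JSON
  {"warnings": [
    {"warning_type": "SQL Injection", "check_name": "SQL", "confidence": "High",
     "file": "app/models/user.rb", "line": 12, "message": "Possible SQL injection"}
  ]}
JSON

# The gl-sast-report.json artefact as posted in the thread (schema 2.4, empty).
CI_REPORT_JSON = <<~JSON
  {"version": "2.4", "vulnerabilities": [], "remediations": []}
JSON

# Brakeman JSON: findings live under "warnings" with "file" and "line".
def brakeman_findings(json)
  JSON.parse(json).fetch("warnings", []).map do |w|
    { file: w["file"], line: w["line"], type: w["warning_type"] }
  end
end

# GitLab SAST report: findings live under "vulnerabilities", each with a
# "location" object carrying "file" and "start_line".
def gitlab_findings(json)
  JSON.parse(json).fetch("vulnerabilities", []).map do |v|
    loc = v.fetch("location", {})
    { file: loc["file"], line: loc["start_line"], type: v["name"] }
  end
end

# Local findings with no CI counterpart at the same file and line.
def missing_in_ci(local_json, ci_json)
  seen = gitlab_findings(ci_json).map { |f| [f[:file], f[:line]] }
  brakeman_findings(local_json).reject { |f| seen.include?([f[:file], f[:line]]) }
end

# SEARCH_MAX_DEPTH limits how deep the analyzer looks for config/routes.rb.
# Assumed here: depth = number of directories above the file, so the repo
# root's config/routes.rb is depth 1 and anything deeper than max_depth is skipped.
def routes_beyond_depth(repo_paths, max_depth)
  repo_paths.select { |p| p.end_with?("config/routes.rb") && p.count("/") > max_depth }
end

if __FILE__ == $PROGRAM_NAME
  missing_in_ci(LOCAL_BRAKEMAN_JSON, CI_REPORT_JSON).each do |f|
    puts "missing in CI: #{f[:type]} at #{f[:file]}:#{f[:line]}"
  end
  routes_beyond_depth(["config/routes.rb", "vendor/a/b/c/d/config/routes.rb"], 4)
    .each { |p| puts "beyond SEARCH_MAX_DEPTH=4: #{p}" }
end
```

Run it with a real `brakeman -f json > local.json` and the downloaded artefact substituted for the two constants; an empty "missing" list means CI and local agree, otherwise the listed files are the ones to check against SAST_EXCLUDED_PATHS and the search depth.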