1. Yes, any git repo that can be mirrored into GitLab so the pipeline can access it https://docs.gitlab.com/ee/ci/ci_cd_for_external_repos/#gitlab-cicd-for-external-repositories-premium
2. Being worked on.
3. Yes, but project either needs to be public or users have to validate credentials to get to containers
4. Maven, NPM and a few others now. Nuget and Helm are coming, I don’t have the issue handy to reference.
5. Not understanding the question
6. SAST works by scanning individual changes for vulnerabilities introduced. A commit on a branch undergoes SAST when the pipeline runs. There is a dashboard at the project and group level that shows the vulnerabilities.
7. The report is on the Merge Request or the Dashboard since that’s where the information is most valuable for making decisions about merging code.
Hi Vish - what are you using for a CR tool? You should be able to set up a job in your pipeline that fetches the SAST JSON artifact from the artifact repo on the GitLab server, pipe the JSON through something like ./jq to pretty-print it and then pipe that to a PDF creator. If the CR tool has an API it may be possible to attach the PDF, too. I don’t have an example to share though.
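As an added example (not from the post above, and not GitLab's own code), here is the summarising step of that approach done in Python instead of jq: it reads a fetched gl-sast-report.json, orders findings by severity, renders a Markdown table a change-request tool could take as an attachment, and exits non-zero if a High or Critical finding is present. The field names follow the GitLab SAST report format as I know it; the sample report, file paths and scanner entries are constructed, and passing the artifact path as the first argument is this script's own convention.

```python
"""Summarise a GitLab SAST report (gl-sast-report.json) for a change-request ticket."""
import json, sys
from collections import Counter
# Severity names worst first; the index is the sort key and the gating threshold.
RANK = {s: i for i, s in enumerate(["Critical", "High", "Medium", "Low", "Info", "Unknown"])}

# Constructed sample in the shape of a gl-sast-report.json; not the output of a real scan.
SAMPLE_REPORT = json.dumps({"version": "14.0.0", "vulnerabilities": [
    {"id": "a1", "category": "sast", "name": "SQL injection", "severity": "High",
     "scanner": {"id": "semgrep", "name": "Semgrep"}, "location": {"file": "app/db.py", "start_line": 42},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
    {"id": "b2", "category": "sast", "name": "Hardcoded credential", "severity": "Medium",
     "scanner": {"id": "semgrep", "name": "Semgrep"}, "location": {"file": "app/settings.py", "start_line": 7},
     "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
    {"id": "c3", "category": "sast", "name": "Weak hash", "severity": "Low",
     "scanner": {"id": "bandit", "name": "Bandit"}, "location": {"file": "app/util.py", "start_line": 13},
     "identifiers": []},
]})

def load_findings(report_text):
    """Parse the report and flatten each vulnerability into the fields a reviewer needs."""
    findings = []
    for v in json.loads(report_text).get("vulnerabilities", []):
        loc = v.get("location", {})
        findings.append({
            "severity": v.get("severity", "Unknown"), "name": v.get("name", "(unnamed)"),
            "file": loc.get("file", "?"), "line": loc.get("start_line", 0),
            "scanner": v.get("scanner", {}).get("name", "?"),
            "identifiers": [i["name"] for i in v.get("identifiers", []) if i.get("name")]})
    # Worst severity first, then by location, so the table reads top-down by urgency.
    return sorted(findings, key=lambda f: (RANK.get(f["severity"], len(RANK)), f["file"], f["line"]))

def render_markdown(findings):
    """Render a severity tally plus one table row per finding, attachable to a CR ticket."""
    counts = Counter(f["severity"] for f in findings)
    tally = ", ".join(f"{s}: {counts[s]}" for s in RANK if counts[s]) or "No findings"
    rows = ["## SAST summary", "", tally, "",
            "| Severity | Finding | Location | Scanner | IDs |", "|---|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f['severity']} | {f['name']} | {f['file']}:{f['line']} | "
                    f"{f['scanner']} | {', '.join(f['identifiers']) or '-'} |")
    return "\n".join(rows)

def exceeds_threshold(findings, fail_at="High"):
    """True if any finding is at severity fail_at or worse, so the CI job can fail the change."""
    return any(RANK.get(f["severity"], len(RANK)) <= RANK[fail_at] for f in findings)

if __name__ == "__main__":
    found = load_findings(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT)
    print(render_markdown(found))
    sys.exit(1 if exceeds_threshold(found) else 0)
```

The Markdown output can be fed to any Markdown-to-PDF converter in a later pipeline step, and the exit code lets the same job act as a merge gate.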