NodeJS Scan SAST scans excluded directories

There are 2 problems, I think.

  1. nodejs-scan-sast is scanning an excluded directory
  2. No artifact is produced for the scanned directory (which does have a package.json file)

My project has been using the template Security/SAST.gitlab-ci.yml and a custom sast-ruleset.toml for the nodejs-scan tool. Every time I run the nodejs-scan-sast job, it detects and scans a directory I do not want it to scan. See below for details of directories I’ve configured to exclude. The job output is this:

$ /analyzer run
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ GitLab NodeJsScan analyzer v2.20.0
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ Detecting project
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ Found project in /builds/<group>/r3/mongo scripts
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ Running analyzer
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ Running passtroughs with timeout 60
[FATA] [NodeJsScan] [2021-12-22T22:29:33Z] ▶ open /tmp/njsscan.json: no such file or directory
Uploading artifacts for failed job
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1

Of note is the fact that the first (and only) directory it scans is the /builds/<group>/r3/mongo scripts directory, which is explicitly excluded (in 2 places below).

My project has 2 separate apps, and I would like the nodejs-scan-sast job to only scan the directories in which the apps reside (/app1 and /app2). I could not find any documentation of how to explicitly include only certain directories (similar to this global variable: LICENSE_FINDER_CLI_OPTS: '--aggregate_paths=app1 app2'). Documentation appears to be slim.

  • Is there a way to only include certain directories for the nodejs-scan-sast job?
  • Is there a solution to the missing /tmp/njsscan.json file problem?

I have this variable set:
SAST_EXCLUDED_PATHS: spec, test, tests, tmp, data utils, devbox, mockup, mongo scripts, **/node_modules

And this is the content of my sast-ruleset.toml file:

[nodejs-scan]
  description = 'custom ruleset for nodejs-scan'

  [[nodejs-scan.passthrough]]
    type  = "raw"
    value = '''
- nodejs-extensions:
    - .js
    - .jsx

  template-extensions:
    - .jade

  ignore-filenames:
    - skip.js

  ignore-paths:
    - __MACOSX
    - mongo scripts
    - **/node_modules
    - containers
    - backgrounds
    - devbox
    - mockup
    - QA

  ignore-extensions:
    - ""

  ignore-rules:
    - ""
'''

I know some time has passed, but if you are still experiencing issues with the file, it is probably because you have a typo in the filename. It needs to be .gitlab/sast-ruleset.toml.
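A check worth running before trusting a passthrough ruleset, added here as an example (not GitLab's or njsscan's code): load the ruleset from the `.gitlab/sast-ruleset.toml` location the reply names, confirm it contains a `[[nodejs-scan.passthrough]]` entry of type `raw`, parse the embedded `ignore-paths` list, and report every entry that matches nothing in the checkout, which is how a misspelled or stale exclusion (or a file stored under the wrong name) shows up before the job runs. The TOML text is the poster's ruleset copied verbatim; the repository layout (`app1/node_modules`, `app2`, `mongo scripts`, `devbox`) is constructed for the demo, and the line parser only supports the list-of-one-mapping layout shown above, not general YAML.

```python
"""Validate a nodejs-scan custom ruleset before relying on its exclusions.

Added example, not GitLab's or njsscan's code. Assumptions:
- the ruleset lives at .gitlab/sast-ruleset.toml (the path given in the reply);
- the raw passthrough uses the njsscan layout shown on the page, so a small
  line-oriented parser is enough (a full YAML parser is deliberately avoided).
"""
import tempfile
from pathlib import Path

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # older interpreters: same API from the tomli package
    import tomli as tomllib  # type: ignore

RULESET_REL_PATH = Path(".gitlab") / "sast-ruleset.toml"

# The poster's ruleset, copied verbatim from the question (constructed demo input).
RULESET_TEXT = """\
[nodejs-scan]
  description = 'custom ruleset for nodejs-scan'

  [[nodejs-scan.passthrough]]
    type  = "raw"
    value = '''
- nodejs-extensions:
    - .js
    - .jsx

  template-extensions:
    - .jade

  ignore-filenames:
    - skip.js

  ignore-paths:
    - __MACOSX
    - mongo scripts
    - **/node_modules
    - containers
    - backgrounds
    - devbox
    - mockup
    - QA

  ignore-extensions:
    - ""

  ignore-rules:
    - ""
'''
"""


def parse_passthrough_yaml(raw: str) -> dict[str, list[str]]:
    """Parse the njsscan block: `- key:` / `  key:` lines followed by `- item` lines.

    Only the subset used on the page is supported; anything else raises ValueError
    so a malformed passthrough is caught instead of silently ignored.
    """
    config: dict[str, list[str]] = {}
    key = None
    for lineno, line in enumerate(raw.splitlines(), 1):
        text = line.strip()
        if not text:
            continue
        if text.endswith(":"):
            key = text.lstrip("- ").rstrip(":").strip()
            config[key] = []
        elif text.startswith("- ") and key is not None:
            config[key].append(text[2:].strip().strip("'\""))
        else:
            raise ValueError(f"line {lineno}: unexpected content {text!r}")
    return config


def load_ignore_paths(repo: Path) -> list[str]:
    """Read the ruleset from its expected location and return its ignore-paths."""
    ruleset = repo / RULESET_REL_PATH
    if not ruleset.is_file():
        raise FileNotFoundError(f"ruleset not found at {RULESET_REL_PATH}; check path and spelling")
    data = tomllib.loads(ruleset.read_text(encoding="utf-8"))
    passthroughs = data.get("nodejs-scan", {}).get("passthrough", [])
    raw_values = [p["value"] for p in passthroughs if p.get("type") == "raw"]
    if not raw_values:
        raise ValueError('no [[nodejs-scan.passthrough]] entry with type = "raw"')
    return parse_passthrough_yaml(raw_values[0]).get("ignore-paths", [])


def unmatched_ignore_paths(repo: Path) -> list[str]:
    """Return ignore-paths that match no directory in the checkout (likely typos or stale entries)."""
    missing = []
    for pattern in load_ignore_paths(repo):
        if pattern and not any(p.is_dir() for p in repo.glob(pattern)):
            missing.append(pattern)
    return missing


def build_demo_repo() -> Path:
    """Constructed checkout: two apps, a vendored node_modules, and two excluded dirs."""
    repo = Path(tempfile.mkdtemp(prefix="sast-ruleset-demo-"))
    (repo / ".gitlab").mkdir()
    (repo / RULESET_REL_PATH).write_text(RULESET_TEXT, encoding="utf-8")
    for d in ("app1/node_modules", "app2", "mongo scripts", "devbox"):
        (repo / d).mkdir(parents=True)
    return repo


if __name__ == "__main__":
    demo = build_demo_repo()
    print("ignore-paths:", load_ignore_paths(demo))
    print("entries matching nothing in the checkout:", unmatched_ignore_paths(demo))
```

Run it from the repository root with `RULESET_REL_PATH` resolved against `Path.cwd()` instead of the demo directory; an entry that matches nothing is not necessarily wrong (the directory may only exist on some branches), but it is the first thing to compare against the "Found project in ..." line of the job log.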