There are 2 problems, I think.

- nodejs-scan-sast is scanning an excluded directory
- No artifact is produced for the scanned directory (which does have a
My project has been using the template Security/SAST.gitlab-ci.yml and a custom sast-ruleset.toml for the nodejs-scan tool. Every time I run the nodejs-scan-sast job, it detects and scans a directory I do not want it to scan. See below for details of directories I've configured to exclude. The job output is this:
```
$ /analyzer run
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ GitLab NodeJsScan analyzer v2.20.0
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ Detecting project
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ Found project in /builds/<group>/r3/mongo scripts
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ Running analyzer
[INFO] [NodeJsScan] [2021-12-22T21:57:25Z] ▶ Running passtroughs with timeout 60
[FATA] [NodeJsScan] [2021-12-22T22:29:33Z] ▶ open /tmp/njsscan.json: no such file or directory
Uploading artifacts for failed job
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 1
```
Of note is the fact that the first (and only) directory it scans is the /builds/<group>/r3/mongo scripts directory, which is explicitly excluded (in 2 places below).
My project has 2 separate apps, and I would like the nodejs-scan-sast job to only scan the directories in which the apps reside (
/app2). I could not find any documentation of how to explicitly include only certain directories (similar to this global variable: `LICENSE_FINDER_CLI_OPTS: '--aggregate_paths=app1 app2'`). Documentation appears to be slim.
- Is there a way to only include certain directories for the
- Is there a solution to the missing
I have this variable set:

```yaml
SAST_EXCLUDED_PATHS: spec, test, tests, tmp, data utils, devbox, mockup, mongo scripts, **/node_modules
```
And this is the content of my

```toml
[nodejs-scan]
description = 'custom ruleset for nodejs-scan'

[[nodejs-scan.passthrough]]
type = "raw"
value = '''
- nodejs-extensions:
  - .js
  - .jsx
  template-extensions:
  - .jade
  ignore-filenames:
  - skip.js
  ignore-paths:
  - __MACOSX
  - mongo scripts
  - **/node_modules
  - containers
  - backgrounds
  - devbox
  - mockup
  - QA
  ignore-extensions:
  - ""
  ignore-rules:
  - ""
'''
```
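A quick way to sanity-check an exclusion list like the `SAST_EXCLUDED_PATHS` value and the `ignore-paths` entries above is to run the paths the job reports through a small matcher before pushing another pipeline. The script below is an added example written for this page; it is not GitLab's or njsscan's own code, and its matching rules are assumptions (comma-separated entries trimmed of surrounding whitespace, each entry treated as a glob matched against the path and every leading directory prefix, `**/` matching at any depth). The sample paths are constructed. If a path you expect to be excluded still comes back as "scanned" here, the pattern itself is the problem; if it is excluded here but the analyzer still scans it, the question is about how the analyzer applies the setting, which this model does not claim to reproduce.

```python
"""Hypothetical exclusion-list checker (added example, not GitLab or njsscan code).

Assumed semantics:
  * entries are comma-separated and trimmed of surrounding whitespace, so
    'mongo scripts' keeps its internal space;
  * each entry is a glob matched against the path and every leading directory
    prefix of it, e.g. 'a/b/c.js' is tested as 'a', 'a/b', 'a/b/c.js';
  * an entry starting with '**/' matches at any depth.
"""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Values taken from the post above.
SAST_EXCLUDED_PATHS = (
    "spec, test, tests, tmp, data utils, devbox, mockup, mongo scripts, **/node_modules"
)
NJSSCAN_IGNORE_PATHS = [
    "__MACOSX", "mongo scripts", "**/node_modules", "containers",
    "backgrounds", "devbox", "mockup", "QA",
]

# Constructed sample paths, relative to the repository root.
SAMPLE_PATHS = [
    "app1/src/index.js",
    "app1/node_modules/lodash/index.js",
    "app2/server.js",
    "mongo scripts/seed.js",
    "data utils/clean.js",
    "tmp/out.js",
    "QA/smoke.js",
]


def parse_excluded_paths(value: str) -> List[str]:
    """Split a SAST_EXCLUDED_PATHS-style string on commas and trim each entry."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def _candidates(path: str) -> List[str]:
    """The path itself plus each leading directory prefix."""
    parts = PurePosixPath(path).parts
    return ["/".join(parts[: i + 1]) for i in range(len(parts))]


def _matches(candidate: str, pattern: str) -> bool:
    """Glob-match one candidate against one pattern; '**/x' matches x at any depth."""
    if pattern.startswith("**/"):
        tail = pattern[3:]
        parts = candidate.split("/")
        return any(fnmatchcase("/".join(parts[i:]), tail) for i in range(len(parts)))
    return fnmatchcase(candidate, pattern)


def is_excluded(path: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern that excludes `path`, or None if it would be scanned."""
    for candidate in _candidates(path):
        for pattern in patterns:
            if _matches(candidate, pattern):
                return pattern
    return None


def partition(paths: List[str], patterns: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split paths into (scanned, [(excluded_path, matching_pattern), ...])."""
    scanned: List[str] = []
    excluded: List[Tuple[str, str]] = []
    for path in paths:
        hit = is_excluded(path, patterns)
        if hit is None:
            scanned.append(path)
        else:
            excluded.append((path, hit))
    return scanned, excluded


EXCLUDED = parse_excluded_paths(SAST_EXCLUDED_PATHS)

if __name__ == "__main__":
    for label, patterns in (("SAST_EXCLUDED_PATHS", EXCLUDED),
                            ("njsscan ignore-paths", NJSSCAN_IGNORE_PATHS)):
        scanned, excluded = partition(SAMPLE_PATHS, patterns)
        print(f"== {label} ==")
        for path in scanned:
            print(f"  scan     {path}")
        for path, pattern in excluded:
            print(f"  exclude  {path}  (matched '{pattern}')")
```

The same `partition` call works for both lists because the matcher only depends on the pattern shape, so you can see at a glance which of the two configurations is responsible for a given path and which entries never match anything in the tree.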