Running the SAST analyzer fails: /analyzer: No such file or directory

Hi everyone,

I’m fairly new to this. I studied the documentation and it says to include the template Sast file Static Application Security Testing (SAST) | GitLab . So I did that:

## Common setup

before_script:
  - GRADLE_COMMAND='echo ChangeMe'

stages:
  - test
  - SAST
  - build
  - DAST
  - deploy

include:
  - local: '/.gitlab/variables.yml'
  - local: '/.gitlab/test.yml'
  - local: '/.gitlab/build.yml'
  - local: '/.gitlab/deploy.yml'
  - local: '/.gitlab/security/static_security.yml'
  - local: '/.gitlab/security/dyn_security.yml'
  - local: '/.gitlab/security/SAST.gitlab-ci.yml'

workflow:
  # Pipeline is spawned only by:
  # 1. merge request,
  # 2. push (merge) to master; deploy/* branches; release/* branches
  # 3. deploy/*/* tags or
  # 4. pipeline sources other than push or merge requests
  rules:
    - if: $CI_MERGE_REQUEST_ID
    - if: '$CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH =~ /^deploy\// || $CI_COMMIT_BRANCH =~ /^release\//'
    - if: '$CI_COMMIT_TAG =~ /^deploy\/[^\/]+\/.+/'
    - if: '$CI_PIPELINE_SOURCE != "push" && $CI_PIPELINE_SOURCE != "merge_request_event"'

But running this in my project fails the sast stage with the following message:

e[0KRunning with gitlab-runner 13.2.1 (efa30e33)
e[0;me[0K  on gcp-lin-build17 zkXJ-PCC
e[0;msection_start:1611332180:prepare_executor
e[0Ke[0Ke[36;1mPreparing the "shell" executore[0;m
e[0;me[0KUsing Shell executor...
e[0;msection_end:1611332180:prepare_executor
e[0Ksection_start:1611332180:prepare_script
e[0Ke[0Ke[36;1mPreparing environmente[0;m
e[0;mRunning on gcp-lin-build17...
section_end:1611332180:prepare_script
e[0Ksection_start:1611332180:get_sources
e[0Ke[0Ke[36;1mGetting source from Git repositorye[0;m
e[0;me[32;1mFetching changes with git depth set to 50...e[0;m
Initialized empty Git repository in /var/gitlabrunner/buildbot/workspace/builds/zkXJ-PCC/0/XXX/secpipeline/.git/
e[32;1mCreated fresh repository.e[0;m
e[32;1mChecking out ed7d8603 as master...e[0;m
e[32;1mSkipping Git submodules setupe[0;m
section_end:1611332181:get_sources
e[0Ksection_start:1611332181:step_script
e[0Ke[0Ke[36;1mExecuting "step_script" stage of the job scripte[0;m
e[0;me[32;1m$ GRADLE_COMMAND='echo ChangeMe'e[0;m
e[32;1m$ /analyzer rune[0;m
bash: line 134: /analyzer: No such file or directory
section_end:1611332181:step_script
e[0Ksection_start:1611332181:upload_artifacts_on_failure
e[0Ke[0Ke[36;1mUploading artifacts for failed jobe[0;m
e[0;me[32;1mUploading artifacts...e[0;m
Runtime platform                                  e[0;m  arche[0;m=amd64 ose[0;m=linux pide[0;m=1874 revisione[0;m=efa30e33 versione[0;m=13.2.1
e[0;33mWARNING: gl-sast-report.json: no matching files   e[0;m 
e[31;1mERROR: No files to upload                         e[0;m 
section_end:1611332181:upload_artifacts_on_failure
e[0Ke[31;1mERROR: Job failed: exit status 1

Most important line: bash: line 134: /analyzer: No such file or directory

We are using Gitlab 13.X (on-prem, premium) with Runners on version 13.x and both mentioned executors.

What am I missing?

Hi @bt-nia, welcome to the community forum! :tada:

Looking at your job log, I see

Preparing the "shell" executor
Using Shell executor...

The SAST job is failing because the GitLab Runner executor is Shell.
To run SAST jobs, by default, you need GitLab Runner with the docker or kubernetes executor.

If you install GitLab Runner in a docker container and register it to your instance or project, the SAST jobs should start working as expected for you.

1 Like

Hey Greg!

thanks for the very quick response here. :slight_smile:
I found that for the job to complete correctly I need to run the job with a specific tag. My mistake was to run it on a default runner, which apparently only has the shell executor. This is what you mean as well, right?

Having to set a specific tag comes at the cost of requiring to add the full SAST yaml file to my pipeline definition file instead of only referencing the template that is part of the gitlab install. That would mean I need to manually update the definitions in case the template is being updated with a new Gitlab version. Do you have a recommendation for me to ensure that the tag is used while not sacrificing the automatic update by only referencing the template?

1 Like

Hi @bt-nia, happy to hear you got the SAST job to complete when using a non-shell runner.

I found that for the job to complete correctly I need to run the job with a specific tag. My mistake was to run it on a default runner, which apparently only has the shell executor.

It sounds like you have a shared runner registered to your GitLab able to pick up untagged jobs, and the shared runner is using the shell executor. When SAST is run on this project, it defaults to using the shared shell runner, causing the job to fail. Is this correct?

Having to set a specific tag comes at the cost of requiring to add the full SAST yaml file to my pipeline definition

Thankfuly to set SAST job to use a specific tagged runner does not require copying the entire SAST template, only specific overrides or customizations need to be added to the yaml. Just specify the tag for the sast job and the rest of the job definition will use the defaults from the latest SAST template.

For example, this CI template would triggers SAST scanning on a sast-runner tagged executor .gitlab-ci.yml:

include:
  - template: SAST.gitlab-ci.yml

sast:
  tags:
    - sast-runner

I hope this helps!

Hello @gitlab-greg !

that worked flawlessly. I now have a different error with the updated gitlab runner. Maybe I should create a new thread for this for clarity.
Summary: We were using runners version 11.3.1 (0aa5179e), which seemed to trigger a bug with the report uploading: Gitlab 11.5 codeclimate.json wrong format · Issue #192 · gabrie-allaigre/sonar-gitlab-plugin · GitHub . I asked the infrastructure team to update and now we are running 13.8.0 (775dd39d), which leads to the following issue:

e[0KRunning with gitlab-runner 13.8.0 (775dd39d)
e[0;me[0K  on gitlab-runner-gitlab-runner-698f7ccc54-7pppg usV16NMd
e[0;msection_start:1611571523:resolve_secrets
e[0Ke[0Ke[36;1mResolving secretse[0;m
e[0;msection_end:1611571523:resolve_secrets
e[0Ksection_start:1611571523:prepare_executor
e[0Ke[0Ke[36;1mPreparing the "kubernetes" executore[0;m
e[0;me[0KUsing Kubernetes namespace: gitlab-runner
e[0;me[0;33mWARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom
e[0;me[0KUsing Kubernetes executor with image $SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION ...
e[0;msection_end:1611571523:prepare_executor
e[0Ksection_start:1611571523:prepare_script
e[0Ke[0Ke[36;1mPreparing environmente[0;m
e[0;msection_end:1611571523:prepare_script
e[0Ke[31;1mERROR: Job failed (system failure): prepare environment: pods is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot create resource "pods" in API group "" in the namespace "gitlab-runner". Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information
e[0;m

Cheers!