Preparing the "shell" executor
Using Shell executor...
The SAST job is failing because the GitLab Runner executor is Shell.
To run SAST jobs, by default, you need GitLab Runner with the docker or kubernetes executor.
If you install GitLab Runner in a docker container and register it to your instance or project, the SAST jobs should start working as expected for you.
Thanks for the very quick response here.
I found that for the job to complete correctly I need to run the job with a specific tag. My mistake was to run it on a default runner, which apparently only has the shell executor. This is what you mean as well, right?
Having to set a specific tag comes at the cost of requiring me to add the full SAST yaml file to my pipeline definition file instead of only referencing the template that is part of the GitLab install. That would mean I need to manually update the definitions in case the template is updated with a new GitLab version. Do you have a recommendation for me to ensure that the tag is used while not sacrificing the automatic update by only referencing the template?
Hi @bt-nia, happy to hear you got the SAST job to complete when using a non-shell runner.
I found that for the job to complete correctly I need to run the job with a specific tag. My mistake was to run it on a default runner, which apparently only has the shell executor.
It sounds like you have a shared runner registered to your GitLab able to pick up untagged jobs, and the shared runner is using the shell executor. When SAST is run on this project, it defaults to using the shared shell runner, causing the job to fail. Is this correct?
Having to set a specific tag comes at the cost of requiring to add the full SAST yaml file to my pipeline definition
Thankfully, setting the SAST job to use a specifically tagged runner does not require copying the entire SAST template; only the specific overrides or customizations need to be added to the yaml. Just specify the tag for the sast job and the rest of the job definition will use the defaults from the latest SAST template.
For example, this CI template would trigger SAST scanning on a sast-runner-tagged executor (.gitlab-ci.yml):
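The override the reply describes, written out here as an added example rather than the reply's own snippet; the tag name sast-runner comes from the thread, and the assumption that the template's per-analyzer jobs inherit from the `sast` job (and therefore pick up the tag) depends on the SAST template version shipped with the instance:

```yaml
# Reference the template shipped with the GitLab instance, so template
# updates arrive automatically with each GitLab upgrade.
include:
  - template: Security/SAST.gitlab-ci.yml

# Override only what must change. Every other key (image, script, stage,
# artifacts, rules) is still taken from the included template.
sast:
  tags:
    - sast-runner   # a runner registered with the docker or kubernetes executor

# Assumption: in the template version in use, the analyzer jobs are built with
# `extends` on the `sast` job, so the tag above applies to all of them. If a
# template keeps the secrets scan as a separate job, give it the same tag:
secret_detection:
  tags:
    - sast-runner
```

Without the tag, untagged SAST jobs fall to any runner that accepts untagged jobs, which in this thread was the shared shell-executor runner.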
That worked flawlessly. I now have a different error with the updated GitLab Runner. Maybe I should create a new thread for this for clarity.
Summary: We were using runners version 11.3.1 (0aa5179e), which seemed to trigger a bug with the report uploading: "Gitlab 11.5 codeclimate.json wrong format" (Issue #192, gabrie-allaigre/sonar-gitlab-plugin on GitHub). I asked the infrastructure team to update and now we are running 13.8.0 (775dd39d), which leads to the following issue:
Running with gitlab-runner 13.8.0 (775dd39d)
  on gitlab-runner-gitlab-runner-698f7ccc54-7pppg usV16NMd
Resolving secrets
Preparing the "kubernetes" executor
Using Kubernetes namespace: gitlab-runner
WARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom
Using Kubernetes executor with image $SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION ...
Preparing environment
ERROR: Job failed (system failure): prepare environment: pods is forbidden: User "system:serviceaccount:gitlab-runner:default" cannot create resource "pods" in API group "" in the namespace "gitlab-runner". Check https://docs.gitlab.com/runner/shells/index.html#shell-profile-loading for more information