SAST cannot be triggered for my nodejs application

yukccy · September 28, 2020, 7:56am

I am using the official template of SAST from the following url,

gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

# This template moved to Jobs/SAST.gitlab-ci.yml in GitLab 14.0
# Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/292977

include:
  template: Jobs/SAST.gitlab-ci.yml

For my repo, the file structure is like this, the json files are in folder deploy,

I have included the above sast template in “include” section of .gitlab-ci.yml. However, when the pipeline is triggered, only eslint-sast has triggered. And there’s no vulunerabilities shown in the eslint report. I am wondering whether nodejs-scan will trigger. Anyone can help please?

virgilwashere · October 13, 2020, 6:53am

The nodejs-scan-sast job has a rule for detecting package.json at the toplevel of the repo.

I have a similar environment to yours, so I’ve done the following to override the included nodejs scan job:

include:
  - template: Security/SAST.gitlab-ci.yml

nodejs-scan-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH &&
        $SAST_DEFAULT_ANALYZERS =~ /nodejs-scan/
      exists:
        - "package.json"
        - "*/package.json"

Hope that helps.

Topic		Replies	Views
Custom SAST integration not triggered GitLab CI/CD	1	1026	September 13, 2020
GitLab SAST Analyzer typescript DevSecOps security	0	1241	August 11, 2022
Running the SAST analyzer fails: /analyzer: No such file or directory DevSecOps ci , runner	4	10124	January 25, 2021
SAST - not detecting secrets and passwords correctly GitLab CI/CD	1	1051	August 19, 2022
NodeJS Scan SAST scans excluded directories DevSecOps nodejs , sast	1	3409	February 10, 2022

SAST cannot be triggered for my nodejs application

Related topics