SAST Failure (Packer Not Found & Cannot Generate Report/s)

Hello!

I am trying to manually enable SAST within a gitlab-ci.yml that has quite a bit of stuff already in it (stages, before_script, etc.). I keep getting job failures for SAST because packer isn't present in the image it pulls (I guess, from the before_script... still learning what someone else constructed). Can someone just explain to me how this works and/or how I can rectify this?

include:
  - local: gitlabci/validation/stuff1.yml
  - local: gitlabci/infrastructure/stuff2.yml
  - local: gitlabci/stuff.balh.yml
  - template: Security/SAST.gitlab-ci.yml

sast:
  stage: app security test
  allow_failure: true
  artifacts:
    name: sast
    paths:
      - gl-sast-report.json

stages:
  - blah
  - app security test
  - blah

before_script:
  - lots of stuff
  - set -eo pipefail
  - packer --version

Pipeline logs (slightly redacted):

Executing "step_script" stage of the job script
Using docker image sha256:218aa01ce977381ad45570bc801bd9cc18bfb0d70208eac5b67db55fd3044e56 for registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:2 with digest registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep@sha256:7b7889a0ef09e0e9868f48117a9a325f848253f2d3b961eebbec3e1239c482f8 ...
$ export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
$ export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
$ export AWS_DEFAULT_REGION=$AWS_REGION
$ export AWS_REGION=$AWS_REGION
$ export PLUGIN_ACCESS_KEY_ID=$PLUGIN_ACCESS_KEY_ID
$ export PLUGIN_SECRET_ACCESS_KEY=$PLUGIN_SECRET_ACCESS_KEY
$ export GITLAB_TOKEN=$GITLAB_TOKEN
$ TF_VAR_stuff=${TF_VAR_stuff:0:$stuff_TRUNCATE}
$ TF_VAR_something=$(echo $TF_VAR_something | sed 's/-$//')
$ set -eo pipefail
$ packer --version
/bin/sh: eval: line 235: packer: not found
Uploading artifacts for failed job
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files
ERROR: No files to upload
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 127

The error you're getting is because you have a before_script that executes packer --version in all jobs in the pipeline, but the SAST scanner images don't use or include a packer executable.

The pipeline logs you shared indicate that registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:2 doesn’t have a packer executable.

greg@gitlab:[~]:) docker run -it registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:2 packer --version
docker: Error response from daemon: failed to create shim: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "packer": executable file not found in $PATH: unknown.

I suggest you avoid adding a global before_script that requires third-party software inside a container image that GitLab ships, and move the packer --version part of your before_script to the individual jobs that need it.

For example, instead of

include:
  - template: Security/SAST.gitlab-ci.yml

before_script:
  - packer --version

which will try to execute the packer --version command in any/all containers that your jobs use, you add the before_script only to the jobs where you know the container image includes the packer executable. Example:

include:
  - template: Security/SAST.gitlab-ci.yml

packer:
  image: hashicorp/packer
  before_script:
    - packer --version
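Putting the answer's advice together with the original pipeline, here is a complete .gitlab-ci.yml as an added example; it is not the poster's pipeline, GitLab's template, or the answerer's code. The stage names, the `packer_build` job, its `template.pkr.hcl`, and the `hashicorp/packer:light` tag are assumptions chosen for illustration. The global `before_script` is moved under `default:` and trimmed to commands that exist in every image, the packer commands live only on the job whose image ships packer, and the `sast` job explicitly sets `before_script: []` so that nothing inherited can break the analyzer containers even if the global list grows later.

```yaml
# Added example, not the original poster's pipeline: a .gitlab-ci.yml that
# keeps the SAST template jobs runnable alongside a packer job.
# Assumptions (not from the original post): stage names, the packer_build job,
# template.pkr.hcl, and the hashicorp/packer:light image tag.

include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - validate
  - app security test
  - build

# Only commands that run in every image the pipeline uses belong here.
# `set -eo pipefail` works in any POSIX shell, so it is safe to keep global;
# `packer --version` is not, because the GitLab analyzer images lack packer.
default:
  before_script:
    - set -eo pipefail

# Commands that need third-party tools go on the job whose image ships them.
packer_build:
  stage: build
  image:
    name: hashicorp/packer:light
    # The packer image's entrypoint is the packer binary itself; clear it so
    # the runner can start its shell and feed the script lines to it.
    entrypoint: [""]
  before_script:
    - packer --version
  script:
    - packer validate template.pkr.hcl
    - packer build template.pkr.hcl

# The template's analyzer jobs (e.g. semgrep-sast) `extends: sast`, so an
# override here reaches all of them. An empty before_script replaces whatever
# `default:` defines, so the analyzer container never runs inherited commands.
sast:
  stage: app security test
  allow_failure: true
  before_script: []
  artifacts:
    name: sast
    paths:
      - gl-sast-report.json
    # The template already declares this report; restating it keeps the
    # Security Dashboard integration intact if the artifacts block is edited.
    reports:
      sast: gl-sast-report.json
```

A quick way to confirm the fix before pushing is the same check the answer used: `docker run --rm --entrypoint sh registry.gitlab.com/gitlab-org/security-products/analyzers/semgrep:2 -c 'command -v packer || echo missing'` prints `missing`, which is exactly why no job running in that image may depend on packer being on PATH.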

Thank you for explaining this - it helped me understand. <3
