- Running Docker-based gitlab-runners in AWS using SAST-IaC to scan Terraform code.
- SAST-IaC fails with an out-of-memory message and a Go stack trace. Increasing the size of the underlying instance does not solve the issue. The weird workaround (until GitLab can address the error) is to add SAST and exclude the spotbugs analyzer.
- Here is the .gitlab-ci.yml configuration used which causes the error. NOTE: These pipelines were working fine up until a month ago.
include:
  # Gitlab Templates https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates
  - template: Security/SAST-IaC.latest.gitlab-ci.yml
...
.source_changes_only: &source_changes_only
  changes: # https://docs.gitlab.com/ee/ci/yaml/#ruleschanges
    - ".gitlab-ci.yml"
    - "**/*.tf"
    - "**/*.tfvars"
    - "**/env/*.tfvars"
...
.appsec_scan_rule: &appsec_scan_rule
  # to generate a diff, need to scan against the default branch and the branch to merge
  if: '$CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
  <<: *source_changes_only
iac-sast:
  stage: validate-network
kics-iac-sast:
  rules:
    - *appsec_scan_rule
Here is the error:
Running with gitlab-runner 15.1.0 (76984217)
on iaa-gitlab-group-runner 8v4tjKV5
Resolving secrets 00:00
Preparing the "docker" executor 00:07
Using Docker executor with image registry.gitlab.com/security-products/kics:2 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/security-products/kics:2 ...
Using docker image sha256:943826ff9fc1491b9e639d5ffbfed60d3e2378e061190a46afe8145b835adeee for registry.gitlab.com/security-products/kics:2 with digest registry.gitlab.com/security-products/kics@sha256:fda4c02089fd52e6a2fe3ec2715fccda540711a1a3f5cfaf232373cbef2b4856 ...
Preparing environment 00:02
Running on runner-8v4tjkv5-project-33534461-concurrent-0 via ip-100-65-121-225...
Getting source from Git repository 00:02
Fetching changes with git depth set to 20...
Reinitialized existing Git repository in /builds/ntet/iaa/sap-fam-iac/.git/
Checking out 84b585a4 as refs/merge-requests/52/merge...
Removing computing/.terraform.lock.hcl
Removing computing/.terraform/
Removing computing/tfplan.bin
Removing computing/tfplan.json
Removing networking/.terraform.lock.hcl
Removing networking/.terraform/
Removing networking/tfplan.bin
Removing networking/tfplan.json
Skipping Git submodules setup
Executing "step_script" stage of the job script 01:51
Using docker image sha256:943826ff9fc1491b9e639d5ffbfed60d3e2378e061190a46afe8145b835adeee for registry.gitlab.com/security-products/kics:2 with digest registry.gitlab.com/security-products/kics@sha256:fda4c02089fd52e6a2fe3ec2715fccda540711a1a3f5cfaf232373cbef2b4856 ...
$ /analyzer run
[INFO] [kics] [2022-07-19T17:34:04Z] ▶ GitLab kics analyzer v2.0.3
[INFO] [kics] [2022-07-19T17:34:04Z] ▶ Detecting project
[INFO] [kics] [2022-07-19T17:34:04Z] ▶ Found relevant files in project, analyzing entire repository
[INFO] [kics] [2022-07-19T17:34:04Z] ▶ Running analyzer
[INFO] [kics] [2022-07-19T17:34:04Z] ▶ path /builds/ntet/iaa/sap-fam-iac
[INFO] [kics] [2022-07-19T17:35:52Z] ▶ Exit Status: 2
[FATA] [kics] [2022-07-19T17:35:52Z] ▶ Encountered a system problem; status code: exit status 2, output: 5:34PM WRN KICS crash report disabled
5:34PM WRN KICS crash report disabled
5:34PM INF Scanning with Keeping Infrastructure as Code Secure v1.5.10
5:34PM INF Operating system: linux
5:34PM INF Total memory: 3.8G
5:34PM INF CPU: 2.0
5:34PM INF Total files in the project: 99
5:34PM INF Loading queries of type: terraform, ansible
5:34PM INF Inspector initialized, number of queries=1262
5:34PM INF Query execution timeout=1m0s
fatal error: runtime: out of memory
runtime stack:
runtime.throw({0x7a4f0e4?, 0x24800000?})
/usr/local/go/src/runtime/panic.go:992 +0x71
runtime.sysMap(0xc0df800000, 0xc000133e90?, 0xc000133ef8?)
/usr/local/go/src/runtime/mem_linux.go:189 +0x11b
runtime.(*mheap).grow(0xc6b9880, 0x1222f?)
/usr/local/go/src/runtime/mheap.go:1404 +0x225
runtime.(*mheap).allocSpan(0xc6b9880, 0x1222f, 0x0, 0x0)
/usr/local/go/src/runtime/mheap.go:1170 +0x171
runtime.(*mheap).alloc.func1()
/usr/local/go/src/runtime/mheap.go:912 +0x65
runtime.systemstack()
/usr/local/go/src/runtime/asm_amd64.s:469 +0x49
goroutine 97 [running]:
runtime.systemstack_switch()
/usr/local/go/src/runtime/asm_amd64.s:436 fp=0xc0023cc3b8 sp=0xc0023cc3b0 pc=0x467f20
runtime.(*mheap).alloc(0x2445e000?, 0x1222f?, 0x0?)
/usr/local/go/src/runtime/mheap.go:906 +0x65 fp=0xc0023cc400 sp=0xc0023cc3b8 pc=0x4291e5
runtime.(*mcache).allocLarge(0x0?, 0x2445e000, 0x0)
/usr/local/go/src/runtime/mcache.go:213 +0x85 fp=0xc0023cc450 sp=0xc0023cc400 pc=0x417505
runtime.mallocgc(0x2445e000, 0x77a2260, 0x1)
/usr/local/go/src/runtime/malloc.go:1096 +0x5a5 fp=0xc0023cc4c8 sp=0xc0023cc450 pc=0x40d905
runtime.growslice(0x77a2260, {0xc0aa3a4000?, 0xc6d0ab8?, 0x0?}, 0x7fc5dcaa3770?)
/usr/local/go/src/runtime/slice.go:278 +0x4ea fp=0xc0023cc530 sp=0xc0023cc4c8 pc=0x45056a
gopkg.in/yaml%2ev3.yaml_emitter_emit(0xc00bcf0000, 0xc6d0ab8?)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/emitterc.go:147 +0x7d fp=0xc0023cc698 sp=0xc0023cc530 pc=0x65b23d
gopkg.in/yaml%2ev3.(*encoder).emit(0xc00bcf0000)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:81 +0x27 fp=0xc0023cc6b8 sp=0xc0023cc698 pc=0x663187
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023cc820)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:264 +0x137 fp=0xc0023cc800 sp=0xc0023cc6b8 pc=0x664b77
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a77ad20?}, {0x6da58a0?, 0xc00a77ad20?, 0xc00bcf0000?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023cc858 sp=0xc0023cc800 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a77ad20?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023cc9a0 sp=0xc0023cc858 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6b5e7a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05fbd2c00?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023ccae8 sp=0xc0023cc9a0 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).slicev(0xc00bcf0000, {0x0?, 0x0}, {0x6b5e7a0?, 0xc05ca41f50?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:281 +0x1bf fp=0xc0023ccc70 sp=0xc0023ccae8 pc=0x664ddf
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6b5e7a0?, 0xc05ca41f50?, 0xc0023cce18?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:170 +0x93c fp=0xc0023ccdb8 sp=0xc0023ccc70 pc=0x663e7c
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f7660a0?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023ccf00 sp=0xc0023ccdb8 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023ccf98 sp=0xc0023ccf00 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023cd100)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023cd0e0 sp=0xc0023ccf98 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a77acf0?}, {0x6da58a0?, 0xc00a77acf0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023cd138 sp=0xc0023cd0e0 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a77acf0?, 0xc0023cd2e0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023cd280 sp=0xc0023cd138 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f75dfe0?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023cd3c8 sp=0xc0023cd280 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023cd460 sp=0xc0023cd3c8 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023cd5c8)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023cd5a8 sp=0xc0023cd460 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a76b3e0?}, {0x6da58a0?, 0xc00a76b3e0?, 0xc0c7393940?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023cd600 sp=0xc0023cd5a8 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a76b3e0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023cd748 sp=0xc0023cd600 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6b5e7a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc00a7496a0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023cd890 sp=0xc0023cd748 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).slicev(0xc00bcf0000, {0x0?, 0x0}, {0x6b5e7a0?, 0xc05cae6420?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:281 +0x1bf fp=0xc0023cda18 sp=0xc0023cd890 pc=0x664ddf
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6b5e7a0?, 0xc05cae6420?, 0xc0023cdbc0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:170 +0x93c fp=0xc0023cdb60 sp=0xc0023cda18 pc=0x663e7c
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f748280?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023cdca8 sp=0xc0023cdb60 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023cdd40 sp=0xc0023cdca8 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023cdea8)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023cde88 sp=0xc0023cdd40 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a76b3b0?}, {0x6da58a0?, 0xc00a76b3b0?, 0xc00bcf0000?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023cdee0 sp=0xc0023cde88 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a76b3b0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023ce028 sp=0xc0023cdee0 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6b5e7a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc00a3310a0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023ce170 sp=0xc0023ce028 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).slicev(0xc00bcf0000, {0x0?, 0x0}, {0x6b5e7a0?, 0xc05caf9a28?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:281 +0x1bf fp=0xc0023ce2f8 sp=0xc0023ce170 pc=0x664ddf
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6b5e7a0?, 0xc05caf9a28?, 0xc0023ce4a0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:170 +0x93c fp=0xc0023ce440 sp=0xc0023ce2f8 pc=0x663e7c
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f748230?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023ce588 sp=0xc0023ce440 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023ce620 sp=0xc0023ce588 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023ce788)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023ce768 sp=0xc0023ce620 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a76b2c0?}, {0x6da58a0?, 0xc00a76b2c0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023ce7c0 sp=0xc0023ce768 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a76b2c0?, 0xc0023ce968?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023ce908 sp=0xc0023ce7c0 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f743e90?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023cea50 sp=0xc0023ce908 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023ceae8 sp=0xc0023cea50 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023cec50)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023cec30 sp=0xc0023ceae8 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a742300?}, {0x6da58a0?, 0xc00a742300?, 0xc0c70fcc70?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023cec88 sp=0xc0023cec30 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a742300?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023cedd0 sp=0xc0023cec88 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6b5e7a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc00a6e59e0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023cef18 sp=0xc0023cedd0 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).slicev(0xc00bcf0000, {0x0?, 0x0}, {0x6b5e7a0?, 0xc05cc47cc8?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:281 +0x1bf fp=0xc0023cf0a0 sp=0xc0023cef18 pc=0x664ddf
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6b5e7a0?, 0xc05cc47cc8?, 0xc0023cf248?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:170 +0x93c fp=0xc0023cf1e8 sp=0xc0023cf0a0 pc=0x663e7c
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f67caa0?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023cf330 sp=0xc0023cf1e8 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023cf3c8 sp=0xc0023cf330 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023cf530)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023cf510 sp=0xc0023cf3c8 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a7422d0?}, {0x6da58a0?, 0xc00a7422d0?, 0xc00bcf0000?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023cf568 sp=0xc0023cf510 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a7422d0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023cf6b0 sp=0xc0023cf568 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6b5e7a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc00a330ca0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023cf7f8 sp=0xc0023cf6b0 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).slicev(0xc00bcf0000, {0x0?, 0x0}, {0x6b5e7a0?, 0xc05d4bbb18?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:281 +0x1bf fp=0xc0023cf980 sp=0xc0023cf7f8 pc=0x664ddf
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6b5e7a0?, 0xc05d4bbb18?, 0xc0023cfb28?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:170 +0x93c fp=0xc0023cfac8 sp=0xc0023cf980 pc=0x663e7c
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f67ca30?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023cfc10 sp=0xc0023cfac8 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023cfca8 sp=0xc0023cfc10 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023cfe10)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023cfdf0 sp=0xc0023cfca8 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a742240?}, {0x6da58a0?, 0xc00a742240?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023cfe48 sp=0xc0023cfdf0 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a742240?, 0xc0023cfff0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023cff90 sp=0xc0023cfe48 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f67c750?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023d00d8 sp=0xc0023cff90 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023d0170 sp=0xc0023d00d8 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023d02d8)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023d02b8 sp=0xc0023d0170 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc00a22ea80?}, {0x6da58a0?, 0xc00a22ea80?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023d0310 sp=0xc0023d02b8 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc00a22ea80?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023d0458 sp=0xc0023d0310 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6b5e7a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc063f18120?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023d05a0 sp=0xc0023d0458 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).slicev(0xc00bcf0000, {0x0?, 0x0}, {0x6b5e7a0?, 0xc05d241a10?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:281 +0x1bf fp=0xc0023d0728 sp=0xc0023d05a0 pc=0x664ddf
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6b5e7a0?, 0xc05d241a10?, 0xc0023d08d0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:170 +0x93c fp=0xc0023d0870 sp=0xc0023d0728 pc=0x663e7c
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05f3838b0?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023d09b8 sp=0xc0023d0870 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023d0a50 sp=0xc0023d09b8 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023d0bb8)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023d0b98 sp=0xc0023d0a50 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc063eb9dd0?}, {0x6da58a0?, 0xc063eb9dd0?, 0xc00bcf0000?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023d0bf0 sp=0xc0023d0b98 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc063eb9dd0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023d0d38 sp=0xc0023d0bf0 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6b5e7a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc063d13790?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023d0e80 sp=0xc0023d0d38 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).slicev(0xc00bcf0000, {0x0?, 0x0}, {0x6b5e7a0?, 0xc05d241a40?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:281 +0x1bf fp=0xc0023d1008 sp=0xc0023d0e80 pc=0x664ddf
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6b5e7a0?, 0xc05d241a40?, 0xc0023d11b0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:170 +0x93c fp=0xc0023d1150 sp=0xc0023d1008 pc=0x663e7c
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05ecab7e0?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023d1298 sp=0xc0023d1150 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023d1330 sp=0xc0023d1298 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023d1498)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023d1478 sp=0xc0023d1330 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc063eb9d10?}, {0x6da58a0?, 0xc063eb9d10?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023d14d0 sp=0xc0023d1478 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6d0ea20?, {0x0, 0x0}, {0x6da58a0?, 0xc063eb9d10?, 0xc0023d1678?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023d1618 sp=0xc0023d14d0 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshal(0x6da58a0?, {0x0, 0x0}, {0x6d0ea20?, 0xc05ecab320?, 0x98?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:162 +0x90b fp=0xc0023d1760 sp=0xc0023d1618 pc=0x663e4b
gopkg.in/yaml%2ev3.(*encoder).mapv.func1()
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:192 +0x112 fp=0xc0023d17f8 sp=0xc0023d1760 pc=0x664292
gopkg.in/yaml%2ev3.(*encoder).mappingv(0xc00bcf0000, {0x0?, 0x0}, 0xc0023d1960)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:265 +0x144 fp=0xc0023d1940 sp=0xc0023d17f8 pc=0x664b84
gopkg.in/yaml%2ev3.(*encoder).mapv(0x6da58a0?, {0x0?, 0xc063eb9bf0?}, {0x6da58a0?, 0xc063eb9bf0?, 0x0?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:187 +0x5f fp=0xc0023d1998 sp=0xc0023d1940 pc=0x66411f
gopkg.in/yaml%2ev3.(*encoder).marshal(0xc00bcf0000?, {0x0, 0x0}, {0x6da58a0?, 0xc063eb9bf0?, 0x73a4860?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:164 +0x8d0 fp=0xc0023d1ae0 sp=0xc0023d1998 pc=0x663e10
gopkg.in/yaml%2ev3.(*encoder).marshalDoc(0xc00bcf0000, {0x0, 0x0}, {0x6da58a0?, 0xc063eb9bf0?, 0xc0584fc6f8?})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:105 +0x185 fp=0xc0023d1d60 sp=0xc0023d1ae0 pc=0x663445
gopkg.in/yaml%2ev3.Marshal({0x6da58a0?, 0xc063eb9bf0})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/yaml.go:222 +0x370 fp=0xc0023d2090 sp=0xc0023d1d60 pc=0x683c10
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).Resolve(0xc0023e55d8, {0xc00e28a000, 0x50bd, 0x5500}, {0xc058397a70, 0x2b}, 0xc063eb9110?)
/app/pkg/resolver/file/file.go:47 +0xe2 fp=0xc0023d20e0 sp=0xc0023d2090 pc=0x63cae02
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).resolvePath(0xc0023e55d8, {0xc00209d080, 0x28}, {0xc00209cf00?, 0x0?}, 0x2f)
/app/pkg/resolver/file/file.go:118 +0x431 fp=0xc0023d2248 sp=0xc0023d20e0 pc=0x63cb6d1
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).walk(0x10?, {0x6c1f780?, 0xc000dd9200?}, {0xc00209cf00?, 0xc0032c9dd8?}, 0x6da58a0?)
/app/pkg/resolver/file/file.go:59 +0xd4 fp=0xc0023d22c0 sp=0xc0023d2248 pc=0x63caf74
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).walk(0xc0023e55d8?, {0x6b5e7a0?, 0xc001eb5260?}, {0xc00209cf00, 0x2b}, 0xffffffffffffffff?)
/app/pkg/resolver/file/file.go:62 +0x17d fp=0xc0023d2338 sp=0xc0023d22c0 pc=0x63cb01d
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).handleMap(0xc0023e55d8?, 0x0?, {0xc00209cf00, 0x2b}, 0xc00089b830?)
/app/pkg/resolver/file/file.go:74 +0xdb fp=0xc0023d2410 sp=0xc0023d2338 pc=0x63cb19b
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).walk(0xc0023e55d8?, {0x6da58a0?, 0xc00089b860?}, {0xc00209cf00?, 0x50000000000002b?}, 0xffffffffffffffff?)
/app/pkg/resolver/file/file.go:66 +0xfb fp=0xc0023d2488 sp=0xc0023d2410 pc=0x63caf9b
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).walk(0xc0023d2568?, {0x6b5e7a0?, 0xc001eb5350?}, {0xc00209cf00, 0x2b}, 0xc0023d25a0?)
/app/pkg/resolver/file/file.go:62 +0x17d fp=0xc0023d2500 sp=0xc0023d2488 pc=0x63cb01d
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).handleMap(0xc0023eb460?, 0x413699?, {0xc00209cf00, 0x2b}, 0x60000c0032e4b28?)
/app/pkg/resolver/file/file.go:74 +0xdb fp=0xc0023d25d8 sp=0xc0023d2500 pc=0x63cb19b
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).walk(0xc0023d26b8?, {0x6da58a0?, 0xc00089b800?}, {0xc00209cf00?, 0x2b?}, 0xc0023d2690?)
/app/pkg/resolver/file/file.go:66 +0xfb fp=0xc0023d2650 sp=0xc0023d25d8 pc=0x63caf9b
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).handleMap(0xc0001bb800?, 0x683840?, {0xc00209cf00, 0x2b}, 0xc0023d2730?)
/app/pkg/resolver/file/file.go:74 +0xdb fp=0xc0023d2728 sp=0xc0023d2650 pc=0x63cb19b
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).walk(0xc0032ca000?, {0x6da58a0?, 0xc00089b0b0?}, {0xc00209cf00?, 0xc001f64a50?}, 0x50bd?)
/app/pkg/resolver/file/file.go:66 +0xfb fp=0xc0023d27a0 sp=0xc0023d2728 pc=0x63caf9b
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).Resolve(0xc0023e55d8, {0xc0032ca000, 0x50bd, 0x5500}, {0xc00209cf00, 0x2b}, 0x0?)
/app/pkg/resolver/file/file.go:45 +0xae fp=0xc0023d27f0 sp=0xc0023d27a0 pc=0x63cadce
...additional frames elided...
created by github.com/Checkmarx/kics/pkg/scanner.PrepareAndScan
/app/pkg/scanner/scanner.go:24 +0xe7
goroutine 1 [select, 1 minutes]:
github.com/Checkmarx/kics/pkg/scanner.PrepareAndScan({0x8828230?, 0xc0000c2068}, {0x79f29db, 0x7}, {0x0?}, {0xc00089e9c0?, 0x3, 0x3})
/app/pkg/scanner/scanner.go:35 +0x2eb
github.com/Checkmarx/kics/pkg/scan.(*Client).executeScan(0xc001a3a000, {0x8828230, 0xc0000c2068})
/app/pkg/scan/scan.go:134 +0xa5
github.com/Checkmarx/kics/pkg/scan.(*Client).PerformScan(0xc001a3a000, {0x8828230, 0xc0000c2068})
/app/pkg/scan/client.go:85 +0x65
github.com/Checkmarx/kics/internal/console.executeScan(0x7a00001?)
/app/internal/console/scan.go:161 +0xbd
github.com/Checkmarx/kics/internal/console.run(0x0?)
/app/internal/console/scan.go:98 +0x1fe
github.com/Checkmarx/kics/internal/console.NewScanCmd.func2(0xc001987900?, {0x79eabd0?, 0xe?, 0xe?})
/app/internal/console/scan.go:43 +0x19
github.com/spf13/cobra.(*Command).execute(0xc001987900, {0xc0003fc700, 0xe, 0xe})
/go/pkg/mod/github.com/spf13/cobra@v1.4.0/command.go:856 +0x67c
github.com/spf13/cobra.(*Command).ExecuteC(0xc001987680)
/go/pkg/mod/github.com/spf13/cobra@v1.4.0/command.go:974 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
/go/pkg/mod/github.com/spf13/cobra@v1.4.0/command.go:902
github.com/spf13/cobra.(*Command).ExecuteContext(...)
/go/pkg/mod/github.com/spf13/cobra@v1.4.0/command.go:895
github.com/Checkmarx/kics/internal/console.Execute()
/app/internal/console/kics.go:84 +0xae
main.main()
/app/cmd/console/main.go:12 +0x19
goroutine 21 [select]:
go.opencensus.io/stats/view.(*worker).start(0xc0001b8400)
/go/pkg/mod/go.opencensus.io@v0.23.0/stats/view/worker.go:276 +0xad
created by go.opencensus.io/stats/view.init.0
/go/pkg/mod/go.opencensus.io@v0.23.0/stats/view/worker.go:34 +0x8d
goroutine 51 [syscall, 1 minutes]:
os/signal.signal_recv()
/usr/local/go/src/runtime/sigqueue.go:151 +0x2f
os/signal.loop()
/usr/local/go/src/os/signal/signal_unix.go:23 +0x19
created by os/signal.Notify.func1.1
/usr/local/go/src/os/signal/signal.go:151 +0x2a
goroutine 52 [chan receive, 1 minutes]:
github.com/Checkmarx/kics/internal/console.gracefulShutdown.func1(0x1, 0x0?)
/app/internal/console/scan.go:179 +0x2b
created by github.com/Checkmarx/kics/internal/console.gracefulShutdown
/app/internal/console/scan.go:178 +0x11a
goroutine 60 [sleep]:
time.Sleep(0x5f5e100)
/usr/local/go/src/runtime/time.go:194 +0x12e
github.com/Checkmarx/kics/pkg/progress/circle.ProgressBar.Start({{0x7a52c6d?, 0x0?}, 0xc001b58000?, 0xc0013020b0?})
/app/pkg/progress/circle/circle_progress.go:51 +0x3d
created by github.com/Checkmarx/kics/pkg/scan.(*Client).initScan
/app/pkg/scan/scan.go:44 +0x12c
goroutine 99 [semacquire, 1 minutes]:
sync.runtime_Semacquire(0xc0008349c0?)
/usr/local/go/src/runtime/sema.go:56 +0x25
sync.(*WaitGroup).Wait(0x4421a5?)
/usr/local/go/src/sync/waitgroup.go:136 +0x52
github.com/Checkmarx/kics/pkg/scanner.PrepareAndScan.func1()
/app/pkg/scanner/scanner.go:31 +0x65
created by github.com/Checkmarx/kics/pkg/scanner.PrepareAndScan
/app/pkg/scanner/scanner.go:27 +0x285
Uploading artifacts for failed job 00:05
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files. Ensure that the artifact path is relative to the working directory
ERROR: No files to upload
Cleaning up project directory and file based variables 00:01
ERROR: Job failed: exit code 1
Oddly enough, the workaround is to also add SAST, but exclude the spotbugs analyzer. This is counter-intuitive, but it works!
Here is the Workaround Configuration:
include:
  # Gitlab Templates https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates
  - template: Security/SAST-IaC.latest.gitlab-ci.yml
  # Don't need SAST only SAST-IaC. However, weird out-of-memory error seems to be eliminated if spotbugs SAST Analyzer
  # is excluded for some reason. See: Issue #10-kics-iac-sast failing in SAP FAM IAC Pipelines
  # https://gitlab.com/ntet/iaa/sap-fam-iac/-/issues/10
  - template: Security/SAST.gitlab-ci.yml
variables:
  SAST_EXCLUDED_ANALYZERS: "spotbugs"
...
sast:
  stage: validate-network
iac-sast:
  stage: validate-network
kics-iac-sast:
  rules:
    - *appsec_scan_rule
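
A triage sketch for the job log above, added here as an example and not part of the original post or of GitLab/KICS: it extracts the memory KICS reported, the size of the allocation that failed, and the package-level call chain of the crashing goroutine. `SAMPLE_LOG` is a shortened excerpt constructed from that log, and the function names `go_package` and `triage_go_oom` are hypothetical.

```python
import re
from collections import Counter
from itertools import groupby

# Constructed sample: a shortened excerpt of the job log above (most frames elided).
SAMPLE_LOG = """\
5:34PM INF Total memory: 3.8G
5:34PM INF Query execution timeout=1m0s
fatal error: runtime: out of memory
runtime stack:
runtime.throw({0x7a4f0e4?, 0x24800000?})
/usr/local/go/src/runtime/panic.go:992 +0x71
goroutine 97 [running]:
runtime.mallocgc(0x2445e000, 0x77a2260, 0x1)
/usr/local/go/src/runtime/malloc.go:1096 +0x5a5 fp=0xc0023cc4c8 sp=0xc0023cc450 pc=0x40d905
runtime.growslice(0x77a2260, {0xc0aa3a4000?, 0xc6d0ab8?, 0x0?}, 0x7fc5dcaa3770?)
/usr/local/go/src/runtime/slice.go:278 +0x4ea fp=0xc0023cc530 sp=0xc0023cc4c8 pc=0x45056a
gopkg.in/yaml%2ev3.yaml_emitter_emit(0xc00bcf0000, 0xc6d0ab8?)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/emitterc.go:147 +0x7d fp=0xc0023cc698 sp=0xc0023cc530 pc=0x65b23d
gopkg.in/yaml%2ev3.(*encoder).emit(0xc00bcf0000)
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/encode.go:81 +0x27 fp=0xc0023cc6b8 sp=0xc0023cc698 pc=0x663187
gopkg.in/yaml%2ev3.Marshal({0x6da58a0?, 0xc063eb9bf0})
/go/pkg/mod/gopkg.in/yaml.v3@v3.0.1/yaml.go:222 +0x370 fp=0xc0023d2090 sp=0xc0023d1d60 pc=0x683c10
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).Resolve(0xc0023e55d8, {0xc00e28a000, 0x50bd, 0x5500}, {0xc058397a70, 0x2b}, 0xc063eb9110?)
/app/pkg/resolver/file/file.go:47 +0xe2 fp=0xc0023d20e0 sp=0xc0023d2090 pc=0x63cae02
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).resolvePath(0xc0023e55d8, {0xc00209d080, 0x28}, {0xc00209cf00?, 0x0?}, 0x2f)
/app/pkg/resolver/file/file.go:118 +0x431 fp=0xc0023d2248 sp=0xc0023d20e0 pc=0x63cb6d1
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).walk(0x10?, {0x6c1f780?, 0xc000dd9200?}, {0xc00209cf00?, 0xc0032c9dd8?}, 0x6da58a0?)
/app/pkg/resolver/file/file.go:59 +0xd4 fp=0xc0023d22c0 sp=0xc0023d2248 pc=0x63caf74
github.com/Checkmarx/kics/pkg/resolver/file.(*Resolver).Resolve(0xc0023e55d8, {0xc0032ca000, 0x50bd, 0x5500}, {0xc00209cf00, 0x2b}, 0x0?)
/app/pkg/resolver/file/file.go:45 +0xae fp=0xc0023d27f0 sp=0xc0023d27a0 pc=0x63cadce
...additional frames elided...
created by github.com/Checkmarx/kics/pkg/scanner.PrepareAndScan
/app/pkg/scanner/scanner.go:24 +0xe7
goroutine 1 [select, 1 minutes]:
github.com/Checkmarx/kics/pkg/scanner.PrepareAndScan({0x8828230?, 0xc0000c2068}, {0x79f29db, 0x7}, {0x0?}, {0xc00089e9c0?, 0x3, 0x3})
/app/pkg/scanner/scanner.go:35 +0x2eb
"""


def go_package(func: str) -> str:
    """Import path of a Go symbol: text up to the first '.' after the last '/'."""
    dot = func.find(".", func.rfind("/") + 1)
    pkg = func if dot < 0 else func[:dot]
    return pkg.replace("%2e", ".")  # tracebacks escape '.' inside a path element


def triage_go_oom(log: str) -> dict:
    """Summarise the goroutine that was running when the Go runtime aborted."""
    mem = re.search(r"Total memory: (\S+)", log)
    frames, gid = [], None
    for raw in log.splitlines():
        line = raw.strip()
        header = re.match(r"goroutine (\d+) \[([^\]]+)\]:$", line)
        if header:
            if gid is not None:
                break  # next goroutine: the crashing one is fully read
            if header.group(2).startswith("running"):
                gid = int(header.group(1))
            continue
        if gid is None or line.startswith(("/", "created by")):
            continue  # not in the running goroutine, or a file:line / creator line
        if line.endswith(")"):  # function line; arguments follow the last '('
            name, args = line.rsplit("(", 1)
            frames.append((name, args.rstrip(")")))
    # mallocgc's first argument is the requested size in bytes; a trailing '?'
    # in a traceback marks a value that may be stale, so it is stripped.
    alloc = next((int(a.split(",")[0].rstrip("?"), 16)
                  for n, a in frames if n == "runtime.mallocgc"), None)
    names = [n for n, _ in frames]
    return {
        "total_memory": mem.group(1) if mem else None,
        "goroutine": gid,
        "alloc_bytes": alloc,
        # consecutive frames collapsed per package, innermost first
        "chain": [(p, len(list(g))) for p, g in groupby(map(go_package, names))],
        # functions present more than once on the stack (re-entrant calls)
        "repeated": sorted(n for n, c in Counter(names).items() if c > 1),
    }


if __name__ == "__main__":
    for key, value in triage_go_oom(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt this reports a single failed request of 608559104 bytes (about 580 MiB) made while `yaml.v3` was marshalling inside a re-entered `Resolve` call.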