SAST job never gets executed (free tier)
I am trying to get SAST up and running, but the test stage of SAST never gets created or executed. My .gitlab-ci.yml is pretty basic:
```yaml
image: ubuntu:20.04

stages:
  - build
  - test

compile:
  stage: build
  tags:
    - docker
  script:
    - echo "Building"

sast:
  stage: test
  script: echo "Running SAST"

include:
  - template: Security/SAST.gitlab-ci.yml
```
When a pipeline now gets created and executes, the only stage that runs is the build stage. The test stage won't even show up.
Interestingly, if I look at the CI editor and view the merged YAML, it reads:
```yaml
---
variables:
  SECURE_ANALYZERS_PREFIX: registry.gitlab.com/gitlab-org/security-products/analyzers
  SAST_EXCLUDED_ANALYZERS: ''
  SAST_EXCLUDED_PATHS: spec, test, tests, tmp
  SCAN_KUBERNETES_MANIFESTS: 'false'
sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
  script: echo "Running SAST"
".sast-analyzer":
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
  script:
    - "/analyzer run"
  extends: sast
  allow_failure: true
bandit-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /bandit/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.py"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
brakeman-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /brakeman/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.rb"
        - "**/Gemfile"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
eslint-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /eslint/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.html"
        - "**/*.js"
        - "**/*.jsx"
        - "**/*.ts"
        - "**/*.tsx"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
flawfinder-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /flawfinder/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.c"
        - "**/*.cpp"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
kubesec-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /kubesec/"
      when: never
    - if: "$CI_COMMIT_BRANCH && $SCAN_KUBERNETES_MANIFESTS == 'true'"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
gosec-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /gosec/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.go"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 3
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
".mobsf-sast":
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
mobsf-android-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /mobsf/"
      when: never
    - if: "$CI_COMMIT_BRANCH && $SAST_EXPERIMENTAL_FEATURES == 'true'"
      exists:
        - "**/*.apk"
        - "**/AndroidManifest.xml"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".mobsf-sast"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
mobsf-ios-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /mobsf/"
      when: never
    - if: "$CI_COMMIT_BRANCH && $SAST_EXPERIMENTAL_FEATURES == 'true'"
      exists:
        - "**/*.ipa"
        - "**/*.xcodeproj/*"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".mobsf-sast"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
nodejs-scan-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/package.json"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
phpcs-security-audit-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.php"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
pmd-apex-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.cls"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
security-code-scan-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.csproj"
        - "**/*.vbproj"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
semgrep-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /semgrep/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.py"
        - "**/*.js"
        - "**/*.jsx"
        - "**/*.ts"
        - "**/*.tsx"
        - "**/*.c"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
sobelow-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_DISABLED"
      when: never
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /sobelow/"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - mix.exs
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
spotbugs-sast:
  stage: test
  artifacts:
    reports:
      sast:
        - gl-sast-report.json
  rules:
    - if: "$SAST_EXCLUDED_ANALYZERS =~ /spotbugs/"
      when: never
    - if: "$SAST_EXPERIMENTAL_FEATURES == 'true'"
      exists:
        - "**/AndroidManifest.xml"
      when: never
    - if: "$SAST_DISABLED"
      when: never
    - if: "$CI_COMMIT_BRANCH"
      exists:
        - "**/*.groovy"
        - "**/*.java"
        - "**/*.scala"
        - "**/*.kt"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
  script:
    - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
image: ubuntu:20.04
stages:
  - ".pre"
  - build
  - test
  - ".post"
compile:
  stage: build
  tags:
    - docker
  script:
    - echo "Building"
```
So why is it that the SAST job is set to `- when: never`? So it will never execute?
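The merged YAML above already contains the explanation: the template's `sast` entry is a base job with `rules: [when: never]` that the real analyzer jobs (`bandit-sast`, `semgrep-sast`, ...) inherit from via `.sast-analyzer`; each analyzer then replaces those rules with its own `exists:` check and only runs on a branch pipeline (`$CI_COMMIT_BRANCH`) when matching files are in the repository. Defining your own `sast:` job merges into that base job, so only `script` is overridden and the `when: never` rule survives. A stage whose jobs are all skipped is simply not shown. The following `.gitlab-ci.yml` is an added example, not code from the original post, showing the weak configuration beside a corrected one. It assumes the repository contains at least one file an analyzer looks for (for instance a `.py` file), that the pipeline is a branch pipeline, and that the runners only pick up tagged jobs (the post's `compile` job uses the `docker` tag); the `default:` block and the extra excluded path are illustrative choices, not something the post states.

```yaml
# Added example (not from the original post).
include:
  - template: Security/SAST.gitlab-ci.yml

image: ubuntu:20.04

# Assumption: runners require the `docker` tag. The template's analyzer jobs
# carry no `tags:`, so without this they would stay pending on tagged-only runners.
default:
  tags:
    - docker

stages:
  - build
  - test   # the template's analyzer jobs live in this stage

compile:
  stage: build
  script:
    - echo "Building"

# --- Weak configuration (what the post has) ---------------------------------
# Redefining `sast:` merges into the template's `sast` base job. Only `script`
# is replaced; the base job's `rules: [when: never]` stays, so it never runs.
# Nothing else appears in the test stage unless some `<tool>-sast` job's
# `exists:` rule matches a file in the repository on a branch pipeline.
#
# sast:
#   stage: test
#   script: echo "Running SAST"

# --- Corrected configuration --------------------------------------------------
# Do not define a `sast` job. Tune the analyzers through the variables the
# template already reads (see `variables:` in the merged YAML):
variables:
  # illustrative: add a vendored directory to the template's default exclusions
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # SAST_EXCLUDED_ANALYZERS: "eslint"   # skip one analyzer by name
  # SAST_DISABLED: "true"               # skip every analyzer

# Checks before pushing, given the rules in the merged YAML:
#  - a file matching an analyzer's `exists:` list is committed (e.g. **/*.py);
#  - the pipeline is a branch pipeline, since every analyzer rule starts with
#    `if: "$CI_COMMIT_BRANCH"` and that variable is unset in merge request pipelines;
#  - the CI editor's merged view shows a `<tool>-sast` job whose rules are not
#    all `when: never`.
```

If a specific analyzer still needs a job-level change, override that job by name (for example `semgrep-sast:` with extra `variables:`) rather than the `sast` base job; GitLab merges your keys into the template's job definition the same way, and the analyzer's own `rules` are kept unless you replace them.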