SAST job never gets executed (free tier)

,

SAST job never gets executed (free tier)

I am trying to get SAST up and running, but the test stage of SAST never gets created or executed. My .gitlab-ci.yml is pretty basic:

image: ubuntu:20.04

stages:
  - build
  - test

compile:
  stage: build
  tags:
    - docker
  script:
    - echo "Building"

sast:
  stage: test
  script: echo "Running SAST"

include:
  - template: Security/SAST.gitlab-ci.yml

When now a pipeline gets created and executes the only stage that will run is the build stage. The test stage won’t even show up.

Interestingly if I look at the ci editor and view the merged yaml it reads:

---
variables:
  SECURE_ANALYZERS_PREFIX: registry.gitlab.com/gitlab-org/security-products/analyzers
  SAST_EXCLUDED_ANALYZERS: ''
  SAST_EXCLUDED_PATHS: spec, test, tests, tmp
  SCAN_KUBERNETES_MANIFESTS: 'false'
sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
  script: echo "Running SAST"
".sast-analyzer":
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
  - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
  script:
  - "/analyzer run"
  extends: sast
  allow_failure: true
bandit-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /bandit/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.py"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/bandit:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
brakeman-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /brakeman/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.rb"
    - "**/Gemfile"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
eslint-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /eslint/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.html"
    - "**/*.js"
    - "**/*.jsx"
    - "**/*.ts"
    - "**/*.tsx"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
flawfinder-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /flawfinder/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.c"
    - "**/*.cpp"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/flawfinder:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
kubesec-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /kubesec/"
    when: never
  - if: "$CI_COMMIT_BRANCH && $SCAN_KUBERNETES_MANIFESTS == 'true'"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/kubesec:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
gosec-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /gosec/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.go"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 3
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/gosec:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
".mobsf-sast":
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
  - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
mobsf-android-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /mobsf/"
    when: never
  - if: "$CI_COMMIT_BRANCH && $SAST_EXPERIMENTAL_FEATURES == 'true'"
    exists:
    - "**/*.apk"
    - "**/AndroidManifest.xml"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".mobsf-sast"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
mobsf-ios-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /mobsf/"
    when: never
  - if: "$CI_COMMIT_BRANCH && $SAST_EXPERIMENTAL_FEATURES == 'true'"
    exists:
    - "**/*.ipa"
    - "**/*.xcodeproj/*"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".mobsf-sast"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
nodejs-scan-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/package.json"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
phpcs-security-audit-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /phpcs-security-audit/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.php"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/phpcs-security-audit:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
pmd-apex-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /pmd-apex/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.cls"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/pmd-apex:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
security-code-scan-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /security-code-scan/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.csproj"
    - "**/*.vbproj"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
semgrep-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /semgrep/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.py"
    - "**/*.js"
    - "**/*.jsx"
    - "**/*.ts"
    - "**/*.tsx"
    - "**/*.c"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
sobelow-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_DISABLED"
    when: never
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /sobelow/"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - mix.exs
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/sobelow:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
spotbugs-sast:
  stage: test
  artifacts:
    reports:
      sast:
      - gl-sast-report.json
  rules:
  - if: "$SAST_EXCLUDED_ANALYZERS =~ /spotbugs/"
    when: never
  - if: "$SAST_EXPERIMENTAL_FEATURES == 'true'"
    exists:
    - "**/AndroidManifest.xml"
    when: never
  - if: "$SAST_DISABLED"
    when: never
  - if: "$CI_COMMIT_BRANCH"
    exists:
    - "**/*.groovy"
    - "**/*.java"
    - "**/*.scala"
    - "**/*.kt"
  variables:
    SEARCH_MAX_DEPTH: 4
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/spotbugs:$SAST_ANALYZER_IMAGE_TAG"
  script:
  - "/analyzer run"
  extends: ".sast-analyzer"
  allow_failure: true
  image:
    name: "$SAST_ANALYZER_IMAGE"
image: ubuntu:20.04
stages:
- ".pre"
- build
- test
- ".post"
compile:
  stage: build
  tags:
  - docker
  script:
  - echo "Building"

So why is it that the SAST job is set to - when: never ? So it will never execute?