SAST : Rules : Condition Check is not working

GitLab CI/CD
1

Hi Team,
I am using GitLab SAST. Rule condition check is not working. Currently GitLab SAST is running for all branches even I added condition check.
Sample Code:

include:
  - template: Security/SAST.gitlab-ci.yml
sast:
  stage: app security scan
  when: manual
  image: gitlab/gitlab-runner:latest
  tags:
    - edms-docker-sast
  script:
    - echo "Running SAST for branch $CI_COMMIT_BRANCH"
  allow_failure: true
  rules:
    - if: '$CI_COMMIT_BRANCH =="main"'
      when: always
    - when: never

I tried both $CI_COMMIT_BRANCH and $CI_COMMIT_REF_NAME in the rules condition check but it is not working properly. Git Lab SAST feature is running for all branches even i added condition check. My requirement is that it should run only specified branches.

one more issue “allow_failure: true/false”. both values are not impacting my pipeline flow. Even though my project scan is generated the gl-sast-report.json file. My another requirement is that if gl-sast-report.json file have vulnerability code is found. Block current pipeline stages and should not process other stages

Git Lab : SAST : Version Details
gitlab-runner 17.5.3 (12030cf4)
GitLab Semgrep analyzer v5.25.0

2

Hi,

I was having the same issue and found a work around. I realized SAST is just calling different jobs and the one that was working in the pipeline was semgrep-sast for me. So i added the same rule you did for it and it works perfectly.

sast:
  stage: app security scan
  
semgrep-sast:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
      exists:
         - '**/*.go'
         - '**/*.cs'
         - '**/*.py'
         - '**/*.php'
         - '**/*.html'
         - '**/*.js'
         - '**/*.jsx'
         - '**/*.ts'
         - '**/*.tsx'