Is there a way to fail the secret detection or SAST jobs if a vulnerability is found?
You can add an additional job, where you read the reports and use a combination of jq and grep to fail the pipeline.
```yaml
sast-job:
  ...
  artifacts:
    paths:
      - gl-sast-report.json
    reports:
      sast: gl-sast-report.json

fail-on-detection:
  needs:
    - sast-job          # pulls in the report artifact produced by sast-job
  script:
    # jq -r prints one bare severity string per finding; grep -qx matches a
    # whole line equal to "Critical". The leading "!" inverts grep's exit
    # status so the job fails only when a Critical finding exists (a plain
    # "grep ... && exit 1" would also fail when grep finds nothing, because
    # grep's own exit status 1 propagates to the job).
    # The image running this job needs jq and grep installed.
    - '! jq -r ".vulnerabilities[] | .severity" gl-sast-report.json | grep -qx Critical'
```
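A more complete check, as an added example that is not part of the answer above: a standard-library Python script that applies a severity threshold instead of matching one string, so it also catches High findings, passes cleanly when the report has an empty `vulnerabilities` array, and fails loudly when the report file is missing. It assumes only the GitLab report layout (a top-level `vulnerabilities` array whose entries carry a `severity` field and a `location`); the file name `fail_on_findings.py`, the constructed sample report, and the threshold argument are my own choices. `gl-sast-report.json` and `gl-secret-detection-report.json` share that layout, so the same script serves the secret detection part of the question.

```python
"""Fail a CI job when a GitLab SAST / Secret Detection report contains
findings at or above a chosen severity.

Added example, not from the original post. Assumes the GitLab report layout:
a top-level "vulnerabilities" array whose entries carry a "severity" string.
"""
import json
import sys
from pathlib import Path

# GitLab severity levels, most to least severe.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample report shaped like gl-sast-report.json (not real scan output).
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "1", "name": "SQL injection", "severity": "Critical",
         "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "2", "name": "Weak hash", "severity": "Medium",
         "location": {"file": "app/auth.py", "start_line": 7}},
        {"id": "3", "name": "Hardcoded token", "severity": "High",
         "location": {"file": "config.py", "start_line": 3}},
    ],
}


def severity_rank(severity):
    """Lower rank is more severe; strings GitLab does not use sort last."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return len(SEVERITY_ORDER)


def findings_at_or_above(report, min_severity):
    """Return the findings whose severity is at least min_severity."""
    threshold = severity_rank(min_severity)
    return [v for v in report.get("vulnerabilities", [])
            if severity_rank(v.get("severity", "Unknown")) <= threshold]


def check_report(report, min_severity="High"):
    """Return (exit_code, report_lines): 1 if blocking findings exist, else 0."""
    if min_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {min_severity}")
    blocking = findings_at_or_above(report, min_severity)
    lines = []
    for v in blocking:
        loc = v.get("location", {})
        lines.append(f"{v.get('severity')}: {v.get('name')} "
                     f"({loc.get('file', '?')}:{loc.get('start_line', '?')})")
    if blocking:
        lines.append(f"{len(blocking)} finding(s) at or above {min_severity}; failing job")
        return 1, lines
    lines.append(f"no findings at or above {min_severity}")
    return 0, lines


def main(argv):
    # usage: fail_on_findings.py REPORT [MIN_SEVERITY]   (hypothetical file name)
    if len(argv) < 2:
        print("usage: fail_on_findings.py REPORT [MIN_SEVERITY]", file=sys.stderr)
        return 2
    path = Path(argv[1])
    min_severity = argv[2] if len(argv) > 2 else "High"
    if not path.is_file():
        # A missing report usually means the scanner job did not run or was
        # skipped; fail rather than silently passing the gate.
        print(f"report not found: {path}", file=sys.stderr)
        return 2
    with path.open() as f:
        report = json.load(f)
    code, lines = check_report(report, min_severity)
    print("\n".join(lines))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline it replaces the jq one-liner: `script: - python3 fail_on_findings.py gl-sast-report.json High`, with the report listed under `needs` and `artifacts` exactly as in the answer above; repeat the job with `gl-secret-detection-report.json` to gate secret detection. Because it needs only `python3`, it does not depend on jq being present in the job image.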