Security-code-scan result in SAST and standalone job

I try to use SAST with this code in .gitlab-ci.yml, and it finds 1 security issue.

include:
#- template: Security/SAST.gitlab-ci.yml

And then I try to run security-code-scan in a separate job; it still runs, but it catches lots of issues.
Most of them are SQL injection. Is this normal? Or do I need to change any SAST configuration to enable more security checks?

security-code-scan:
    stage: security-code-scan
    tags:
        - docker
    image: mcr.microsoft.com/dotnet/sdk:5.0
    script:
        - dotnet restore
        - dotnet tool install --global security-scan
        - $HOME/.dotnet/tools/security-scan example.sln --excl-proj=**/*Test*/** --export=out.sarif
    artifacts:
        paths:
            # must match the --export path above; the scan writes out.sarif, not ./report
            - out.sarif

I apologize, as I’m not super familiar with SAST scanning in .NET using GitLab CI, but assuming that these are different SAST scans being run, this is a very common problem in SAST. Different tools will frequently come back with various different findings. While normally more findings seems like a more robust scan, there is often a very high false positive rate. This is just the nature of the beast, unfortunately. My recommendation would be the more scans the better, to ensure visibility, but this is going to add additional work on the back end of the process to ensure that all these findings are being reviewed and properly handled. There is added complexity with multiple scans as well, because if more than 1 scan identifies the same problem, it will need to be validated twice, but GitLab Ultimate may assist with the consolidation of these findings. Hope this helps.
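Added example (not from either poster and not part of security-code-scan or GitLab): the reply above recommends reviewing every finding and watching for the same problem reported by more than one scanner. Since `security-scan --export=out.sarif` writes SARIF 2.1.0, a small script can read that file, count hits per rule (to see how much of the "lots of issues" is one SQL-injection rule), and group findings from two reports by file and line so that a location flagged by both tools is triaged once. The two SARIF logs below are constructed samples; `other-scanner` is a hypothetical second tool, and the file paths and line numbers are made up.

```python
"""Summarise and cross-reference SARIF 2.1.0 findings from one or more scanners."""
import json
from collections import Counter, defaultdict

# Constructed sample SARIF logs (not real scanner output). The first is shaped like
# what `security-scan --export=out.sarif` writes; the second stands in for a
# hypothetical second scanner's report covering the same repository.
SCS_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "security-code-scan"}},
        "results": [
            {"ruleId": "SCS0002", "level": "warning",
             "message": {"text": "SQL injection"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Data/UserRepository.cs"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "SCS0002", "level": "warning",
             "message": {"text": "SQL injection"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Data/OrderRepository.cs"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "SCS0005", "level": "warning",
             "message": {"text": "Weak random number generator"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Util/Tokens.cs"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})

OTHER_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "other-scanner"}},  # hypothetical second tool
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Tainted data reaches SqlCommand"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/Data/UserRepository.cs"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF log into (tool, rule, level, file, line) records."""
    log = json.loads(sarif_text)
    findings = []
    for run in log.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            locs = result.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": result.get("ruleId", "?"),
                "level": result.get("level", "warning"),
                "file": phys.get("artifactLocation", {}).get("uri", "?"),
                "line": phys.get("region", {}).get("startLine", 0),
            })
    return findings


def count_by_rule(findings):
    """Hits per rule: the first thing to check when a scan reports 'lots of
    issues' and most of them share one rule id."""
    return Counter(f["rule"] for f in findings)


def overlap_by_location(*finding_lists):
    """Group findings from several scanners by (file, line) so a hit flagged
    by more than one tool is reviewed once, not once per tool."""
    at = defaultdict(set)
    for findings in finding_lists:
        for f in findings:
            at[(f["file"], f["line"])].add(f["tool"])
    return {loc: sorted(tools) for loc, tools in at.items()}


def corroborated(overlap):
    """Locations reported by two or more tools; worth reviewing first."""
    return sorted(loc for loc, tools in overlap.items() if len(tools) > 1)


if __name__ == "__main__":
    scs = load_findings(SCS_SARIF)
    other = load_findings(OTHER_SARIF)
    for rule, n in count_by_rule(scs).most_common():
        print(f"{rule}: {n}")
    for loc, tools in overlap_by_location(scs, other).items():
        print(f"{loc[0]}:{loc[1]} <- {', '.join(tools)}")
```

In a pipeline this would read the `out.sarif` artifact from the job above instead of the embedded samples; matching on file and line is deliberately coarse, since two scanners rarely share rule ids, and it is enough to tell "one problem, two reports" from genuinely separate findings.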