[SOLVED] Override "before_script" and "tags" using include template (SAST / Secret Detection)

Hello,

I am trying to include the default GitLab templates for SAST and secret detection into my .gitlab-ci.yml using include template as stated in the documentation (like here). Unfortunately my pipeline definition already contains a before_script section under default which logs into the docker registry. Is there any possibility to tell the include to use an empty before_script or to add some tags (in order to assign shared runners using tags)?

Any feedback or ideas are welcome.

Best regards Jörg

Hi,
you can override job definitions from the template.

include:
  - template: Security/SAST.gitlab-ci.yml

# override eslint-sast job from SAST template
eslint-sast:
  tags:
    - my_tag_123
  before_script:
    - echo "before script"

If you need to see how the jobs are defined, the templates are available here: lib/gitlab/ci/templates · master · GitLab.org / GitLab · GitLab

2 Likes

Thanks for the reply - I could even add .secret-analyzer and sast to have it configured for all possible analyzers at once.

Yes you can, my code was just an example. Don’t forget to check from time to time for any changes to the SAST template that may require some changes in your overrides.
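A complete .gitlab-ci.yml that puts the two replies together, added here as an example and not taken from the thread or from GitLab's templates. It assumes the original poster's setup (a default before_script that logs in to the container registry), a build job named build-image, and runner tags my_tag_123 and my_other_tag; the template paths and the base jobs sast and .secret-analyzer are the ones the GitLab templates define, and the rest is an assumption about a typical project.

```yaml
# Added example, not from the thread. Job names, the tag values and the
# build job are assumptions; the template paths and the base jobs "sast"
# and ".secret-analyzer" come from the GitLab-shipped templates.
default:
  before_script:
    # Registry login that only the project's own build jobs need.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

build-image:
  stage: build
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

# Every analyzer job in the SAST template uses "extends: sast", so keys set
# here reach all of them. A job-level before_script replaces the default one,
# and an empty list means the analyzer containers never receive the registry
# credentials they do not need.
sast:
  before_script: []
  tags:
    - my_tag_123

# The same trick for secret detection: the secret_detection job extends the
# hidden .secret-analyzer job from the template.
.secret-analyzer:
  before_script: []
  tags:
    - my_tag_123

# A single analyzer can still be adjusted on its own. Keys given here are
# merged over the template's eslint-sast definition and win over the shared
# "sast" values it inherits through extends.
eslint-sast:
  tags:
    - my_other_tag
```

Two things to keep in mind when using the global overrides: hash keys are deep-merged with the template but list values (tags, before_script, rules) are replaced outright, so adding a rules: entry to the sast override discards the template's own rules for that base job; and, as the reply above says, the base job names and the extends relationships are template internals that can change between GitLab releases, so re-check them after upgrades. If you prefer not to rely on an empty list, inherit: with default: false on the same jobs turns off every default keyword instead.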

Hello colleagues, may be useful.
If you want to change properties globally, you can do the following.

include:
  template: Security/SAST.gitlab-ci.yml
  rules:
    - if: '$CI_COMMIT_BRANCH != "prod" && $CI_COMMIT_BRANCH !="test"'

Note: rules is optional, depending on your needs.
The second job configures tags globally for all jobs in the template:

sast:
  rules:
    - if: $CI_COMMIT_BRANCH
      when: never
  after_script:
    - cp *.json $CI_JOB_NAME.json
  artifacts:
    paths:
      - ./*.json
      - $CI_JOB_NAME.json
    expire_in: 5 days
  tags: [docker-runner]

This job was created because I was unable to assign a tag in the template configuration, in the ‘include’ section.
So, I created another job, which stores the sast jobs config.
In my case, it was required to perform these tests in all branches, except test and prod. So when I added rules in the include section (to prevent running the sast job on specific branches), an error appeared: ‘Sast job needs script or trigger keyword’. So I added the script keyword, but made this job hidden for all branches.
The only function of my ‘sast’ job is to create the configuration for the checks described in ‘Security/SAST.gitlab-ci.yml’.