Unable to view SAST Scan Reports in Pipeline View
I am using an external (Veracode) security scanner to generate a SAST report, which I am uploading as an artifact after a CI job. When I look under the Security tab in the pipeline, it shows that a scan has been completed, but there are no vulnerabilities.
However, when I look at the Security Dashboard, it shows the actual vulnerabilities (as there are indeed some). I was only able to get this to show in the dashboard by changing the default branch to the one I was running the pipeline on.
Here is the job I am using.
```yaml
sast-pipeline-scan:
  image: veracode/pipeline-scan
  stage: test
  dependencies:
    - "Build Application"
  variables:
    SCAN_TIMEOUT: 60
    VERACODE_POLICY: "Veracode Recommended High + SCA"
  script:
    # Continuation lines are indented deeper than the dash so YAML folds
    # them into a single command.
    - java -jar /opt/veracode/pipeline-scan.jar
      --veracode_api_id "${VERACODE_API_ID}"
      --veracode_api_key "${VERACODE_API_SECRET}"
      --file "${APK}"
      --project_name "${CI_PROJECT_PATH}"
      --project_url "${CI_REPOSITORY_URL}"
      --project_ref "${CI_COMMIT_REF_NAME}"
      --timeout "${SCAN_TIMEOUT}"
      --policy_name "${VERACODE_POLICY}"
      --gl_vulnerability_generation true
  tags:
    - ec2
  allow_failure: true
  artifacts:
    when: always
    name: ${CI_PROJECT_NAME}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}_pipeline-results
    paths:
      - results.json
    reports:
      # GitLab-format report consumed by the Security tab / dashboard
      sast: veracode_gitlab_vulnerabilities.json
    expire_in: 1 week
  cache: {}
```
The artifact appears to upload (and it registers in the dashboard).
The JSON output appears to be in the correct format (I assume this as well, since it can be seen in the dashboard), but I cannot see why, within the job, it reports having zero vulnerabilities.
Any help would be greatly appreciated!
Currently running 13.10.2-ee (cc4224220e6) and we have a trial Ultimate license.
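As an added example (not part of the original post or of Veracode's tooling), a small Python check that a report in the shape the job hands to `reports: sast:` actually contains findings and carries the fields the GitLab report format expects; the required-field list and the sample report are assumptions for illustration:

```python
"""Sanity-check a GitLab SAST report artifact before GitLab consumes it.

Added example, not part of the original post or of the Veracode tool. It
assumes the GitLab security report layout: a top-level "version" and a
"vulnerabilities" list whose entries carry the fields in REQUIRED_FIELDS.
"""
import json
from collections import Counter

# Field names assumed from the GitLab SAST report schema; confirm them
# against the schema version your GitLab release validates.
REQUIRED_FIELDS = ("id", "category", "name", "severity", "scanner", "location")


def check_report(text):
    """Return (vulnerability count, severity histogram, list of problems)."""
    report = json.loads(text)
    if "vulnerabilities" not in report:
        raise ValueError("no 'vulnerabilities' key: GitLab will show an empty scan")
    problems = []
    if "version" not in report:
        problems.append("missing top-level 'version'")
    counts = Counter()
    for i, vuln in enumerate(report["vulnerabilities"]):
        missing = [f for f in REQUIRED_FIELDS if f not in vuln]
        if missing:
            problems.append(f"vulnerability #{i} missing {missing}")
        if vuln.get("category") != "sast":
            problems.append(f"vulnerability #{i} category is not 'sast'")
        counts[vuln.get("severity", "Unknown")] += 1
    return len(report["vulnerabilities"]), counts, problems


# Constructed sample in the shape of veracode_gitlab_vulnerabilities.json;
# the second finding deliberately omits "location".
SAMPLE = json.dumps({
    "version": "3.0",
    "vulnerabilities": [
        {"id": "a1", "category": "sast", "name": "SQL Injection", "severity": "High",
         "scanner": {"id": "veracode", "name": "Veracode Pipeline Scan"},
         "location": {"file": "src/Db.java", "start_line": 42}},
        {"id": "b2", "category": "sast", "name": "Weak Hash", "severity": "Medium",
         "scanner": {"id": "veracode", "name": "Veracode Pipeline Scan"}},
    ],
})

if __name__ == "__main__":
    n, counts, problems = check_report(SAMPLE)
    print(n, dict(counts), problems)
```

Run it against the real `veracode_gitlab_vulnerabilities.json` from the job artifacts: a zero count or a non-empty problem list points at the report rather than at the pipeline view.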