I tried adding the sast scanner to my app today using the automated merge request functionality. It passes with the warning above. I’ve tried adding the entries below to the sast block the merge request created, per some random forum posts, but it still fails. Any advice?
sast:
stage: test
artifacts:
paths:
- 'gl-sast-report.json'
variables:
CI_DEBUG_TRACE: "true"
include:
- template: Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
Hi @synaptrix!
You need to put those includes outside of the SAST job I believe. The chunk of code on this docs page may help show that better than I can explain it.
Hope this helps!
-James H, GitLab Product Manager, Verify:Pipeline Execution
Thanks James -
I moved the includes to the top of the file and added another node I saw in the docs you mentioned and it’s still failing with the same error. See below:
sast:
stage: test
artifacts:
reports:
sast: gl-sast-report.json
paths:
- 'gl-sast-report.json'
@synaptrix - Is the file being created in the SAST job?
-James H, GitLab Product Manager, Verify:Pipeline Execution
I don’t know, but it doesn’t look like it. The image below is output when the debug variable is included.
I configured this originally from this page: 11.04.2021-13.32.50 and assumed it would just work.
There seems to be a bug in the SAST yaml templates, the artifacts section needs to look like this:
artifacts:
name: sast
paths:
- gl-sast-report.json
reports:
sast: gl-sast-report.json
when: always
I am trying to get past the gl-sast-report.json error. Can anyone give advice on my setup?
sast:
tags:
- docker
stage: test
artifacts:
name: sast
paths:
- 'gl-sast-report.json'
reports:
sast: gl-sast-report.json
when: always