Uploading artifacts... WARNING: gl-sast-report.json: no matching files ERROR: No files to upload

,

I tried adding the sast scanner to my app today using the automated merge request functionality. It passes with the warning above. I’ve tried adding the entries below to the sast block the merge request created, per some random forum posts, but it still fails. Any advice?

sast:
  stage: test
  artifacts:
    paths:
    - 'gl-sast-report.json'
  variables:
    CI_DEBUG_TRACE: "true"
include:
- template: Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml

1 Like

Hi @synaptrix!

You need to put those includes outside of the SAST job I believe. The chunk of code on this docs page may help show that better than I can explain it.

Hope this helps!

-James H, GitLab Product Manager, Verify:Pipeline Execution

Thanks James -

I moved the includes to the top of the file and added another node I saw in the docs you mentioned and it’s still failing with the same error. See below:

sast:
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
    - 'gl-sast-report.json'

1 Like

@synaptrix - Is the file being created in the SAST job?

-James H, GitLab Product Manager, Verify:Pipeline Execution

I don’t know, but it doesn’t look like it. The image below is output when the debug variable is included.
I configured this originally from this page: 11.04.2021-13.32.50 and assumed it would just work.

There seems to be a bug in the SAST yaml templates, the artifacts section needs to look like this:

 artifacts:
   name: sast
   paths:
     - gl-sast-report.json
   reports:
     sast: gl-sast-report.json
   when: always

Found in Reports not available as Artifacts: SAST, DAST, Dependency-Scanning (#345696) · Issues · GitLab.org / GitLab · GitLab

I am trying to get past the gl-sast-report.json error. Can anyone give advice on my setup?

sast:
  tags:
    - docker
  stage: test
  artifacts:
    name: sast
    paths:
      - 'gl-sast-report.json'
    reports:
      sast: gl-sast-report.json
    when: always