jchan

Reputation: 51

GitLab CI SAST: using artifacts of the gl-sast-report.json report in a following stage, with 2 different scanners used

I would like to use the artifacts generated from the SAST stage in a subsequent stage of my CI. My project has 2 different file types, .py and .js.

stages:
  - test
  - upload

include:
  - template: Security/SAST.gitlab-ci.yml

sast:
  stage: test
  allow_failure: true
  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json

bandit-sast:
  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json

eslint-sast:
  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json

send-reports:
  stage: upload
  rules:
    - if: $CI_COMMIT_BRANCH == "master"
    - if: $CI_MERGE_REQUEST_IID
  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json
  script: |
    ls
    cat gl-sast-report.json

A report is generated for both the bandit and eslint jobs, but for the send-reports stage only the eslint report is showing up. Any idea on how to get both reports in the next stage? This is from the GitLab runner; it shows only the eslint report. When I remove the .js files, the bandit report is the one that is shown.

Downloading artifacts
00:01
Downloading artifacts for bandit-sast (833806353)...
Downloading artifacts from coordinator... ok        id=833806353 responseStatus=200 OK token=m4wuayAs
Downloading artifacts for eslint-sast (833806354)...
Downloading artifacts from coordinator... ok        id=833806354 responseStatus=200 OK token=skGyM8bW

I have tried changing the names for the bandit SAST paths and reports to bandit-report.json, but that causes the job to fail on the uploading artifacts step, with no matching files found.

Uploading artifacts for successful job
00:01
Uploading artifacts...
WARNING: bandit-report.json: no matching files     
ERROR: No files to upload      

Upvotes: 3

Views: 2027

Answers (1)

cgseller

Reputation: 4043

If you are using the templates from GitLab, the jobs all run in parallel and use the same artifact name. I have found that if you do this, the artifacts are "lost" for some reason unknown to me. If you instead append (override) the GitLab template jobs with your own and control the artifact passing, it will provide the gl-sast-report.json file to your next stage.

For example, add this in YOUR GitLab CI file:

brakeman-sast:
  artifacts:
    paths:
      - gl-sast-report.json
    when: always

That will merge with the job of the same name from the include (e.g. "- template: Jobs/SAST.gitlab-ci.yml") and then override the array for paths.

Try just the above and see if you get the gl-sast-report.json from the brakeman job. Then (I still have yet to do this) create job overrides for the other -sast jobs and use a unique file name or a post-script to rename the file to avoid artifact collision.

Upvotes: 0
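One way to carry out the "unique file name plus a post-script rename" idea from the answer for the two analyzers in the question, written as an added example (it is not the asker's pipeline, the answerer's snippet, or GitLab's own template). It assumes the template job names bandit-sast and eslint-sast from the question, that after_script runs before a job's artifacts are collected (GitLab's documented behaviour), and that the runner is recent enough for needs with optional: true. Each analyzer still writes gl-sast-report.json into the working directory; the override renames it so the two uploads no longer overwrite each other, and the upload job then pulls both files explicitly:

```yaml
stages:
  - test
  - upload

include:
  - template: Security/SAST.gitlab-ci.yml

# Override the two analyzer jobs created by the template. The analyzer
# itself still writes gl-sast-report.json; after_script runs before the
# artifacts are collected, so renaming here gives each job its own file.
# "|| true" keeps after_script quiet when an analyzer produced no report.
bandit-sast:
  after_script:
    - test -f gl-sast-report.json && mv gl-sast-report.json bandit-sast-report.json || true
  artifacts:
    when: always          # keep the report even when findings fail the job
    paths:
      - bandit-sast-report.json
    reports:
      sast: bandit-sast-report.json

eslint-sast:
  after_script:
    - test -f gl-sast-report.json && mv gl-sast-report.json eslint-sast-report.json || true
  artifacts:
    when: always
    paths:
      - eslint-sast-report.json
    reports:
      sast: eslint-sast-report.json

send-reports:
  stage: upload
  # Fetch artifacts only from the two overridden jobs. optional: true keeps
  # this job valid when the template skips an analyzer (e.g. no .py files).
  needs:
    - job: bandit-sast
      artifacts: true
      optional: true
    - job: eslint-sast
      artifacts: true
      optional: true
  rules:
    - if: $CI_COMMIT_BRANCH == "master"
    - if: $CI_MERGE_REQUEST_IID
  script: |
    ls -l ./*-sast-report.json || true
    for f in bandit-sast-report.json eslint-sast-report.json; do
      if [ -s "$f" ]; then
        echo "== $f"
        cat "$f"
      else
        echo "missing or empty: $f"
      fi
    done
```

Two points worth noting against the question's original pipeline: the failure with bandit-report.json came from changing only the artifact path while the analyzer kept writing gl-sast-report.json, so the rename in after_script is what makes the new name exist at upload time; and the upload job here no longer re-declares the report under artifacts:reports:sast, since the analyzer jobs already register their own reports and re-uploading a single file from the upload stage would reintroduce the one-file collision.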
