Reputation: 101
Below is my `.gitlab-ci.yml`:

```yaml
image: docker:latest
services:
  - docker:dind

include:
  - template: Jobs/SAST.gitlab-ci.yml

stages:
  - build
  - test
  - deploy
  - upload

variables:
  CONTAINER_TEST_IMAGE: $CI_REGISTRY_IMAGE:test
  CONTAINER_RELEASE_IMAGE: $CI_REGISTRY_IMAGE:dev
  DOCKER_HOST: tcp://docker:2375
  DOCKER_TLS_CERTDIR: ""
  DOCKER_DRIVER: overlay2
  SAST_DISABLE_DIND: "true"

# Top-level before_script is a global default: every job inherits it.
before_script:
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

build:
  stage: build
  script:
    - docker build -t $CONTAINER_TEST_IMAGE .
    - docker push $CONTAINER_TEST_IMAGE
  tags:
    - xlp2

sast:
  stage: test
  tags:
    - xlp2
  allow_failure: true
  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json

test:
  stage: test
  script:
    - docker pull $CONTAINER_TEST_IMAGE
    - docker run -d --name test_container $CONTAINER_TEST_IMAGE
    - sleep 60
    # docker ps exits 0 even when no container matches, so test its output
    # rather than its exit status.
    - if [ -z "$(docker ps -q -f status=running -f name=test_container)" ]; then
        echo "Container is not running.";
        exit 1;
      fi
    - docker rm -f test_container
    - docker rmi $CONTAINER_TEST_IMAGE
  dependencies:
    - build
  tags:
    - xlp2

deploy:
  stage: deploy
  script:
    - docker pull $CONTAINER_TEST_IMAGE
    - docker tag $CONTAINER_TEST_IMAGE $CONTAINER_RELEASE_IMAGE
    - docker push $CONTAINER_RELEASE_IMAGE
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "devops"'
  dependencies:
    - build
  tags:
    - xlp2

send-reports:
  stage: upload
  tags:
    - xlp2
  artifacts:
    reports:
      sast: gl-sast-report.json
  script: |
    cat gl-sast-report.json
    # The SAST report is a JSON object with a "vulnerabilities" array, not a
    # bare list, so comparing the whole file to "[]" never matches; check for
    # an empty array instead.
    if grep -q '"vulnerabilities": *\[\]' gl-sast-report.json
    then
      echo "🙂 all good! Your source code looks amazing"
    else
      echo "😡 ouch! There are some vulnerabilities"
    fi
```
When I push the changes to GitLab, this is the error log from the GitLab job:

```
Using docker image sha256:ba9ee6b6f770d81051bda6381f74246c730b618ea93eb54b215cbeb862aff0ee for registry.gitlab.com/security-products/semgrep:3 with digest registry.gitlab.com/security-products/semgrep@sha256:258ceebede48e14d7eb3759018537b4602950a93d146c1d7b9c240eebabf35e3 ...
$ docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
/bin/sh: eval: line 142: docker: not found
Uploading artifacts for failed job
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files. Ensure that the artifact path is relative to the working directory
ERROR: No files to upload
Cleaning up project directory and file based variables
ERROR: Job failed: exit code 127
```
What I tried:

Thanks to @sytech, the fix is working 100%.

After a successful run I see the JSON report below, where it says there are some vulnerabilities. But I don't understand what exactly the vulnerability is?
Upvotes: 0
Views: 716
Reputation: 40951
Your global default `before_script` seems to be accidentally interfering with the included `sast` job. This is because the `sast` job uses an image that does not have `docker`, so this causes an error in that job.

To avoid this, you can add the following to the job that is failing. This will prevent it from inheriting the global default `before_script`:

```yaml
inherit:
  default: false
```

Alternatively, you can forgo using the global default key (setting `before_script:` on each job that needs it) and that will also fix it.
Upvotes: 1
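Applying the first suggestion to the asker's pipeline looks like this. It is an added example, not the asker's file or @sytech's own text: the job names, the `xlp2` runner tag and the variables come from the question; the `--password-stdin` form of the login is my substitution (it keeps the registry password out of the command line echoed in the job log); and the `test`, `deploy` and `send-reports` jobs are omitted because the fix does not touch them.

```yaml
image: docker:latest
services:
  - docker:dind

include:
  - template: Jobs/SAST.gitlab-ci.yml

stages:
  - build
  - test

variables:
  CONTAINER_TEST_IMAGE: $CI_REGISTRY_IMAGE:test
  DOCKER_HOST: tcp://docker:2375
  DOCKER_TLS_CERTDIR: ""
  SAST_DISABLE_DIND: "true"

# Top-level image, services and before_script are global defaults: every job,
# including the jobs pulled in by the SAST template, gets them unless it opts out.
# Feeding the password on stdin (my change, not the asker's) keeps it out of the
# "$ docker login ..." line that the runner prints to the job log.
before_script:
  - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

build:
  stage: build
  script:
    - docker build -t "$CONTAINER_TEST_IMAGE" .
    - docker push "$CONTAINER_TEST_IMAGE"
  tags:
    - xlp2

# Override of the template's sast job. The analyzer jobs in the template (the
# semgrep one seen in the log) extend this job, so keys set here reach them.
# inherit.default: false stops the job from picking up the global defaults
# (image, services and, crucially, before_script), so the analyzer image,
# which has no docker binary, is never asked to run `docker login`.
# Global `variables:` are unaffected: that is governed by `inherit: variables`,
# which stays at its default of true.
sast:
  stage: test
  inherit:
    default: false
  tags:
    - xlp2
  allow_failure: true
  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json
```

The second route the answer names is the tidier one when only a few jobs need the registry: delete the top-level `before_script`, put the login in a hidden job such as `.registry-login`, and add `extends: .registry-login` to `build`, `test` and `deploy`; the `sast` job then never sees the login at all. Either way, the check is the same: in the next pipeline the sast job log should start with the analyzer, with no `$ docker login` line in front of it.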