#4 SAST & Artifacts

Step 01 - Preparing the Pipeline

1. First we need to get back to editing our pipeline from the last track. Make sure your still in your workshop-project space and use the left hand navigation menu to click through Build -> Pipeline Editor so we can edit our pipeline .yml file.

2. Under where we define the image: for our pipeline we will add the below code to include the SAST template:

   include:
     - template: Security/SAST.gitlab-ci.yml

3. To take a look at the template we just added look near the top of the edit page next to where you can select the branch (Switch branch, branch will show main right now), there will be a tree expand icon we want to click. From here we can see a link to all of the templates we currently have included in our pipeline.

Docs for writing your own templates

4. We then want to click the link for Jobs/SAST.gitlab-ci.yml that will open a new window where you can view the contents of the job we have included. Spend some time looking this over then close out the window to get back to our pipeline editor screen.

5. You can also click the Full configuration to see the complete yaml output of your .gitlab-ci.yml file plus all templates you have included.

6. Lets go ahead and click Commit Changes and use the left hand menu to click through Build -> Pipelines, then click the hyperlink from the most recently kicked off pipeline that starts with #. Now we will see some extra jobs in the testing stage that are brought in by the SAST template.

If you run into any issues you can use the left hand navigation menu to click through Build -> Pipelines, click Run pipeline, select basic-sast and click Run pipeline once again.

Step 02 - Using Inheritance to Enhance Our Pipeline

1. Now that our pipeline has ran lets build off of the SAST template using inheritance. Use the left hand menu to click through Build -> Pipeline editor so we can edit the config.

2. We first want to make a new stage called security to house all of the SAST jobs, so lets add that in the stages section:

   stages:
     - build
     - test
     - security

3. Now we will create a new sast job that will overwrite some of the functionality from the template we included. The below code sets up the new job and has it run as soon as the pipeline begins:

   # overwrite SAST job stage and start job as soon as pipeline begins
   sast:
     stage: security
     needs: []

4. Before commiting the code we are going to add the artifact keyword in the next step.

Relevant SAST docs

Step 03 - Storing with Artifacts

1. Let's say a requirement comes in that we want to store the results of the build_app job in an artifact. Let's add a change to the build_app job to do just that:

   build_app:
     stage: build
     before_script:
       - export NODE_OPTIONS=--openssl-legacy-provider
     script:
       - yarn install
       - yarn upgrade
       - yarn run build
       - yarn cache clean
     artifacts:
       paths:
         - dist
       expire_in: 1 hour

2. Now we will go ahead and click Commit Changes and use the left hand menu to click through Build -> Pipelines, then click the hyperlink from the most recently kicked off pipeline that starts with #. First we can see the changes that took place by using inheritance on the sast job & we will wait for the pipeline to complete before moving on to the next step. If you got lost at any point you can just merge in the extended-sast branch as well.

   Note that we have also added a new stage which continues to run even though our code_quality job is still failing

3. We are then going to grab the build artifact we specified in the pipeline. There are a few different ways to get them, but we are just going to use the left hand menu to click through Build -> Pipelines where in the most recent pipeline that kicked off you should see a Download artifacts icon. Click that icon then click build_app:archive.

4. Go ahead and inspect the artifact you just downloaded, this will be the results of the build_app artifact we added. You can also download and inspect the sast scan results.

Relevant artifact docs

Step 04 - Advanced Pipelines

1. Now that we have given you the building blocks for building great pipelines lets take a look at some advanced examples. We can see what the current pipelines on GitLab.com look like here

2. To get started we can also reference one of the many CICD templates that are constantly updated. Specifically the Auto DevOps template is a great starting point.