WIP: Document workaround for downloading Security Scanner Artifact
It appears we have some odd behavior in our Jobs API related to downloading a security scanner job artifact.
Reports are listed when using the GET job endpoint https://docs.gitlab.com/ee/api/jobs.html#get-a-single-job but cannot be downloaded using the "download artifact" endpoint https://docs.gitlab.com/ee/api/jobs.html#download-the-artifacts-archive
In fact, they're not even listed when using the GET job artifacts endpoint https://docs.gitlab.com/ee/api/jobs.html#get-job-artifacts
There is a workaround for this: you'll need to declare reports as normal artifacts in order for them to be downloaded.
    sast:
      artifacts:
        reports:
          sast: gl-sast-report.json
        paths:
          - gl-sast-report.json
You need artifacts.reports.sast so that the report is processed by the backend, and vulnerabilities show up in the UI.
You need artifacts.paths so that the artifact can be downloaded; that's not the case by default.
We also have the following issue open to allow reports to be exposed via the UI as downloadable artifacts. It is currently slated for %13.0, which is currently scheduled to ship on May 22nd.
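To find jobs that still need the workaround, the following added example (not GitLab's own code) checks an already-parsed CI configuration for report files that are declared under artifacts.reports but not covered by artifacts.paths. The function name, the sample configuration and the use of fnmatch to approximate path globs are assumptions made for this illustration.

```python
from fnmatch import fnmatch

# Constructed sample: a parsed .gitlab-ci.yml (for example the output of a YAML loader).
SAMPLE_CI = {
    "stages": ["test"],
    "sast": {  # report declared, but not listed under paths: not downloadable
        "artifacts": {"reports": {"sast": "gl-sast-report.json"}},
    },
    "dependency_scanning": {  # workaround applied
        "artifacts": {
            "reports": {"dependency_scanning": "gl-dependency-scanning-report.json"},
            "paths": ["gl-dependency-scanning-report.json"],
        },
    },
    "unit": {  # a glob in paths covers the report file
        "artifacts": {"reports": {"junit": ["out/junit.xml"]}, "paths": ["out/*.xml"]},
    },
}


def _covered(report_file, paths):
    """True if a paths entry names the file, globs it, or is a parent directory."""
    for p in paths:
        if report_file == p or fnmatch(report_file, p):
            return True
        if report_file.startswith(p.rstrip("/") + "/"):
            return True
    return False


def undownloadable_reports(ci_config):
    """Return {job: [report files]} for reports not also covered by artifacts:paths."""
    missing = {}
    for job, body in ci_config.items():
        if not isinstance(body, dict) or not isinstance(body.get("artifacts"), dict):
            continue  # global keys such as `stages`, or jobs without artifacts
        artifacts = body["artifacts"]
        paths = artifacts.get("paths") or []
        files = []
        for value in (artifacts.get("reports") or {}).values():
            files.extend([value] if isinstance(value, str) else value)
        uncovered = [f for f in files if not _covered(f, paths)]
        if uncovered:
            missing[job] = uncovered
    return missing


if __name__ == "__main__":
    for job, files in undownloadable_reports(SAMPLE_CI).items():
        print(f"{job}: add to artifacts:paths -> {', '.join(files)}")
```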