Request to enable "Static Application Security Testing (SAST)" causes 500 API error

Summary

500-1

"Configure via Merge Request" button causes 500 error on /api/graphql request.

The request payload (group/project is masked):

[{"operationName":"configureSast","variables":{"input":{"projectPath":"group/project","configuration":{"global":[],"pipeline":[],"analyzers":[]}}},"query":"mutation configureSast($input: ConfigureSastInput!) {\n  configureSast(input: $input) {\n    successPath\n    errors\n    __typename\n  }\n}\n"}]

Steps to reproduce

Open the page "Security & Compliance" -> "Configuration"
Push the "Configure via Merge Request" button.

Also: See below for an example with Secret Detection & example project

What is the current bug behavior?

500 error. No new Merge Request.

What is the expected correct behavior?

New Merge Request with CI configuration.

Workarounds

  • Configure SAST manually with the syntax:

    include:
  - template: Security/SAST.gitlab-ci.yml

  • Temporarily remove all <<: *… configurations from the .gitlab-ci.yml file, see context below

Relevant logs and/or screenshots

==> ./production.log <==

Psych::BadAlias (Unknown alias: deploy_job_definition):
  app/services/security/ci_configuration/sast_create_service.rb:48:in `existing_gitlab_ci_content'
  app/services/security/ci_configuration/sast_create_service.rb:33:in `attributes'
  app/services/security/ci_configuration/sast_create_service.rb:14:in `execute'
  app/graphql/mutations/security/ci_configuration/configure_sast.rb:30:in `resolve'
  lib/gitlab/graphql/present/field_extension.rb:17:in `resolve'
  lib/gitlab/graphql/generic_tracing.rb:40:in `with_labkit_tracing'
  lib/gitlab/graphql/generic_tracing.rb:30:in `platform_trace'
  lib/gitlab/graphql/generic_tracing.rb:40:in `with_labkit_tracing'
  lib/gitlab/graphql/generic_tracing.rb:30:in `platform_trace'
  lib/gitlab/graphql/generic_tracing.rb:40:in `with_labkit_tracing'
  lib/gitlab/graphql/generic_tracing.rb:30:in `platform_trace'
  app/graphql/gitlab_schema.rb:41:in `multiplex'
  app/controllers/graphql_controller.rb:85:in `execute_multiplex'
  app/controllers/graphql_controller.rb:36:in `execute'
  app/controllers/application_controller.rb:486:in `set_current_admin'
  lib/gitlab/session.rb:11:in `with_session'
  app/controllers/application_controller.rb:477:in `set_session_storage'
  lib/gitlab/i18n.rb:73:in `with_locale'
  lib/gitlab/i18n.rb:79:in `with_user_locale'
  app/controllers/application_controller.rb:471:in `set_locale'
  app/controllers/application_controller.rb:464:in `block in set_current_context'
  lib/gitlab/application_context.rb:63:in `block in use'
  lib/gitlab/application_context.rb:63:in `use'
  lib/gitlab/application_context.rb:24:in `with_context'
  app/controllers/application_controller.rb:455:in `set_current_context'
  lib/gitlab/request_profiler/middleware.rb:17:in `call'
  lib/gitlab/jira/middleware.rb:19:in `call'
  lib/gitlab/middleware/go.rb:20:in `call'
  lib/gitlab/etag_caching/middleware.rb:21:in `call'
  lib/gitlab/middleware/multipart.rb:172:in `call'
  lib/gitlab/middleware/read_only/controller.rb:50:in `call'
  lib/gitlab/middleware/read_only.rb:18:in `call'
  lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
  lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
  lib/gitlab/middleware/basic_health_check.rb:25:in `call'
  lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
  lib/gitlab/middleware/request_context.rb:21:in `call'
  config/initializers/fix_local_cache_middleware.rb:11:in `call'
  lib/gitlab/metrics/requests_rack_middleware.rb:76:in `call'
  lib/gitlab/middleware/release_env.rb:12:in `call'

Completed 500 Internal Server Error in 36ms (Views: 0.1ms | ActiveRecord: 1.6ms | Elasticsearch: 0.0ms | Allocations: 12449)

Results of GitLab environment info

Free Omnibus installation, but also in GitLab.com example project

Expand for output related to GitLab environment info 

System information
System:		
Current User:	git
Using RVM:	no
Ruby Version:	2.7.2p137
Gem Version:	3.1.4
Bundler Version:2.1.4
Rake Version:	13.0.3
Redis Version:	6.0.10
Git Version:	2.29.0
Sidekiq Version:5.2.9
Go Version:	unknown

GitLab information
Version:	13.10.0
Revision:	5eafdaf7b07
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	12.5
URL:		https://gitlab.gbksoft.net
HTTP Clone URL:	https://gitlab.gbksoft.net/some-group/some-project.git
SSH Clone URL:	git@gitlab.gbksoft.net:some-group/some-project.git
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: 

GitLab Shell
Version:	13.17.0
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell
Git:		/opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...


Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 13.17.0 ? ... OK (13.17.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
ALL ... yes
Redis version >= 4.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.2)
Git version >= 2.29.0 ? ... yes (2.29.0)
Git user has default SSH configuration? ... yes
Active users: ... 106
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished
Edited by Katrin Leinweber