SAST IaC always shows as not enabled in UI

Summary

Projects with SAST IaC scanning enabled have it show as "not enabled" in the UI.

Steps to reproduce

  1. Import https://github.com/futurice/terraform-examples to GitLab using Import Repo by URL

  2. Add .gitlab-ci.yml containing the following:

    include:
      - template: Security/SAST.gitlab-ci.yml
      - template: Security/SAST-IaC.latest.gitlab-ci.yml
      - template: Security/Secret-Detection.gitlab-ci.yml

  3. Commit changes to default branch

  4. Verify that kics-iac-sast job successfully executed on the project

  5. Go to Security & Compliance > Configuration

  6. Verify that SAST and Secret Detection show as "Enabled", but Infrastructure as Code scanning shows "Not enabled".
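The Configuration page is meant to reflect which scanners the project's .gitlab-ci.yml includes, which is exactly what the steps above exercise. The following Ruby script is an added example (not part of this report and not GitLab's own code) that reads a .gitlab-ci.yml and reports each scanner as "Enabled" or "Not enabled" from the Security templates it includes, treating the stable and .latest template variants as equivalent. It assumes only `include: - template:` entries count (local, remote and project includes are not followed), and the sample CI file below is constructed to match step 2.

```ruby
require 'yaml'

# Constructed sample .gitlab-ci.yml mirroring step 2 of the reproduction.
SAMPLE_CI_YML = <<~YAML
  include:
    - template: Security/SAST.gitlab-ci.yml
    - template: Security/SAST-IaC.latest.gitlab-ci.yml
    - template: Security/Secret-Detection.gitlab-ci.yml

  variables:
    SAST_EXCLUDED_PATHS: "spec, test"
YAML

# Scanner name as shown in Security & Compliance > Configuration, mapped to
# the template path that enables it. The "(\.latest)?" group accepts both the
# stable and the .latest variant, since either one runs the scanner job.
# (Assumption for this example: only the three templates from the report.)
SCANNER_TEMPLATES = {
  'SAST'                   => %r{\ASecurity/SAST(\.latest)?\.gitlab-ci\.yml\z},
  'Infrastructure as Code' => %r{\ASecurity/SAST-IaC(\.latest)?\.gitlab-ci\.yml\z},
  'Secret Detection'       => %r{\ASecurity/Secret-Detection(\.latest)?\.gitlab-ci\.yml\z}
}.freeze

# Flatten the shapes `include:` can take (a single hash or an array of hashes)
# into a list of template paths. Entries without a `template` key (local,
# remote, project includes) are ignored; templates pulled in transitively
# by another included file are not followed.
def included_templates(config)
  includes = config['include']
  return [] if includes.nil?

  list = includes.is_a?(Array) ? includes : [includes]
  list.filter_map { |entry| entry['template'] if entry.is_a?(Hash) }
end

# Returns { scanner name => "Enabled" | "Not enabled" } for the given CI YAML text.
def scanner_status(ci_yaml_text)
  config = YAML.safe_load(ci_yaml_text) || {}
  templates = included_templates(config)
  SCANNER_TEMPLATES.to_h do |name, pattern|
    [name, templates.any? { |t| pattern.match?(t) } ? 'Enabled' : 'Not enabled']
  end
end

if __FILE__ == $PROGRAM_NAME
  scanner_status(SAMPLE_CI_YML).each { |name, status| puts "#{name}: #{status}" }
end
```

Run it against a project's real .gitlab-ci.yml (`scanner_status(File.read('.gitlab-ci.yml'))`) to get an independent answer for the project when the UI and the pipeline disagree, as they do in this report.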

Example Project

https://gitlab.com/gitlab-org/security-products/tests/ansible/-/security/vulnerability_report


What is the current bug behavior?

  • Projects with Infrastructure as Code scanning enabled have IaC show as "Not enabled" in Security & Compliance > Configuration
  • Banner on vulnerability report page says "Infrastructure as Code (IaC) Scanning [...] are not enabled for this project" even when it is enabled and working as expected

What is the expected correct behavior?

Projects that use IaC scanning have IaC show up as "Enabled" in the UI.

Relevant logs and/or screenshots

(screenshot: iac-bug)

Output of checks

This bug happens on GitLab.com

Possible fixes

Edited by Greg Myers