IaC SAST job is hard to use because of its base job

Summary

Problem

It's not possible to re-use the SAST IaC scanner if the user does not have a stage named `test`.

Context

The IaC scanner consists of 2 templates and 2 jobs:

  • Security/SAST-IaC.latest.gitlab-ci.yml
    • it does nothing, just includes the other template (why does it exist?)
  • Jobs/SAST-IaC.latest.gitlab-ci.yml
    • iac-sast - the base job
    • kics-iac-sast - a higher level job that extends the base job

`stage: test` is defined on the base job. As it is a real job, the CI validation will always fail.

Steps to reproduce

  1. Start a new project
  2. Set up CI as in https://gitlab.com/nagyv-gitlab/sast-iac-customization

Example Project

https://gitlab.com/nagyv-gitlab/sast-iac-customization

What is the current bug behavior?

CI validation fails because of the base job

What is the expected correct behavior?

CI validation should pass

Possible fixes
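The validation failure described in this issue, reproduced as an added example (not part of the original report and not GitLab's code). It is a simplified model of stage validation; the job names come from the issue, while the stage names `build` and `scan`, the function names, and the hidden-job variant shown for comparison are assumptions.

```python
# Simplified model of GitLab CI stage validation (illustration only, not
# GitLab's implementation). Job names match the issue; the stages "build" and
# "scan" and all function names are constructed for this example.

IMPLICIT_STAGES = {".pre", ".post"}  # always available, even with custom stages
DEFAULT_STAGE = "test"               # stage of a job that declares none

def resolve(name, jobs, seen=()):
    """Merge a job with its `extends` parent (single parent, shallow merge)."""
    if name in seen:
        raise ValueError(f"circular extends: {name}")
    job = jobs[name]
    parent = job.get("extends")
    if parent is None:
        return dict(job)
    merged = resolve(parent, jobs, seen + (name,))
    merged.update({k: v for k, v in job.items() if k != "extends"})
    return merged

def invalid_stage_jobs(stages, jobs):
    """Return the real (non-hidden) jobs whose stage is not declared."""
    allowed = set(stages) | IMPLICIT_STAGES
    bad = []
    for name in jobs:
        if name.startswith("."):  # hidden jobs are templates, not validated as jobs
            continue
        stage = resolve(name, jobs).get("stage", DEFAULT_STAGE)
        if stage not in allowed:
            bad.append(name)
    return bad

# Constructed pipeline: no "test" stage; the user moves only the scanner job.
STAGES = ["build", "scan"]
AS_SHIPPED = {
    "iac-sast": {"stage": "test"},
    "kics-iac-sast": {"extends": "iac-sast", "stage": "scan"},
}
# Same jobs with the base job hidden (leading dot), for comparison.
HIDDEN_BASE = {
    ".iac-sast": {"stage": "test"},
    "kics-iac-sast": {"extends": ".iac-sast", "stage": "scan"},
}

if __name__ == "__main__":
    print(invalid_stage_jobs(STAGES, AS_SHIPPED))   # the base job is rejected
    print(invalid_stage_jobs(STAGES, HIDDEN_BASE))  # nothing is rejected
```

Overriding `stage` on `kics-iac-sast` alone does not help in the first case, because the base job is still validated as a job in its own right.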