SAST jobs time out or report non-existent errors when using the cache globally

When GitLab's cache is configured globally, it is also used by the Static Application Security Testing (SAST) jobs. We use the cache to speed up downloading 3rd-party modules, but because the cache directory must be inside the project directory, the SAST scanners also scan it. In our case we get timeouts (after 1 hour) in nodejs-scan-sast and errors from semgrep-sast, because it finds errors in 3rd-party modules.

As the cache is never needed for SAST, I suggest disabling it within Jobs/SAST.gitlab-ci.yml. This would also improve performance, as the cache no longer needs to be restored before the run and saved after it!

Workaround

Add the following configuration to .gitlab-ci.yml; it overrides the default configuration with a disabled cache:

.sast-analyzer:
  extends: sast
  allow_failure: true
  cache: []
  script:
    - /analyzer run
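To show the workaround in context, here is a complete .gitlab-ci.yml as an added example (not from the issue or from GitLab's template). It assumes a Node.js project that caches node_modules/ globally and uses the node:20 image for its build job; the global cache block is what the analyzers would inherit, and the .sast-analyzer override is the workaround described above.

```yaml
# Added example: a Node.js project with a global cache plus the SAST workaround.
# Assumptions: node_modules/ is the cached directory, the build uses node:20.

include:
  - template: Jobs/SAST.gitlab-ci.yml

stages:
  - build
  - test

# Global cache: inherited by every job, including the SAST analyzers.
# The cache directory must live inside the project directory, so without
# the override below the analyzers would scan node_modules/ as if it were
# first-party code (slow scans, findings in 3rd-party modules).
cache:
  key:
    files:
      - package-lock.json
  paths:
    - node_modules/

build:
  stage: build
  image: node:20   # assumed image
  script:
    - npm ci
  artifacts:
    paths:
      - dist/

# Workaround from the issue: redefine the hidden base job that every SAST
# analyzer (semgrep-sast, nodejs-scan-sast, ...) extends, with the cache
# disabled. `cache: []` means "no cache" and takes precedence over the
# global cache block for jobs that extend this one.
.sast-analyzer:
  extends: sast
  allow_failure: true
  cache: []
  script:
    - /analyzer run
```

With this configuration the build job still restores and saves node_modules/ as before, while the SAST analyzer jobs start from a clean checkout and scan only the code in the repository.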

Implementation plan

Before %18.0

Please see: https://docs.gitlab.com/ee/development/cicd/templates.html#latest-version

During %18.0

Make sure the changes made to the .latest templates propagate to:

  • SAST.gitlab-ci.yml
  • SAST-IaC.gitlab-ci.yml

Apply additional manual changes:

Upgrade path for users scanning cache directories

If you currently rely on SAST scanning your cache directories, you can override the new default cache: [] setting by overriding the SAST jobs in your .gitlab-ci.yml:

sast: # or the specific analyzer job you want to enable caching for
  cache:
    paths:
      - your/cache/path

However, we recommend scanning code in your source location rather than in cache directories, as this gives more reliable and predictable results.

Edited by Thiago Figueiró