Help customers whose SAST scans produce no results
Problem to solve
The SAST team has had several support requests from customers who have run SAST on their project but the analyzer has not produced any results.
Causes for this include:
- SEARCH_MAX_DEPTH being set too low: the analyzer will not detect any files to scan and will not run.
- There are no vulnerabilities. This isn't common, but customers should be able to dismiss this as a possible cause.
- The project could not be scanned because the code is stored in a private Maven repository. Discussed in https://docs.gitlab.com/ee/user/application_security/sast/
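The SEARCH_MAX_DEPTH cause can be reproduced offline. The script below is an added example, not GitLab analyzer code: it builds a constructed project tree whose sources sit several directories deep, runs a depth-limited search with an assumed depth convention (repo root = 0, each subdirectory adds 1), and reports whether an empty result is explained by the depth limit, by a tree with no sources at all, or by neither (in which case the remaining causes from the list above apply).

```python
"""Added example (not GitLab's own analyzer code): reproduce the SEARCH_MAX_DEPTH
failure mode on a constructed project tree, so 'no files within depth' can be told
apart from 'no vulnerabilities' when a SAST job produces an empty report."""
import os
import tempfile

# Constructed sample layout: the only sources live 4 directories below the root.
SAMPLE_FILES = [
    "README.md",
    "services/api/src/main/App.java",
    "services/api/src/main/Util.java",
]
SOURCE_EXTENSIONS = {".java"}  # assumed: what the scanner counts as a source file


def find_sources(root, max_depth, extensions=SOURCE_EXTENSIONS):
    """Return relative paths of source files at directory depth <= max_depth.
    Depth convention is an assumption: root = 0, each subdirectory adds 1."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # prune: do not descend past the depth limit
        for name in filenames:
            if os.path.splitext(name)[1] in extensions:
                found.append(name if rel == "." else os.path.join(rel, name))
    return sorted(found)


def diagnose(root, max_depth, extensions=SOURCE_EXTENSIONS):
    """Classify an empty scan: 'depth_too_low' if sources exist only deeper than
    max_depth, 'no_sources' if the tree holds none, else 'sources_found' (the empty
    report then has another cause: no findings, or code the job cannot fetch)."""
    within = find_sources(root, max_depth, extensions)
    if within:
        return "sources_found", within
    anywhere = find_sources(root, 10**6, extensions)  # effectively unlimited depth
    return ("depth_too_low", anywhere) if anywhere else ("no_sources", [])


def build_sample_repo():
    """Create the constructed tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="sast-depth-")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("// constructed placeholder\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for depth in (2, 4):
        print("SEARCH_MAX_DEPTH=%d ->" % depth, diagnose(repo, depth))
```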
Proposed solution
Verify the analyzer is scanning the customer project
Allow the customer to check whether the analyzer successfully scans their code by enabling a rule that always fails. With this rule enabled, the customer will see a vulnerability in their vulnerability report even when no other vulnerabilities are detected. This rule could be enabled when SECURE_LOG_LEVEL is set to debug.
Edited by Craig Smith