Security scans improperly require a "successful" job in order to display the results
Summary
Security scans will not display a report unless a Pipeline job completes successfully.
Background
Microsoft made changes to their NuGet platform to automatically scan for package vulnerabilities when restoring packages. You can also manually control this scan with some command line flags.
We wrote a tool to take the output of Microsoft's scan and turn it into a GitLab Vulnerability report. Since the vulnerabilities are discovered very early in the build pipeline, we can halt the build early so that developers' time isn't wasted and provide our security team with the resources they need to maintain strict regulatory compliance.
However, there is a flaw in GitLab's UI that prevents reports from being displayed unless the job associated with the report was successful.
When I spoke with a tech support agent, he said it was because the system can't trust a report from a build that didn't complete.
But the report schema itself has a status field indicating whether the report was generated successfully or not. So if an external tool successfully generated a report and dropped it in the artifacts, it should be displayed by the UI, regardless of the status of the job that created it.
We tried to work around GitLab's logic by passing the vulnerability count to the next job in the pipeline, and then failing THAT job if the number was != 0, but we couldn't get that to work, despite multiple attempts with Claude AI, GitLab Duo, and GitHub Copilot.
Steps to reproduce
- Write a tool that generates a custom report using the GitLab Vulnerability Report Schema
- Have the tool return a non-zero exit code to simulate finding a vulnerability.
- Validate the output against the schema to make sure it's right.
- Put the following in a pipeline:

  ```yaml
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
  ```
- Run the build process
- When the build fails, go to the Security tab. It will be empty.
- From what I understand, if you're not on the default branch, the report will also be empty.
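The following is an added example, not the reporter's tool and not GitLab code. It covers the repro steps above and the workaround from the Background section in one script: it turns constructed findings (stand-ins for parsed NuGet audit output, not real advisories) into a dependency-scanning report in the layout the GitLab security report schema expects, as understood here, sets the `scan.status` field the reporter refers to, runs a pre-flight check for the keys assumed to be required (an assumption; it does not replace validating against the published JSON schema), writes a dotenv line with the vulnerability count for a downstream gate job, and decides the exit code. The schema version string, tool names and identifier type are illustrative placeholders.

```python
"""Build a GitLab dependency-scanning report and choose the job exit code.

Added example for this issue (not the reporter's tool). Field layout and the
"required" key lists are assumptions about the GitLab security report schema;
validate the written file against the real schema before trusting it."""
import json
import uuid
from datetime import datetime, timezone

SCHEMA_VERSION = "15.0.0"  # assumption: schema version the GitLab instance accepts
SEVERITIES = {"Info", "Unknown", "Low", "Medium", "High", "Critical"}
REQUIRED_TOP = ("version", "scan", "vulnerabilities", "dependency_files")  # assumed
REQUIRED_VULN = ("id", "identifiers", "location")                           # assumed

# Constructed sample findings standing in for parsed NuGet audit output (not real data).
FINDINGS = [
    {"package": "Example.Package", "version": "1.2.3", "file": "src/App/App.csproj",
     "advisory": "EX-0001", "severity": "High",
     "summary": "Constructed sample advisory, not a real vulnerability"},
]


def _stamp():
    # Schema timestamps are second-resolution ISO 8601 without a UTC offset.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def _tool():
    # Placeholder analyzer/scanner identity; names are hypothetical.
    return {"id": "nuget-audit-bridge", "name": "NuGet audit bridge",
            "version": "0.1.0", "vendor": {"name": "Example Org"}}


def finding_to_vulnerability(f):
    """Map one parsed finding onto a schema vulnerability entry."""
    if f["severity"] not in SEVERITIES:
        raise ValueError(f"unsupported severity {f['severity']!r}")
    # Deterministic id so re-runs produce the same vulnerability identity.
    vid = uuid.uuid5(uuid.NAMESPACE_URL, f"{f['package']}@{f['version']}:{f['advisory']}")
    return {
        "id": str(vid),
        "name": f"{f['package']} {f['version']}: {f['advisory']}",
        "description": f["summary"],
        "severity": f["severity"],
        "identifiers": [{"type": "example_advisory", "name": f["advisory"], "value": f["advisory"]}],
        "location": {"file": f["file"],
                     "dependency": {"package": {"name": f["package"]}, "version": f["version"]}},
    }


def build_report(findings, scan_status="success"):
    """Assemble the full report; scan_status is the field the UI could consult."""
    start = _stamp()
    vulns = [finding_to_vulnerability(f) for f in findings]
    files = {}
    for f in findings:
        files.setdefault(f["file"], []).append(
            {"package": {"name": f["package"]}, "version": f["version"]})
    return {
        "version": SCHEMA_VERSION,
        "scan": {"analyzer": _tool(), "scanner": _tool(), "type": "dependency_scanning",
                 "start_time": start, "end_time": _stamp(), "status": scan_status},
        "vulnerabilities": vulns,
        "dependency_files": [{"path": p, "package_manager": "nuget", "dependencies": d}
                             for p, d in files.items()],
    }


def missing_keys(report):
    """Cheap pre-flight check: which assumed-required keys are absent."""
    missing = [k for k in REQUIRED_TOP if k not in report]
    for i, v in enumerate(report.get("vulnerabilities", [])):
        missing += [f"vulnerabilities[{i}].{k}" for k in REQUIRED_VULN if k not in v]
    return missing


def exit_code_for(report):
    """2 if the scan itself failed, 1 if it found anything, else 0."""
    if report["scan"]["status"] != "success":
        return 2
    return 1 if report["vulnerabilities"] else 0


def dotenv_line(report):
    """Value a downstream gate job can read via a dotenv report artifact."""
    return f"VULN_COUNT={len(report['vulnerabilities'])}"


def write_outputs(report, report_path="gl-dependency-scanning-report.json", dotenv_path="scan.env"):
    with open(report_path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2)
    with open(dotenv_path, "w", encoding="utf-8") as fh:
        fh.write(dotenv_line(report) + "\n")


if __name__ == "__main__":
    import sys
    rep = build_report(FINDINGS)
    write_outputs(rep)
    # Exit with the finding-based code to reproduce the bug (job fails, report hidden),
    # or exit 0 here and let a later job fail on VULN_COUNT to try the workaround.
    sys.exit(exit_code_for(rep))
```

To wire the workaround, the scan job exits 0 and declares both `artifacts:reports:dependency_scanning: gl-dependency-scanning-report.json` and `artifacts:reports:dotenv: scan.env`; a gate job with `needs: [scan]` then runs `test "$VULN_COUNT" -eq 0`, so the report is attached to a successful job while the pipeline still fails on findings. Whether the Security tab then shows the report is exactly the behaviour this issue questions, so treat that as something to verify on the instance, not a guarantee.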
Example Project
Duncan H. on your Support team has access to the project and more information.
What is the current bug behavior?
If a pipeline fails, the Security Tab does not display any of the vulnerabilities in the report, but DOES let you download the report.
Further, the pipeline says it displays the results of the last successful run.
What is the expected correct behavior?
I would expect to see the UI regardless of the job status. In fact, NOT seeing the report is an indicator that the report was created incorrectly, which led to several wasted hours trying to troubleshoot with zero indication of what the problem was.
Further, a specific pipeline run should ONLY display the results from THAT run from that branch.
Output of checks
This bug happens on GitLab.com