Improve SAST scanner compliance check to consider all pipelines of the latest commit

Summary

Currently, the compliance standards adherence dashboard checks for SAST scanner compliance by looking only at the artifacts of the latest successful pipeline on the default branch. This approach misses SAST artifacts that were generated by an earlier pipeline for the same commit rather than by the latest one. We propose to enhance this check to consider all pipelines associated with the latest commit on the default branch.

Proposal

Update the SAST scanner compliance check to:

  1. Identify the latest commit on the default branch
  2. Retrieve all pipelines associated with this commit
  3. Check for SAST artifacts across all these pipelines
  4. Mark the project as compliant if SAST artifacts are found in any of these pipelines

Use case

An example case was described by a customer:

I have an MR for a feature; it runs the SAST and passes, and the MR is approved. I merge the feature into main and again it runs SAST and passes.

Then I initiated a deployment from main using the Gitlab Pipeline > New Pipeline UI. Here we have created a few options to pick from, such as the region we want to deploy to.

The SAST rules have been disabled since it's a waste of time/compute to run when we already passed the SAST in the MR and the subsequent merge from the feature branch to main, AND this commit has VALID SAST artifacts. Due to how Gitlab determines what is compliant, the pipeline runs from the New Pipeline UI and is marked as non-compliant, since the latest pipeline has now just run without SAST.

Note

This same improvement could be made for the DAST scanner adherence report.

Edited by 🤖 GitLab Bot 🤖