Set cache: [] in SAST latest CI templates
What does this MR do and why?
When using global cache in GitLab CI, SAST scanners may scan cached dependencies which can lead to timeouts or false positives. This change explicitly disables cache in the latest templates to prevent these issues and improve performance by avoiding unnecessary cache operations.
This change only affects the latest templates and will be introduced to stable templates in %18.0 as it is a breaking change. The rationale behind this change is outlined here.
References
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Manual QA
Test by including the main templates and manually setting cache: [].
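The setup this QA step describes, as an added example that is not part of the MR or of GitLab's templates: a project with a global cache includes the stable SAST template and overrides the analyzer jobs with `cache: []`. The cache key, cache paths, and the choice of jobs to override are assumptions made for illustration.

```yaml
# Constructed .gitlab-ci.yml for illustration; not taken from the MR.

default:
  cache:
    # Global cache: every job inherits it unless the job overrides `cache`.
    key: "$CI_COMMIT_REF_SLUG"        # assumed key
    paths:
      - .m2/repository/               # assumed dependency directories
      - .gradle/caches/

include:
  # Stable template, which does not yet carry the change from this MR.
  - template: Jobs/SAST.gitlab-ci.yml

# Without the overrides below, the SAST jobs restore the global cache into the
# project directory before /analyzer run, so the cached dependency trees are
# part of the scan target. That is the source of the timeouts and false
# positives the MR describes.

semgrep-sast:
  cache: []     # job neither restores nor saves any cache

gitlab-advanced-sast:
  cache: []
```

With the overrides in place, the job log has no cache restore or save step between getting the source and running the job script, which matches the logs recorded for this QA.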
SAST
Running with gitlab-runner 17.4.0~pre.110.g27400594 (27400594)
on blue-6.saas-linux-small-amd64.runners-manager.gitlab.com/default nN8vMRS9Z, system ID: s_a899fcd611a3
Resolving secrets
Preparing the "docker+machine" executor 00:09
Using Docker executor with image registry.gitlab.com/security-products/semgrep:5 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/security-products/semgrep:5 ...
Using docker image sha256:238b20b53a20007af716a07e13563fee8c7cffd11a2b3da859f888e3ea3c6999 for registry.gitlab.com/security-products/semgrep:5 with digest registry.gitlab.com/security-products/semgrep@sha256:83e716069f30e9471e676b1d6ad89904b359f572f366381cb1e95d1d6daa82eb ...
Preparing environment 00:03
Running on runner-nn8vmrs9z-project-65174266-concurrent-0 via runner-nn8vmrs9z-s-l-s-amd64-1733506613-edeeeb4b...
Getting source from Git repository 00:01
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/.git/
Created fresh repository.
Checking out 3901ed61 as detached HEAD (ref is main)...
Skipping Git submodules setup
$ git remote set-url origin "${CI_REPOSITORY_URL}"
Executing "step_script" stage of the job script 00:12
Using docker image sha256:238b20b53a20007af716a07e13563fee8c7cffd11a2b3da859f888e3ea3c6999 for registry.gitlab.com/security-products/semgrep:5 with digest registry.gitlab.com/security-products/semgrep@sha256:83e716069f30e9471e676b1d6ad89904b359f572f366381cb1e95d1d6daa82eb ...
$ /analyzer run
[INFO] [Semgrep] [2024-12-06T17:38:11Z] ▶ GitLab Semgrep analyzer v5.24.0
[INFO] [Semgrep] [2024-12-06T17:38:11Z] ▶ Detecting project
[INFO] [Semgrep] [2024-12-06T17:38:11Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [Semgrep] [2024-12-06T17:38:11Z] ▶ Loading ruleset for /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates
[WARN] [Semgrep] [2024-12-06T17:38:11Z] ▶ /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/.gitlab/sast-ruleset.toml not found, ruleset customization will be disabled.
[INFO] [Semgrep] [2024-12-06T17:38:11Z] ▶ Running analyzer
[INFO] [Semgrep] [2024-12-06T17:38:11Z] ▶ 19 active rule files detected with 587 active rules
[INFO] [Semgrep] [2024-12-06T17:38:11Z] ▶ Combined rule checksum: '50cd48f2f6b045e313e5070f3e04df87c8aa93267e2f8a24321f7ba202745e1d'
[INFO] [Semgrep] [2024-12-06T17:38:11Z] ▶ Using the GitLab SAST default ruleset
[INFO] [Semgrep] [2024-12-06T17:38:12Z] ▶ METRICS: Using configs from the Registry (like --config=p/ci) reports pseudonymous rule metrics to semgrep.dev.
[INFO] [Semgrep] [2024-12-06T17:38:12Z] ▶ To disable Registry rule metrics, use "--metrics=off".
[INFO] [Semgrep] [2024-12-06T17:38:12Z] ▶ Using configs only from local files (like --config=xyz.yml) does not enable metrics.
[INFO] [Semgrep] [2024-12-06T17:38:12Z] ▶
[INFO] [Semgrep] [2024-12-06T17:38:12Z] ▶ More information: https://semgrep.dev/docs/metrics
[INFO] [Semgrep] [2024-12-06T17:38:12Z] ▶
[INFO] [Semgrep] [2024-12-06T17:38:20Z] ▶
[INFO] [Semgrep] [2024-12-06T17:38:20Z] ▶
[INFO] [Semgrep] [2024-12-06T17:38:20Z] ▶ ┌─────────────┐
[INFO] [Semgrep] [2024-12-06T17:38:20Z] ▶ │ Scan Status │
[INFO] [Semgrep] [2024-12-06T17:38:20Z] ▶ └─────────────┘
[INFO] [Semgrep] [2024-12-06T17:38:20Z] ▶ Scanning 104 files with 587 Code rules:
[INFO] [Semgrep] [2024-12-06T17:38:20Z] ▶ Scanning 40 files with 79 python rules.
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶ ┌──────────────┐
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶ │ Scan Summary │
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶ └──────────────┘
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶ Some files were skipped or only partially analyzed.
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶ Scan skipped: 3 files matching .semgrepignore patterns
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶ For a full list of skipped files, run semgrep with the --verbose flag.
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶ Ran 79 rules on 40 files: 117 findings.
[INFO] [Semgrep] [2024-12-06T17:38:22Z] ▶ Creating report
[INFO] [2024-12-06T17:38:23Z] ▶ /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/gl-report-post.json written
Uploading artifacts for successful job 00:02
Uploading artifacts...
gl-sast-report.json: found 1 matching artifact files and directories
WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/8571163423/artifacts?artifact_format=raw&artifact_type=sast new-url=https://gitlab.com
WARNING: Retrying... context=artifacts-uploader error=request redirected
Uploading artifacts as "sast" to coordinator... 201 Created id=8571163423 responseStatus=201 Created token=glcbt-66
Cleaning up project directory and file based variables 00:01
Job succeeded
- Job: https://gitlab.com/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/-/jobs/8571163423
- Commit: philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates@3901ed61
GitLab Advanced SAST
Running with gitlab-runner 17.4.0~pre.110.g27400594 (27400594)
on blue-2.saas-linux-small-amd64.runners-manager.gitlab.com/default XxUrkriX, system ID: s_f46a988edce4
Resolving secrets
Preparing the "docker+machine" executor 00:08
Using Docker executor with image registry.gitlab.com/security-products/gitlab-advanced-sast:1 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/security-products/gitlab-advanced-sast:1 ...
Using docker image sha256:e65ab495eef9b133842f3eeac11e3bd6fe70056398584498f7a97b54f5d9c9f1 for registry.gitlab.com/security-products/gitlab-advanced-sast:1 with digest registry.gitlab.com/security-products/gitlab-advanced-sast@sha256:a0f7f094e1733e817e7e940e95f9b8b8d1296a92b012d973d5bc4faca541f2c3 ...
Preparing environment 00:03
Running on runner-xxurkrix-project-65174266-concurrent-0 via runner-xxurkrix-s-l-s-amd64-1733506881-7dae55c1...
Getting source from Git repository 00:01
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/.git/
Created fresh repository.
Checking out dd3d4163 as detached HEAD (ref is main)...
Skipping Git submodules setup
$ git remote set-url origin "${CI_REPOSITORY_URL}"
Executing "step_script" stage of the job script 01:14
Using docker image sha256:e65ab495eef9b133842f3eeac11e3bd6fe70056398584498f7a97b54f5d9c9f1 for registry.gitlab.com/security-products/gitlab-advanced-sast:1 with digest registry.gitlab.com/security-products/gitlab-advanced-sast@sha256:a0f7f094e1733e817e7e940e95f9b8b8d1296a92b012d973d5bc4faca541f2c3 ...
Successfully mounted /mnt/tmpfs for TMPDIR
$ /analyzer run
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ GitLab GitLab Advanced SAST analyzer v1.0.26
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ Detecting project
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ Loading ruleset for /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates
[WARN] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/.gitlab/sast-ruleset.toml not found, ruleset customization will be disabled.
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ Running analyzer
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ isFeatureFlagEnabled: true
[WARN] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/.gitlab/sast-ruleset.toml not found, ruleset customization will be disabled.
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:28Z] ▶ time="2024-12-06T17:42:28Z" level=info msg="isFeatureFlagEnabled: true"
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"info","config":"/lightz-aio_default_config.yaml","time":"2024-12-06T17:42:29Z","caller":"config/config.go:220","message":"Using config file"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"info","config":{"TargetDir":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates","OutputFile":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/gitlab-advanced-sast.sarif","Test":false,"CustomRuleSetDir":"","CustomLightzPath":"","KeepTempDir":false,"KeepBuiltinRules":false,"EnableLightzOptimization":true,"EnableCrossFile":true,"EnableGoMerge":true,"LogDirTree":true,"MaxSnippetLength":8192,"MaxSecretLines":30,"MaxMemory":1000,"MaxTargetBytes":1000000,"EnableMemoryLogging":false,"FindSecrets":false,"RedactSecrets":false,"ScaOutputPath":"","ScanOnlyFilesListPath":"","LogDebug":false,"GetSinkSourceMapping":false,"ScmRepoURI":"","ScmBranch":"","ScmRevisionId":"","ExcludePatterns":["spec","test","tests","tmp","**/node_modules","**/build","**/dist","**/assets","**/migrations","**/public","**/static/lib","**/static/js/libs","**/vendor","**/.env","**/.venv","**/.tox","**/.git","**/.github","**/.svn","**/.npm","**/.yarn","**/test","**/tests","**/*_test.go","**/*.min.js","**/*-min.js","**/.*ignore","**/*.Tests","**/*.UnitTests","**/*.ppt*","**/*.doc*","**/*.xls*","**/*.pdf","**/*.zip","**/*.tar","**/*.gz","**/*.tgz","**/*.rar","**/*.7z","**/*.bz2","**/*.xz","**/testdata","**/test_data"]},"time":"2024-12-06T17:42:29Z","caller":"config/config.go:72"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"info","metadata":{"lightz":"1.85.56","rules":"v1.2.171","lightz-aio":"v1.1.91"},"time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:93"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"warn","target":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates","time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:276","message":"started walking"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"warn","time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:280","message":"found 0 go modules, reverting back to IdentityMerger"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"warn","directory":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/.git","time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:318","message":"excluded directory"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"warn","file":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/.gitignore","time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:322","message":"excluded file"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"warn","file":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/.idea/.gitignore","time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:322","message":"excluded file"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"warn","file":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/django/security/injection/sql/sql-injection-raw/.gitignore","time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:322","message":"excluded file"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"warn","directory":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/django/security/injection/sql/sql-injection-raw/myapp/migrations","time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:318","message":"excluded directory"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"warn","directory":"/builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/django/security/injection/sql/sql-injection-rawsql/myapp/migrations","time":"2024-12-06T17:42:29Z","caller":"ruleset/parser.go:318","message":"excluded directory"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"info","time":"2024-12-06T17:42:29Z","caller":"log/utils.go:21","message":"parse finished in 3.902675ms"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"info","time":"2024-12-06T17:42:29Z","caller":"cmd/cmd.go:129","message":"going to run lightz"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:42:29Z] ▶ {"level":"info","command":"/mnt/tmpfs/oxeye-1385322575/lightz -json_time -json_nodots -j 1 -targets /mnt/tmpfs/oxeye-1385322575/targets.json -timeout 30 -timeout_threshold 3 -max_memory 1000 -fast -timeout_for_interfile_analysis 0 -deep_inter_file -rules /mnt/tmpfs/oxeye-1385322575/plain_rules.json -encrypted_rules /mnt/tmpfs/oxeye-1385322575/rules.enc.json -lightz_optimization","time":"2024-12-06T17:42:29Z","caller":"lightz/lightz.go:151","message":"Executing Lightz"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"log/utils.go:21","message":"lightz finished in 1m12.614366813s"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"cmd/cmd.go:158","message":"lightz finished"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"cmd/cmd.go:190","message":"converting to Sarif"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","stats":{"okfiles":0,"errorfiles":0},"time":"2024-12-06T17:43:42Z","caller":"format/sarif.go:78","message":"lightz stats"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","properties":{"languages":{"":{"":{"type":"unknown","extensions":["",".lock"]}},"dockerfile":{"Dockerfile":{"type":"programming","extensions":[""]}},"html":{"HTML":{"type":"markup","extensions":[".html"]}},"json":{"JSON":{"type":"data","extensions":[".json"]}},"markdown":{"Markdown":{"type":"prose","extensions":[".md"]}},"python":{"Python":{"type":"programming","extensions":[".py"]}},"sql":{"SQL":{"type":"data","extensions":[".sql"]}},"text":{"Mako":{"type":"programming","extensions":[".mako"]},"Text":{"type":"prose","extensions":[".txt"]}},"yaml":{"YAML":{"type":"data","extensions":[".yml"]}}},"lightz":"1.85.56","lightz-aio":"v1.1.91","rules":"v1.2.171"},"time":"2024-12-06T17:43:42Z","caller":"format/sarif.go:234","message":"constructing SARIF with these properties"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","scm-repo-uri":"","scm-branch":"","scm-revision-id":"","time":"2024-12-06T17:43:42Z","caller":"format/sarif.go:251","message":"going to add scm version details"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"warn","time":"2024-12-06T17:43:42Z","caller":"format/sarif.go:257","message":"skipped adding scm version details"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"cmd/cmd.go:222","message":"running secrets handler on /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"cmd/cmd.go:229","message":"found 0 secrets"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"cmd/cmd.go:268","message":"converting report to bytes"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"cmd/cmd.go:43","message":"writing report to /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/gitlab-advanced-sast.sarif"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"cmd/cmd.go:315","message":"finished successfully"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ {"level":"info","time":"2024-12-06T17:43:42Z","caller":"log/utils.go:21","message":"main finished in 1m13.237184263s"}
[INFO] [GitLab Advanced SAST] [2024-12-06T17:43:42Z] ▶ Creating report
[INFO] [2024-12-06T17:43:42Z] ▶ /builds/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/gl-sast-report-post.json written
Uploading artifacts for successful job 00:03
Uploading artifacts...
gl-sast-report.json: found 1 matching artifact files and directories
WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/8571191049/artifacts?artifact_format=raw&artifact_type=sast new-url=https://gitlab.com
WARNING: Retrying... context=artifacts-uploader error=request redirected
Uploading artifacts as "sast" to coordinator... 201 Created id=8571191049 responseStatus=201 Created token=glcbt-66
Cleaning up project directory and file based variables 00:00
Job succeeded
- Job: https://gitlab.com/philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates/-/jobs/8571191049
- Commit: philipcunningham/manual-qa-set-cache-empty-n-sast-latest-ci-templates@dd3d4163
SAST IaC
Running with gitlab-runner 17.4.0~pre.110.g27400594 (27400594)
on blue-3.saas-linux-small-amd64.runners-manager.gitlab.com/default zxwgkjAP, system ID: s_d5d3abbdfd0a
Resolving secrets
Preparing the "docker+machine" executor 00:06
Using Docker executor with image registry.gitlab.com/security-products/kics:5 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/security-products/kics:5 ...
Using docker image sha256:abc1abaac35929f06f8997490aa0cbc4f1cda55ac82a521e65a7040bcb2b5aa8 for registry.gitlab.com/security-products/kics:5 with digest registry.gitlab.com/security-products/kics@sha256:92fbedd5026d89f24e445825d4f3e19ddc354d717fd91790cf9b6ba8f2591c82 ...
Preparing environment 00:01
Running on runner-zxwgkjap-project-65174456-concurrent-0 via runner-zxwgkjap-s-l-s-amd64-1733507224-f812c995...
Getting source from Git repository 00:01
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/philipcunningham/manual-qa-set-cache-empty-ia-c-latest-ci-templates/.git/
Created fresh repository.
Checking out b57665d2 as detached HEAD (ref is main)...
Skipping Git submodules setup
$ git remote set-url origin "${CI_REPOSITORY_URL}"
Executing "step_script" stage of the job script 00:29
Using docker image sha256:abc1abaac35929f06f8997490aa0cbc4f1cda55ac82a521e65a7040bcb2b5aa8 for registry.gitlab.com/security-products/kics:5 with digest registry.gitlab.com/security-products/kics@sha256:92fbedd5026d89f24e445825d4f3e19ddc354d717fd91790cf9b6ba8f2591c82 ...
$ /analyzer run
[INFO] [kics] [2024-12-06T17:48:13Z] ▶ GitLab kics analyzer v5.9.0
[INFO] [kics] [2024-12-06T17:48:13Z] ▶ Detecting project
[INFO] [kics] [2024-12-06T17:48:13Z] ▶ Analyzer will attempt to analyze all projects in the repository
[INFO] [kics] [2024-12-06T17:48:13Z] ▶ Loading ruleset for /builds/philipcunningham/manual-qa-set-cache-empty-ia-c-latest-ci-templates
[WARN] [kics] [2024-12-06T17:48:13Z] ▶ /builds/philipcunningham/manual-qa-set-cache-empty-ia-c-latest-ci-templates/.gitlab/sast-ruleset.toml not found, ruleset customization will be disabled.
[INFO] [kics] [2024-12-06T17:48:13Z] ▶ Running analyzer
[INFO] [kics] [2024-12-06T17:48:13Z] ▶ path /builds/philipcunningham/manual-qa-set-cache-empty-ia-c-latest-ci-templates
[INFO] [kics] [2024-12-06T17:48:41Z] ▶ Creating report
Uploading artifacts for successful job 00:03
Uploading artifacts...
gl-sast-report.json: found 1 matching artifact files and directories
WARNING: Upload request redirected location=https://gitlab.com/api/v4/jobs/8571226379/artifacts?artifact_format=raw&artifact_type=sast new-url=https://gitlab.com
WARNING: Retrying... context=artifacts-uploader error=request redirected
Uploading artifacts as "sast" to coordinator... 201 Created id=8571226379 responseStatus=201 Created token=glcbt-66
Cleaning up project directory and file based variables 00:00
Job succeeded
- Job: https://gitlab.com/philipcunningham/manual-qa-set-cache-empty-ia-c-latest-ci-templates/-/jobs/8571226379
- Commit: philipcunningham/manual-qa-set-cache-empty-ia-c-latest-ci-templates@b57665d2
Upgrade path for users scanning cache directories
If you are currently relying on SAST scanning your cache directories, you can override the new default cache: [] setting by extending the SAST jobs in your .gitlab-ci.yml:
sast: # or the specific analyzer job you want to enable caching for
  cache:
    paths:
      - your/cache/path
However, we recommend scanning code in your source location rather than in cache directories for more reliable and predictable results.
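The inheritance behaviour behind this change can be checked with a small resolver. This is an added example, not code from the MR or from GitLab. It assumes the configuration has already been merged (`include` and `extends` resolved) and parsed into a mapping; the `semgrep-sast` and `build` jobs and the `vendor/` and `node_modules/` paths are constructed sample data.

```python
# Constructed sample: a default cache shared by every job that does not opt out.
GLOBAL_CACHE = [{"key": "deps", "paths": ["vendor/", "node_modules/"]}]


def make_config(sast_job):
    """Merged config with a default cache, a build job and one SAST job."""
    return {
        "default": {"cache": GLOBAL_CACHE},
        "build": {"script": ["make"]},
        "semgrep-sast": sast_job,
    }


def as_list(cache):
    """Normalise a cache value: None, a single mapping, or a list of mappings."""
    if cache is None:
        return []
    return list(cache) if isinstance(cache, list) else [cache]


def effective_cache(config, job_name):
    """Return the cache entries a job ends up with after inheritance."""
    job = config[job_name]
    if "cache" in job:
        # A job-level key replaces the default entirely, so `cache: []` means none.
        return as_list(job["cache"])
    inherit = job.get("inherit", {}).get("default", True)
    if inherit is False or (isinstance(inherit, list) and "cache" not in inherit):
        return []
    # Top-level `cache` is the older spelling of `default: cache`.
    return as_list(config.get("default", {}).get("cache", config.get("cache")))


def cached_paths(config, job_name):
    """Paths that would be restored into the job's working directory."""
    return [p for entry in effective_cache(config, job_name)
            for p in entry.get("paths", [])]


if __name__ == "__main__":
    scenarios = {
        "job without a cache key": {"script": ["/analyzer run"]},
        "job with cache: []": {"script": ["/analyzer run"], "cache": []},
        "upgrade-path override": {"cache": {"paths": ["your/cache/path"]}},
    }
    for label, job in scenarios.items():
        print(f"{label}: {cached_paths(make_config(job), 'semgrep-sast')}")
```
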