Explain new sast / dependency_scanning error that was introduced in 13.4
What does this MR do?
Explains the error `[sast|dependency_scanning] is used for configuration only, and its script should not be executed`.
Customer raised a ticket for it, as they were adding rules to `sast` in 12.x and when they upgraded to 13.5 their CI started generating this error.
Related issues
Author's checklist (required)
- Follow the Documentation Guidelines and Style Guide.
- If you have Developer permissions or higher:
  - Ensure that the product tier badge is added to doc's h1.
  - Apply the documentation label, plus:
    - The corresponding DevOps stage and group labels, if applicable.
    - development guidelines when changing docs under `doc/development/*`, `CONTRIBUTING.md`, or `README.md`.
    - development guidelines and Documentation guidelines when changing docs under `development/documentation/*`.
    - development guidelines and Description templates (.gitlab/*) when creating/updating issue and MR description templates.
  - Assign the designated Technical Writer.
- Do not add the feature, frontend, backend, ~"bug", or database labels if you are only updating documentation. These labels will cause the MR to be added to code verification QA issues.

When applicable:
- Update the permissions table.
- Link docs to and from the higher-level index page, plus other related docs where helpful.
- Add the product tier badge accordingly.
- Add GitLab's version history note(s).
- Add/update the feature flag section.
Review checklist
All reviewers can help ensure accuracy, clarity, completeness, and adherence to the Documentation Guidelines and Style Guide.
1. Primary Reviewer
   - Review by a code reviewer or other selected colleague to confirm accuracy, clarity, and completeness. This can be skipped for minor fixes without substantive content changes.
2. Technical Writer
   - Technical writer review. If not requested for this MR, must be scheduled post-merge. To request for this MR, assign the writer listed for the applicable DevOps stage.
   - Ensure docs metadata are present and up-to-date.
   - Ensure Technical Writing and documentation are added.
   - Add the corresponding docs:: scoped label.
   - If working on UI text, add the corresponding UI Text scoped label.
   - Add twdoing when starting work on the MR.
   - Add twfinished if Technical Writing team work on the MR is complete but it remains open.
   - For more information about labels, see Technical Writing workflows - Labels.

   For suggestions that you are confident don't need to be reviewed, change them locally and push a commit directly to save others from unneeded reviews. For example:
   - Clear typos, like `this is a typpo`.
   - Minor issues, like single quotes instead of double quotes, Oxford commas, and periods.

   For more information, see our documentation on Merging a merge request.
3. Maintainer
   - Review by assigned maintainer, who can always request/require the above reviews. Maintainer's review can occur before or after a technical writer review.
   - Ensure a release milestone is set.
   - If there has not been a technical writer review, create an issue for one using the Doc Review template.
Merge request reports
Activity
added Support Team Contributions documentation labels
This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.

Documentation review
The following files require a review from a technical writer:
- doc/user/application_security/dependency_scanning/index.md
- doc/user/application_security/index.md
- doc/user/application_security/sast/index.md
The review does not need to block merging this merge request. See the:
- Technical Writers assignments for the appropriate technical writer for this review.
- Documentation workflows for information on when to assign a merge request for review.
If needed, you can retry the `danger-review` job that generated this comment.
Generated by Danger
Edited by 🤖 GitLab Bot 🤖
assigned to @rdickenson
changed milestone to %13.6
added devopssecure label
added groupstatic analysis label
added Category:SAST label
added Category:Dependency Scanning [DEPRECATED] label
assigned to @fcatteau
This change was triggered by a customer ticket and a zoom call we did with them.
@fcatteau - as author of !41260 (merged) please can you check the technical accuracy; i.e. that where customers are modifying their DS or SAST jobs wholesale, they should use `.ds-analyzer` and `.sast-analyzer` now. (example: adding rules so SAST jobs don't run on every feature branch, only certain specific branches)
@rdickenson - any TW feedback would be great. I'll take another look at this when the review app has deployed.
Edited by Ben Prescott_
- Resolved by Russell Dickenson
- Resolved by Russell Dickenson
- Resolved by Russell Dickenson
- Resolved by Russell Dickenson
- Resolved by Russell Dickenson
added sectionsec label
- Resolved by Ben Prescott_
- Resolved by Ben Prescott_
- Resolved by Ben Prescott_
@bprescott_ Thanks for catching this! Indeed, we should mention this limitation in the docs. That said, it should be possible to override `sast` and `dependency_scanning`, and that's something we leverage in the configuration UI. What's not allowed is to enable these jobs by changing their `rules`. Does this clarify the behavior? Am I missing something?
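The configuration at issue in the two comments above, as an added example that is not part of this MR or of the GitLab templates: the commented-out block is the pre-13.4 habit that now fails, and the corrected form keeps the branch restriction but attaches it to the analyzer jobs that actually run. It assumes the 13.4+ `Security/SAST.gitlab-ci.yml` and `Security/Dependency-Scanning.gitlab-ci.yml` templates, whose analyzer job names and `*_DISABLED` variables are used here; `release` is a constructed branch name.

```yaml
# Added example, not the MR's or the template's own content. Assumes the
# Security/SAST.gitlab-ci.yml and Security/Dependency-Scanning.gitlab-ci.yml
# templates from GitLab 13.4 or later; "release" is a constructed branch name.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# BROKEN (pre-13.4 habit): adding rules to the configuration-only jobs.
# Since 13.4 these jobs carry no analyzer; their script only reports
# "<job> is used for configuration only, and its script should not be executed"
# and exits non-zero, so these rules make the pipeline fail rather than
# restricting the scans to one branch.
#
# sast:
#   rules:
#     - if: $CI_COMMIT_BRANCH == "release"
# dependency_scanning:
#   rules:
#     - if: $CI_COMMIT_BRANCH == "release"

# ALLOWED: overriding the configuration-only jobs for keys that the analyzer
# jobs inherit, such as variables (this is what the configuration UI relies on).
sast:
  variables:
    SAST_EXCLUDED_PATHS: "spec, test, tmp"

# FIX for "run only on certain branches": put the rules on the analyzer jobs
# that actually execute. A job-level rules: list replaces the template's list
# for that job wholesale, so the opt-out variable check and the file-detection
# condition are restated here instead of being silently lost.
bandit-sast:
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH == "release"
      exists:
        - '**/*.py'

gemnasium-dependency_scanning:
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    # Copy the template's exists: list for this job here as well if the
    # scan should still be skipped when no supported lockfile is present.
    - if: $CI_COMMIT_BRANCH == "release"
```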
assigned to @bprescott_ and unassigned @fcatteau and @rdickenson
added 167 commits
- f7e37279...70084dd3 - 166 commits from branch master
- 8a0b0dff - Explain 13.4 new SAST or DS error message
assigned to @fcatteau and @rdickenson and unassigned @bprescott_
- Resolved by Ben Prescott_
- Resolved by Ben Prescott_
- Resolved by Lucas Charles
- Resolved by Lucas Charles
- Resolved by Russell Dickenson
@bprescott_ Thanks for updating the MR! I suggest we focus on the limitations of `sast` and `dependency_scanning`, and keep it as short as possible. Reading this it feels like there are gaps in the documentation of SAST and Dependency Scanning, and your addition to the troubleshooting sections is filling the gaps. cc @rdickenson
Re-assigning to you, and assigning to @theoretick as well. Not only does it touch SAST (owned by groupstatic analysis), but I need a second opinion on this tricky change anyways.
assigned to @theoretick and @bprescott_ and unassigned @fcatteau
unassigned @theoretick
changed milestone to %13.7
added missed:13.6 label
changed milestone to %13.8
added missed:13.7 label
unassigned @rdickenson
added 9392 commits
- c9e709e0...734994d4 - 9391 commits from branch master
- bf838ad8 - Explain 13.4 new SAST or DS error message
changed milestone to %13.9
assigned to @rdickenson and unassigned @bprescott_
added 542 commits
- 3f72003f...2e0423a9 - 541 commits from branch master
- 0387816b - Explain 13.4 new SAST or DS error message
requested review from @rdickenson
- Resolved by Russell Dickenson
- Resolved by Russell Dickenson
added Technical Writing label
added docsimprovement label
- Resolved by Russell Dickenson
@bprescott_ - I've reviewed, approved, and merged this MR.
mentioned in commit 7e5360bf
added workflowstaging label
added workflowcanary label and removed workflowstaging label
added workflowproduction label and removed workflowcanary label
added releasedcandidate label
mentioned in issue #218541 (closed)
added typemaintenance label