
I have a React.js project with a GitLab-CI configuration that includes SAST scanning. However, I'm running into an issue where the compliance job is unable to find the gl-sast-report.json file generated by the SAST scanner, even though the file is present in the artifacts.

Uploading artifacts... WARNING: gl-sast-report.json: no matching files. Ensure that the artifact path is relative to the working directory (/builds/front0/ntrack)

Based on code from the GitLab SAST solution:

# Top-level variables block (the "variables:" key was missing from the pasted config)
variables:
  NODE_IMAGE: node:18.16.0
  ALPINE_IMAGE: alpine:3.14.2
  SAST_REPORT_FILE: "gl-sast-report.json"
  TEMPLATE_REGISTRY_HOST: 'registry.gitlab.com'
  SECURE_ANALYZERS_PREFIX: "$TEMPLATE_REGISTRY_HOST/security-products"
  SAST_IMAGE_SUFFIX: ""

stages:
  - test
  - compliance

include:
  - template: Jobs/SAST-IaC.latest.gitlab-ci.yml

# Hidden base job; the report is published as a plain artifact path so a later
# stage can download it through "dependencies"
.iac-sast:
  stage: test
  artifacts:
    paths:
      - "${SAST_REPORT_FILE}"
  allow_failure: true
  script:
    - /analyzer run

Kics-iac-sast:
  stage: test
  # extends must reference the hidden job by its full name, including the leading dot
  extends: .iac-sast
  image:
    name: "${SAST_ANALYZER_IMAGE}"
  variables:
    SAST_ANALYZER_IMAGE_TAG: 3
    SAST_ANALYZER_IMAGE: "${SECURE_ANALYZERS_PREFIX}/kics:${SAST_ANALYZER_IMAGE_TAG}${SAST_IMAGE_SUFFIX}"

Enforce SAST Compliance:
  image: ${ALPINE_IMAGE}
  stage: compliance
  artifacts:
    paths:
      - "${SAST_REPORT_FILE}"
  variables:
    FILE: "${SAST_REPORT_FILE}"
  before_script:
    - apk add jq
  script:
    # Keep only Critical findings and the fields the check script reads
    - jq -r '.vulnerabilities[] | select(.severity == "Critical") | (.severity, .message, .location, .identifiers[].url)' $FILE > results.txt
    - chmod u+x sast-results-check.sh
    - ./sast-results-check.sh
  dependencies:
    - Kics-iac-sast
  allow_failure: false

I've also seen suggestions that this issue might be related to having a non-Ultimate GitLab account and GitLab disallowing interaction with the report file, but I'm not sure if that's the case.

I tried adding the build directory to the report URL but still could not get the gl-sast-report.json found. Though the actual file is actually generated and is sitting in the artifacts.

Additionally, I also checked if the file path in the variables section is correctly pointing to the generated file. However, I still get the same error message.

What could be causing this error and how can I fix it? Any suggestions for how to resolve this issue and get the gl-sast-report.json file to be found by the compliance job would be greatly appreciated.
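The compliance gate the question's `jq` pipeline feeds into, written here as an added standalone example rather than the asker's `sast-results-check.sh`: it reads the `gl-sast-report.json` fields the `jq` filter selects, and treats a missing report (the failure mode above) as its own exit status instead of silently passing. The sample report and the `example.invalid` URLs are constructed for the demo.

```python
import json
import os
import sys

# Constructed sample in the gl-sast-report.json shape the question's jq filter reads;
# not output from a real KICS scan.
SAMPLE_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"severity": "Critical", "message": "Hard-coded secret in Helm values",
         "location": {"file": "deploy/values.yaml", "start_line": 12},
         "identifiers": [{"type": "kics_id", "name": "a", "url": "https://example.invalid/kics/1"}]},
        {"severity": "Medium", "message": "Container runs as root",
         "location": {"file": "Dockerfile", "start_line": 1},
         "identifiers": [{"type": "kics_id", "name": "b", "url": "https://example.invalid/kics/2"}]},
    ],
}

def write_sample_report(path):
    """Write the constructed sample to disk (demo helper) and return the path."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_REPORT, fh)
    return path

def load_report(path):
    """Return the parsed report, or None when the artifact was never handed over."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def critical_findings(report):
    """Same selection as the jq filter: Critical findings with message, location and URLs."""
    out = []
    for v in report.get("vulnerabilities", []):
        if v.get("severity") != "Critical":
            continue
        loc = v.get("location", {})
        out.append({"message": v.get("message", ""),
                    "location": f"{loc.get('file', '?')}:{loc.get('start_line', '?')}",
                    "urls": [i["url"] for i in v.get("identifiers", []) if "url" in i]})
    return out

def gate(path):
    """Exit status for the compliance job: 0 clean, 1 Critical findings, 2 report missing."""
    report = load_report(path)
    if report is None:
        print(f"{path}: report not found; check artifacts/dependencies of the SAST job")
        return 2
    crit = critical_findings(report)
    for f in crit:
        print(f"Critical: {f['message']} at {f['location']} {' '.join(f['urls'])}")
    return 1 if crit else 0

if __name__ == "__main__":
    sys.exit(gate(sys.argv[1] if len(sys.argv) > 1 else "gl-sast-report.json"))
```

Returning a distinct status for the missing-report case makes the "no matching files" situation fail the pipeline loudly rather than letting an empty `results.txt` pass as clean.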

  • Check to see that your SAST job is actually creating the output to upload; an after_script: - find . may help you see if the file is there. – cgseller Jun 07 '23 at 17:49
