I have a custom SAST tool as a GitLab project and I'm using it to scan projects with the SAST project's pipeline. After each scan, it will generate an artifact (gl-sast-report.json). But this artifact will be published in the SAST project.
For example (SAST pipeline; a.k.a. Project A):
- Triggered to scan project B
- Artifact (gl-sast-report) generated but stored in Project A, because the pipeline ran on Project A.
How can I make the artifact (gl-sast-report) be published/uploaded/pushed to Project B instead? So that the project owners will know of the vulnerabilities in their code.
Having the gl-sast-report in Project A (SAST project) doesn't help as it will not notify project owners of the vulnerabilities that it found.
Constraints: I cannot touch Project B at all. So only 1 way uploading from Project A. I'm not limited to using only GitLab as a solution. I tried a few ways, but all of them require Project B to download the artifacts.