The SAST job does not appear in GitLab pipeline


I'm a newcomer to GitLab, and I'm attempting to execute a Static Application Security Testing (SAST) analysis on a demonstration project within GitLab. Despite my best efforts, I only see a "Test Job" without any SAST-related information. I'm utilizing GitLab version 15.0.1, which I've installed on a virtual machine to replicate the environment I'll eventually deploy. I've experimented with various configurations, and I'm uncertain which screenshots or code snippets to provide. However, based on my numerous attempts, it seems that SAST may not be active (I checked and it is enabled) on my instance, despite it being enabled in the settings. The user interface is missing options that are documented in GitLab's documentation.

I anticipated a separate SAST job to be visible. Do I need to configure certain settings when running the repository? I'm utilizing my own managed runner with a Docker executor (that runs on the same VM) from a compatible version, and I've verified that the CPU architecture is set to amd64 as required.

The run itself was successful, only SAST isn't available.


There are 2 answers

0
quizguy On

You should have a test stage and the relevant sast yml import in your gitlab-ci.yml file.

The sast jobs also need to be able to download docker images to run so your runner needs to be able to run docker images (if you have a shell runner for example it won’t work).

0
Zhakyp Zhoomart uulu On

Verify SAST is Enabled: Double-check that SAST is enabled for your project. Navigate to your project's settings, then go to "Security & Compliance" > "SAST" and ensure that the SAST checkbox is selected.

Check CI/CD Configuration: Review your .gitlab-ci.yml file in your project repository. Make sure that you have the necessary SAST-related configurations. Here's a minimal example:

include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - test

sast:
  stage: test
  artifacts:
    reports:
      sast: gl-sast-report.json

SAST runs in the test stage, which is available by default. If you redefine the stages in the .gitlab-ci.yml file, the test stage is required.

To run SAST jobs, by default, you need GitLab Runner with the docker or kubernetes executor. If you’re using the shared runners on GitLab.com, this is enabled by default.

Note: GitLab SAST analyzers don’t support running on Windows or on any CPU architectures other than amd64.

Note: If you use your own runners, make sure the Docker version installed is not 19.03.0. See troubleshooting information for details.
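The prerequisites named in the two answers above can be checked in one pass on the runner host. The shell function below is an added example, not part of either answer or of GitLab's own tooling; the function name `sast_preflight`, the finding texts and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the SAST prerequisites listed in the answers.
# Usage: sast_preflight CI_FILE RUNNER_CONFIG DOCKER_VERSION ARCH   (hypothetical helper)
# Prints one finding per line; returns non-zero if there are findings.
sast_preflight() {
    ci_file=$1 runner_cfg=$2 docker_ver=$3 arch=$4 findings=""
    add() { findings="${findings}$1
"; }

    # The SAST template must be included (a commented-out include does not count).
    grep -Eq '^[[:space:]]*-?[[:space:]]*template:[[:space:]]*["'"'"']?Security/SAST\.gitlab-ci\.yml' "$ci_file" ||
        add "no include of Security/SAST.gitlab-ci.yml"

    # If stages are redefined (block or inline list), test must still be listed.
    stages=$(awk '/^stages:/{s=1;print;next} s&&/^[^ \t#-]/{s=0} s&&!/^[ \t]*#/' "$ci_file")
    if [ -n "$stages" ] &&
       ! printf '%s\n' "$stages" | grep -Eq '(^|[^[:alnum:]_.-])test($|[^[:alnum:]_.-])'; then
        add "stages are redefined without the test stage"
    fi

    # The runner needs the docker or kubernetes executor; a shell runner will not work.
    grep -Eq '^[[:space:]]*executor[[:space:]]*=[[:space:]]*"(docker|kubernetes)"' "$runner_cfg" ||
        add "runner executor is not docker or kubernetes"

    # Docker 19.03.0 is the version the note above says to avoid on own runners.
    if [ "$docker_ver" = "19.03.0" ]; then add "Docker version is 19.03.0"; fi

    # Analyzers support amd64 only (uname -m reports it as x86_64).
    case $arch in amd64|x86_64) ;; *) add "CPU architecture $arch is not amd64" ;; esac

    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample input: stages redefined without test, shell executor, Docker 19.03.0.
demo=$(mktemp -d)
printf 'include:\n- template: Security/SAST.gitlab-ci.yml\nstages:\n  - build\n  - deploy\n' > "$demo/ci.yml"
printf '[[runners]]\n  name = "vm-runner"\n  executor = "shell"\n' > "$demo/config.toml"
# On a real runner host the arguments would be, for example:
#   .gitlab-ci.yml /etc/gitlab-runner/config.toml \
#   "$(docker version --format '{{.Server.Version}}')" "$(uname -m)"
sast_preflight "$demo/ci.yml" "$demo/config.toml" "19.03.0" "x86_64" ||
    echo "fix the findings above before expecting SAST jobs in the pipeline"
rm -rf "$demo"
```

An empty result only means these prerequisites are met; it does not inspect the project's SAST setting in the GitLab UI.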