
Changing Gitlab SAST json report names


Issue

Note: My CI contains a code complexity checker which can be ignored. This question is mainly focused on SAST.

I have recently set up a SAST pipeline for one of my Gitlab projects. The Gitlab-ce and Gitlab-runner instances are self-hosted. When the SAST scan is completed, the downloaded artifacts / json reports all contain the same name gl-sast-report.json. In this example, the artifacts bandit-sast and semgrep-sast both produce gl-sast-report.json when downloaded.

SAST configuration

stages:
- CodeScan
- CodeComplexity

sast:
  stage: CodeScan
  tags:
    - sast

code_quality:
  stage: CodeComplexity
  artifacts:
    paths: [gl-code-quality-report.json]
  services:
  tags:
    - cq-sans-dind

include:
- template: Security/SAST.gitlab-ci.yml
- template: Code-Quality.gitlab-ci.yml

Completed SAST results


End Goal

  1. If possible, how could I change the name of the artifacts for bandit-sast and semgrep-sast?
  2. If question one is possible, does this mean I have to manually specify each analyser for various projects? Currently, based on my .gitlab-ci.yml, the SAST analysers are automatically detected based on the project language.

Solution

  • If you're using the pre-built SAST images, this isn't possible, even if you run the docker command manually like so:

    docker run --volume "$PWD":/code --env=LM_REPORT_VERSION="2.1" --env=CI_PROJECT_DIR=/code registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
    

    When using these SAST (and DAST) images, the report file will always have the name given in the docs. However, if you ran the docker command manually like above, you could rename the file before it's uploaded as an artifact, but it would still have the same json structure/content.

    Run License Scanning Analyzer:
      stage: sast
      script:
        - docker run --volume "$PWD":/code --env=LM_REPORT_VERSION="2.1" --env=CI_PROJECT_DIR=/code registry.gitlab.com/gitlab-org/security-products/analyzers/license-finder:latest
        - mv gl-license-scanning-report.json license-scanning-report.json
      artifacts:
        reports:
          license_scanning: license-scanning-report.json
    

    The only way to change the json structure/content is to implement the SAST tests manually without using the provided images at all. You can see all the available SAST analyzers in this Gitlab repo.

    For the License Finder analyzer as an example, the Dockerfile says the entrypoint for the image is the run.sh script.

    You can see on line 20 of run.sh that it sets the name of the file to 'gl-license-scanning-report.json', but since we can already change the name by running the docker image manually, this doesn't really help. However, we can see that the actual analyzing comes from the scan_project function, which you could replicate.

    So while it is possible to manually run these analyzers without the pre-built images, it will be much more difficult to get them to work.
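The rename approach from the answer, applied to the two template jobs named in the question (bandit-sast and semgrep-sast). This is an added example, not the asker's or answerer's configuration; it assumes the jobs still come from the Security/SAST.gitlab-ci.yml template, so declaring a job with the same name merges these keys into the template job and keeps its language-detection rules. The new report file names are arbitrary choices.

```yaml
# Added example (not from the question or the answer).
# Assumption: bandit-sast and semgrep-sast are provided by the included
# SAST template; redefining them here only adds/overrides the keys below,
# so the template's rules: (automatic analyzer detection) still apply.
include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - CodeScan

sast:
  stage: CodeScan
  tags:
    - sast

bandit-sast:
  after_script:
    # Runs after the analyzer has written gl-sast-report.json in CI_PROJECT_DIR;
    # rename it before artifacts are collected.
    - mv gl-sast-report.json bandit-sast-report.json
  artifacts:
    paths: [bandit-sast-report.json]      # plain downloadable artifact
    reports:
      sast: bandit-sast-report.json       # still ingested as a SAST report

semgrep-sast:
  after_script:
    - mv gl-sast-report.json semgrep-sast-report.json
  artifacts:
    paths: [semgrep-sast-report.json]
    reports:
      sast: semgrep-sast-report.json
```

The JSON content is unchanged by the rename, so the Security Dashboard and merge-request widget keep working; only the downloaded file names differ.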