Gitlab CI SAST在后续阶段访问gl-sast-report.json工件

时间:2020-10-06 19:32:28

标签: gitlab gitlab-ci

我想在CI的后续阶段中使用在SAST流程中创建的gl-sast-report.json文件,但找不到该文件。

ci.yml 

include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - test
  - .post
sast:
  rules:
    - if: $CI_COMMIT_TAG

send-reports:
  stage: .post
  dependencies: 
    - sast
  script: 
    - ls
    - echo "in post stage"
    - cat gl-sast-report.json

输出: 

Running with gitlab-runner 13.2.1 (efa30e33)
on blah blah blah
Preparing the "docker" executor
00:01
.
.
.

Preparing environment
00:01
Running on runner-zqk9bcef-project-4296-concurrent-0 via ff93ba7b6ee2...
Getting source from Git repository
00:01
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in blah blah
Checking out 9c2edf67 as 39-test-dso...
Removing gl-sast-report.json
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:03
$ ls
<stuff in the repo>
$ echo "in .post stage"
in post stage
$ cat gl-sast-report.json
cat: can't open 'gl-sast-report.json': No such file or directory
ERROR: Job failed: exit code 1

您可以看到我认为是问题的Removing gl-sast-report.json行。

我看不到https://gitlab.com/gitlab-org/gitlab/-/blob/v11.11.0-rc2-ee/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml#L33-45的SAST.gitlab-ci.yml中的任何地方

关于如何在CI管道的下一阶段中使用此工件的任何想法?

更新:

因此,我在下面尝试了k33g_org的建议,但无济于事。似乎这是由于sast模板中的限制所致。做了以下测试。

include:
  - template: Security/SAST.gitlab-ci.yml

stages:
  - test
  - upload

something:
  stage: test
  script:
      - echo "in something"
      - echo "this is something" > something.txt
  artifacts:
      paths: [something.txt]

sast:
  before_script:
      - echo "hello from before sast"
      - echo "this is in the file" > test.txt
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths: [gl-sast-report.json, test.txt]

send-reports:
  stage: upload
  dependencies:
    - sast
    - something
  before_script:
      - echo "This is the send-reports before_script"
  script:
    - echo "in send-reports job"
    - ls
  artifacts:
      reports:
          sast: gl-sast-report.json

三个变化:

  1. 根据k33g_org的建议更新了代码
  2. 在sast作业中创建了另一个工件(以查看它是否会传递到发送报告作业中)
  3. 创建了一个新作业(某物),在其中我创建了一个新的 something.txt 工件(以查看它是否可以传递给发送报告作业)

输出:

Preparing environment
00:01
Running on runner-zqx7qoq-project-4296-concurrent-0 via e3fe672984b4...
Getting source from Git repository
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /<repo>
Checking out 26501c44 as <branch_name>...
Removing something.txt
Skipping Git submodules setup
Downloading artifacts
00:00
Downloading artifacts for something (64950)...
Downloading artifacts from coordinator... ok        id=64950 
responseStatus=200 OK token=zoJwysdq
Executing "step_script" stage of the job script
00:01
$ echo "This is the send-reports before_script"
This is the send-reports before_script
$ echo "in send-reports job"
in send-reports job
$ ls
...<other stuff in repo>
something.txt
Uploading artifacts for successful job
00:01
Uploading artifacts...
WARNING: gl-sast-report.json: no matching files    
ERROR: No files to upload                          
Cleaning up file based variables
00:01
Job succeeded

注意:

  • something.txt完成了这项工作
  • 所有不正常的工件,以至于无法继续进行后续工作

我只能得出结论,sast模板内部存在某些不允许工件传播到后续作业的东西。

2 个答案:

答案 0 :(得分:1)

在第一份工作(sast)中添加:

  artifacts:
    paths: [gl-sast-report.json]
    reports:
      sast: gl-sast-report.json

并在下一个作业(send-reports)中添加

  artifacts:
    reports:
      sast: gl-sast-report.json

然后,您应该可以在下一个作业(send-reports)中访问报告

答案 1 :(得分:1)

不要将 gl-sast-report.json 工件引用为 sast 报告,而是将其引用为常规工件。

所以你应该做的是这样声明工件

artifacts:
  paths:
    - 'gl-sast-report.json'

代替

reports:
  sast: gl-sast-report.json
相关问题
最新问题