
Fail pipelines if GitLab scanners do not succeed

David Diederich requested to merge fail-hard-for-scanners into master

GitLab scanners (SAST, Dependency, etc.) exit with success when the scan was able to complete, and failure when it could not run. Their exit status has no correlation with whether or not they have found vulnerabilities.

By default, these jobs are marked as "allow_failure" so that if the scan cannot run for some reason, the job is skipped and the pipeline proceeds. In theory, this helps developers carry on with their task and come back to the scanner failures later. In practice, scanner failures are ignored and neglected for months, giving the impression in the security dashboard that vulnerabilities have been addressed. This is particularly insidious when looking at the aggregate vulnerability dashboard, since some vulnerabilities from other projects are shown and it is difficult to notice the absence of a particular service from the list.

This MR changes this status to remove the flag. As a result, pipelines will be considered failed if the scanner is unable to execute. The MR author may not be able to fix the issue, but by creating this hard failure it will initiate seeking out the necessary assistance from Maintainers to review the scanner and find a solution.

Testing

Multi Pipeline testing in all projects that include scanners/gitlab-ultimate.yml.
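As an added illustration of the change described above (this is not the MR's own diff, which is not shown on this page), the weak setting beside the corrected one in GitLab CI terms. The file name, the included templates and the job names are assumptions; the concrete analyzer job names depend on the template version your project includes, so check them before copying.

```yaml
# Illustrative scanners/gitlab-ultimate.yml (assumed layout, not the project's file).
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# BEFORE (weak): the template jobs ship with allow_failure: true. A scanner that
# cannot run (bad analyzer image, missing variable, unsupported language) shows
# as a warning, the pipeline goes green, and the security dashboard keeps
# reporting the last scan that did run, possibly months old.
#
#   .sast:
#     allow_failure: true
#   .ds-analyzer:
#     allow_failure: true
#
# AFTER (corrected): override the same jobs so that a scanner that fails to run
# fails the pipeline. Same-named jobs from includes are merged, with keys in
# this file taking precedence. Because these scanners exit non-zero only when
# the scan itself could not complete, this never blocks a pipeline merely
# because findings were reported; findings still surface via the report
# artifacts and the dashboard.
.sast:
  allow_failure: false

.ds-analyzer:
  allow_failure: false

# Analyzer jobs that set allow_failure themselves are not affected by the base
# job override, so pin the concrete jobs as well (names assumed; verify against
# the included template version).
semgrep-sast:
  allow_failure: false

gemnasium-dependency_scanning:
  allow_failure: false
```

After applying the override, a deliberately broken scanner run (for example, an unreachable analyzer image) should now turn the pipeline red rather than yellow, which is the check that confirms the flag is actually gone for every analyzer job.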

Edited by David Diederich
