We are introducing a major change for the SAST job definition for Auto DevOps with GitLab 11.6, shipping Dec. 22. As a result, SAST jobs will fail after the upgrade to GitLab 11.6 if they are picked up by a version of GitLab Runner prior to 11.5. The jobs will fail, but they will not block pipelines. However, you won't see results for SAST in the merge request or at the pipeline level anymore.
The same change will happen for Dependency Scanning, Container Scanning, DAST, and License Management in future releases.
Why did this happen?
The new job definition uses the
reports syntax, which is necessary to show SAST results in the Group Security Dashboard.
Unfortunately, this syntax is not supported by GitLab Runner prior to 11.5.
Who is affected?
You are affected by this change if you meet all the requirements in the following list:
- You are using Auto DevOps AND
- you have at least one GitLab Runner 11.4 or older set up for your projects AND
- you are interested in security reports.
Who is not affected?
You are not affected by this change if you meet at least one of the requirements in the following list:
- You are not using Auto DevOps OR
- you are using only GitLab Runner 11.5 or newer OR
- you are using only shared runners on GitLab.com (we already upgraded them) OR
- you are not interested in security reports.
How to solve the problem
If you are not affected by the change, you don't need to take any action.
If you are affected, you should upgrade your GitLab Runners to version 11.5 or newer as soon as possible. If you don't, you will not have new SAST reports until you do upgrade. If you upgrade your runners later, SAST will start to work again correctly.
Which is the expected timeline?
GitLab 11.6 will be released on Dec. 22. This change may also be shipped in an early release candidate (RC) version.
If you are using a self-managed GitLab instance, and you don't install RC versions, you will be affected when you'll upgrade to GitLab 11.6.
If you are using GitLab.com, you will be affected as soon as the RC version with the change will be deployed.
Feel free to reach out to us with any further questions!