
SAST scanning fails intermittently

Example of a job where the SAST scanning fails

Job #562578827 failed for 98c47954:

docker: error during connect: Post http://docker:2375/v1.40/containers/create: dial tcp: lookup docker on 169.254.169.254:53: no such host.

From Slack thread

@fcatteau license-scanning works fine so this might be related to sast, and in that case the legacy SAST orchestrator (Docker-in-Docker)

By the way, the CI configuration implicitly enables the Docker-in-Docker orchestrator for SAST even though no-DinD is now the default: https://gitlab.com/gitlab-org/security/gitlab-pages/-/blob/master/.gitlab-ci.yml#L63; see gitlab#218541 (closed).

The important difference between sast and license-scanning is that the former explicitly calls docker run whereas the latter sets image.name in its job definition. This might explain why License Scanning works. I'm able to pull registry.gitlab.com/gitlab-org/security-products/sast:2 though.

I suggest you override the rules of the *-sast jobs triggered for this project, and don't override sast anymore. Could you try that in an MR? Also, I suggest you share this with #g_secure-static-analysis.

Actually you only need to override secrets-sast and gosec-sast. See https://gitlab.com/gitlab-org/security/gitlab-pages/-/jobs/548248714#L192
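The suggested change in CI-configuration form, as an added example that is not the project's actual .gitlab-ci.yml and not code from the thread: the template include and the job names secrets-sast and gosec-sast come from the discussion above; the rule conditions (run on merge requests and on the default branch) are assumed placeholders that a project would replace with its own.

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

# Before (the pattern the thread describes): overriding the umbrella `sast`
# job gives it rules of its own, which re-enables the legacy Docker-in-Docker
# orchestrator. That orchestrator calls `docker run` against the docker:dind
# service, so the job fails whenever the `docker` hostname cannot be resolved.
#
# sast:
#   rules:
#     - if: '$CI_MERGE_REQUEST_IID'   # assumed condition

# After: leave `sast` alone and override only the analyzer jobs the project
# needs. The template's default no-DinD analyzers then run as intended.
# Rule conditions below are assumed; adjust to the project's own policy.
secrets-sast:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

gosec-sast:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
```

Because a `rules` array on an overriding job replaces the template's rules rather than merging with them, every condition the project relies on has to be restated in the override; a quick check after the change is that the pipeline no longer lists a `sast` job and that the remaining analyzer jobs run without a docker:dind service.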