What Happens When You Include These Templates?

include:
  - template: Code-Quality.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml

1. Code-Quality.gitlab-ci.yml

• This template defines one or more jobs that analyze your source code to detect code quality issues.
• It typically runs linters, static analyzers, and formatters.
• The goal is to detect problems like:
  • Code style violations
  • Complexity issues
  • Deprecated APIs or usage
  • Potential bugs or code smells

For Python projects, the Code Quality job usually runs a tool like flake8 or eslint (for JavaScript). GitLab’s default image for Code Quality is typically based on Node.js and other tools, but you can customize it.

The output is a code quality report — a JSON file (gl-code-quality-report.json) that GitLab uses to show inline feedback in merge requests (like highlighting lines that need fixing).

2. Jobs/SAST.gitlab-ci.yml

• This template runs Static Application Security Testing (SAST) jobs.
• It scans your code for security vulnerabilities using specialized tools.
• For Python, GitLab uses a scanner like Bandit, which looks for security issues like:
  • Use of insecure functions or libraries
  • Injection vulnerabilities
  • Hardcoded secrets
  • Insecure file handling
• The results appear in the Security Dashboard and in merge requests under the Security tab.

How Does It Work Internally?

• When you include these templates, GitLab:
  1. Adds predefined jobs to your pipeline automatically.
  2. Those jobs run inside Docker containers with the appropriate environment and tools installed.
  3. They analyze your repository files, based on the detected language(s).
  4. Results are collected, formatted, and uploaded as artifacts.
  5. GitLab uses those artifacts to render reports and feedback in your GitLab UI.

Do These Templates Have Secure Coding Python Rules?

• SAST (Jobs/SAST.gitlab-ci.yml) does include Python-specific security rules — because it runs tools like Bandit by default.