Skip to content
Latchkey

GitLab CI DAST/SAST Template Job Failed

GitLab security templates (Jobs/SAST.gitlab-ci.yml, DAST.gitlab-ci.yml) inject scanner jobs. They fail when the required stage is missing, DAST has no target URL, an analyzer is unsupported, or the analyzer image cannot be pulled.

What this error means

A security scanning job (sast, dast, or an analyzer like semgrep-sast) fails, often noting a missing stage, missing DAST_WEBSITE, or an analyzer image pull error.

gitlab-ci
dast: DAST_WEBSITE is not set; no target to scan
job 'semgrep-sast' could not find stage 'test'
ERROR: failed to pull analyzer image (i/o timeout)

Common causes

Required stage missing

SAST analyzers run in the test stage; if stages: does not include it, the job has nowhere to run.

DAST has no target

DAST needs DAST_WEBSITE (or an environment URL) to know what to scan.

Transient analyzer image pull failure

A momentary registry or network issue can fail the analyzer image pull.

How to fix it

Add the required stage and DAST target

Include the test stage and provide DAST a target URL.

.gitlab-ci.yml
stages: [test, dast]

include:
  - template: Jobs/SAST.gitlab-ci.yml
  - template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: 'https://staging.example.com'

Retry transient analyzer pulls

  1. Re-run the failed analyzer job if the failure was an image pull timeout.
  2. Pin analyzer versions to avoid surprise breakages.
  3. Confirm the runner can reach the analyzer registry.

How to prevent it

  • Define the stages the security templates expect (test, dast).
  • Always set a DAST target URL for DAST scans.
  • Pin analyzer versions and ensure registry reachability.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →