GitLab CI DAST/SAST Template Job Failed
GitLab security templates (Jobs/SAST.gitlab-ci.yml, DAST.gitlab-ci.yml) inject scanner jobs. They fail when the required stage is missing, DAST has no target URL, an analyzer is unsupported, or the analyzer image cannot be pulled.
What this error means
A security scanning job (sast, dast, or an analyzer like semgrep-sast) fails, often noting a missing stage, missing DAST_WEBSITE, or an analyzer image pull error.
dast: DAST_WEBSITE is not set; no target to scan
job 'semgrep-sast' could not find stage 'test'
ERROR: failed to pull analyzer image (i/o timeout)Common causes
Required stage missing
SAST analyzers run in the test stage; if stages: does not include it, the job has nowhere to run.
DAST has no target
DAST needs DAST_WEBSITE (or an environment URL) to know what to scan.
Transient analyzer image pull failure
A momentary registry or network issue can fail the analyzer image pull.
How to fix it
Add the required stage and DAST target
Include the test stage and provide DAST a target URL.
stages: [test, dast]
include:
- template: Jobs/SAST.gitlab-ci.yml
- template: DAST.gitlab-ci.yml
variables:
DAST_WEBSITE: 'https://staging.example.com'Retry transient analyzer pulls
- Re-run the failed analyzer job if the failure was an image pull timeout.
- Pin analyzer versions to avoid surprise breakages.
- Confirm the runner can reach the analyzer registry.
How to prevent it
- Define the stages the security templates expect (test, dast).
- Always set a DAST target URL for DAST scans.
- Pin analyzer versions and ensure registry reachability.