Add IaC scanning to Security Configuration page
This adds the IaC Scanning configuration card to the Security Configuration page.
This commit is contained in:
parent
f6ddd1b367
commit
dfb26b6a88
|
@ -3,6 +3,7 @@ import { __, s__ } from '~/locale';
|
|||
|
||||
import {
|
||||
REPORT_TYPE_SAST,
|
||||
REPORT_TYPE_SAST_IAC,
|
||||
REPORT_TYPE_DAST,
|
||||
REPORT_TYPE_DAST_PROFILES,
|
||||
REPORT_TYPE_SECRET_DETECTION,
|
||||
|
@ -30,6 +31,16 @@ export const SAST_CONFIG_HELP_PATH = helpPagePath('user/application_security/sas
|
|||
anchor: 'configuration',
|
||||
});
|
||||
|
||||
export const SAST_IAC_NAME = __('Infrastructure as Code (IaC) Scanning');
|
||||
export const SAST_IAC_SHORT_NAME = s__('ciReport|IaC Scanning');
|
||||
export const SAST_IAC_DESCRIPTION = __(
|
||||
'Analyze your infrastructure as code configuration files for known vulnerabilities.',
|
||||
);
|
||||
export const SAST_IAC_HELP_PATH = helpPagePath('user/application_security/sast/index');
|
||||
export const SAST_IAC_CONFIG_HELP_PATH = helpPagePath('user/application_security/sast/index', {
|
||||
anchor: 'configuration',
|
||||
});
|
||||
|
||||
export const DAST_NAME = __('Dynamic Application Security Testing (DAST)');
|
||||
export const DAST_SHORT_NAME = s__('ciReport|DAST');
|
||||
export const DAST_DESCRIPTION = __('Analyze a review version of your web application.');
|
||||
|
@ -141,6 +152,22 @@ export const securityFeatures = [
|
|||
// https://gitlab.com/gitlab-org/gitlab/-/issues/331621
|
||||
canEnableByMergeRequest: true,
|
||||
},
|
||||
...(gon?.features?.configureIacScanningViaMr
|
||||
? [
|
||||
{
|
||||
name: SAST_IAC_NAME,
|
||||
shortName: SAST_IAC_SHORT_NAME,
|
||||
description: SAST_IAC_DESCRIPTION,
|
||||
helpPath: SAST_IAC_HELP_PATH,
|
||||
configurationHelpPath: SAST_IAC_CONFIG_HELP_PATH,
|
||||
type: REPORT_TYPE_SAST_IAC,
|
||||
|
||||
// This field will eventually come from the backend, the progress is
|
||||
// tracked in https://gitlab.com/gitlab-org/gitlab/-/issues/331621
|
||||
canEnableByMergeRequest: true,
|
||||
},
|
||||
]
|
||||
: []),
|
||||
{
|
||||
name: DAST_NAME,
|
||||
shortName: DAST_SHORT_NAME,
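Review bot: `SAST_IAC_HELP_PATH` and `SAST_IAC_CONFIG_HELP_PATH` (earlier hunk of this file) resolve to the same `user/application_security/sast/index` page and anchor as the existing SAST constants, so the new card's "learn more" links lead to SAST documentation rather than anything IaC-specific; if that is intentional because IaC scanning is documented on the SAST page, a comment saves the next reader a lookup, e.g. `// IaC scanning is currently documented on the SAST page; update once it has its own.` The new entry also hard-codes `canEnableByMergeRequest: true` with the copied "will eventually come from the backend" comment, so the tracking issue now covers two entries. The `securityFeatures` array begins and ends outside this hunk.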
|
||||
|
|
|
@ -17,6 +17,7 @@ export const REPORT_FILE_TYPES = {
|
|||
* Security scan report types, as provided by the backend.
|
||||
*/
|
||||
export const REPORT_TYPE_SAST = 'sast';
|
||||
export const REPORT_TYPE_SAST_IAC = 'sast_iac';
|
||||
export const REPORT_TYPE_DAST = 'dast';
|
||||
export const REPORT_TYPE_DAST_PROFILES = 'dast_profiles';
|
||||
export const REPORT_TYPE_SECRET_DETECTION = 'secret_detection';
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
module Security
|
||||
class SecurityJobsFinder < JobsFinder
|
||||
def self.allowed_job_types
|
||||
[:sast, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
|
||||
[:sast, :sast_iac, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
|
||||
end
|
||||
end
|
||||
end
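Review bot: The new `:sast_iac` entry in `allowed_job_types` is unconditional, while the rest of this commit gates IaC scanning behind the `configure_iac_scanning_via_mr` flag and adds `sast_iac` to the licensed feature list; jobs carrying `sast_iac` artifacts therefore become visible through this finder regardless of either gate. That is consistent with how the other types are listed here, but since the list is now one of several hand-maintained mirrors of the report types (frontend `REPORT_TYPE_*`, `SecurityReportTypeEnum`, `License` features), a comment naming where the canonical list lives would help keep them in step, e.g. `# Keep in sync with Types::SecurityReportTypeEnum.` if that is the source of truth (not visible here).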
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
name: configure_iac_scanning_via_mr
|
||||
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73155
|
||||
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/343966
|
||||
milestone: '14.5'
|
||||
type: development
|
||||
group: group::static analysis
|
||||
default_enabled: false
|
|
@ -1,5 +1,4 @@
|
|||
---
|
||||
filenames:
|
||||
- ee/app/assets/javascripts/oncall_schedules/graphql/mutations/update_oncall_schedule_rotation.mutation.graphql
|
||||
- ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/api_fuzzing_ci_configuration.query.graphql
|
||||
- ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/create_api_fuzzing_configuration.mutation.graphql
|
||||
- ee/app/assets/javascripts/security_configuration/graphql/configure_iac.mutation.graphql
|
||||
|
|
|
@ -16752,6 +16752,7 @@ Size of UI component in SAST configuration page.
|
|||
| <a id="securityreporttypeenumdast"></a>`DAST` | DAST scan report. |
|
||||
| <a id="securityreporttypeenumdependency_scanning"></a>`DEPENDENCY_SCANNING` | DEPENDENCY SCANNING scan report. |
|
||||
| <a id="securityreporttypeenumsast"></a>`SAST` | SAST scan report. |
|
||||
| <a id="securityreporttypeenumsast_iac"></a>`SAST_IAC` | SAST IAC scan report. |
|
||||
| <a id="securityreporttypeenumsecret_detection"></a>`SECRET_DETECTION` | SECRET DETECTION scan report. |
|
||||
|
||||
### `SecurityScannerType`
|
||||
|
@ -16767,6 +16768,7 @@ The type of the security scanner.
|
|||
| <a id="securityscannertypedast"></a>`DAST` | DAST scanner. |
|
||||
| <a id="securityscannertypedependency_scanning"></a>`DEPENDENCY_SCANNING` | Dependency Scanning scanner. |
|
||||
| <a id="securityscannertypesast"></a>`SAST` | SAST scanner. |
|
||||
| <a id="securityscannertypesast_iac"></a>`SAST_IAC` | Sast Iac scanner. |
|
||||
| <a id="securityscannertypesecret_detection"></a>`SECRET_DETECTION` | Secret Detection scanner. |
|
||||
|
||||
### `SentryErrorStatus`
|
||||
|
|
|
@ -1,6 +1,10 @@
|
|||
import { s__ } from '~/locale';
|
||||
import { featureToMutationMap as featureToMutationMapCE } from '~/security_configuration/components/constants';
|
||||
import { REPORT_TYPE_DEPENDENCY_SCANNING } from '~/vue_shared/security_reports/constants';
|
||||
import {
|
||||
REPORT_TYPE_SAST_IAC,
|
||||
REPORT_TYPE_DEPENDENCY_SCANNING,
|
||||
} from '~/vue_shared/security_reports/constants';
|
||||
import configureSastIacMutation from '../graphql/configure_iac.mutation.graphql';
|
||||
import configureDependencyScanningMutation from '../graphql/configure_dependency_scanning.mutation.graphql';
|
||||
|
||||
export const SMALL = 'SMALL';
|
||||
|
@ -21,6 +25,21 @@ export const CUSTOM_VALUE_MESSAGE = s__(
|
|||
|
||||
export const featureToMutationMap = {
|
||||
...featureToMutationMapCE,
|
||||
...(gon?.features?.configureIacScanningViaMr
|
||||
? {
|
||||
[REPORT_TYPE_SAST_IAC]: {
|
||||
mutationId: 'configureSastIac',
|
||||
getMutationPayload: (projectPath) => ({
|
||||
mutation: configureSastIacMutation,
|
||||
variables: {
|
||||
input: {
|
||||
projectPath,
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
}
|
||||
: {}),
|
||||
[REPORT_TYPE_DEPENDENCY_SCANNING]: {
|
||||
mutationId: 'configureDependencyScanning',
|
||||
getMutationPayload: (projectPath) => ({
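Review bot: `gon?.features?.configureIacScanningViaMr` is evaluated here at module load to decide whether `REPORT_TYPE_SAST_IAC` gets a mutation entry, and the same expression gates the IaC card in the CE `securityFeatures` list in a different file; the two must stay aligned or a card can render an enable button with no mutation behind it, and both must be cleaned up together when the flag is removed. Consider computing the gate once and importing it, e.g. `export const IAC_VIA_MR_ENABLED = Boolean(gon?.features?.configureIacScanningViaMr);` in the CE constants module, or at least add `// Must match the configureIacScanningViaMr gate on securityFeatures in ~/security_configuration/components/constants.js` above the spread. The `featureToMutationMap` object literal continues past the end of this hunk.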
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
mutation configureSastIac($input: ConfigureSastIacInput!) {
|
||||
configureSastIac(input: $input) {
|
||||
successPath
|
||||
errors
|
||||
}
|
||||
}
|
|
@ -184,6 +184,7 @@ class License < ApplicationRecord
|
|||
report_approver_rules
|
||||
requirements
|
||||
sast
|
||||
sast_iac
|
||||
sast_custom_rulesets
|
||||
sast_fp_reduction
|
||||
secret_detection
|
||||
|
|
|
@ -15,6 +15,8 @@ def add_gon_variables
|
|||
gon.subscriptions_url = ::Gitlab::SubscriptionPortal::SUBSCRIPTIONS_URL
|
||||
gon.payment_form_url = ::Gitlab::SubscriptionPortal::PAYMENT_FORM_URL
|
||||
end
|
||||
|
||||
push_frontend_feature_flag(:configure_iac_scanning_via_mr, current_user, default_enabled: :yaml)
|
||||
end
|
||||
|
||||
# Exposes if a licensed feature is available.
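Review bot: `push_frontend_feature_flag(:configure_iac_scanning_via_mr, current_user, default_enabled: :yaml)` is placed in `add_gon_variables`, so the flag is evaluated and written into `gon` on every page for every request even though only the Security Configuration page reads it; scoping it with a `before_action` in that page's controller, e.g. `before_action { push_frontend_feature_flag(:configure_iac_scanning_via_mr, current_user, default_enabled: :yaml) }`, keeps the per-request work and the exposed flag list minimal. Note also that this only hides the card client-side; the `configureSastIac` mutation invoked by the card must enforce the flag, the `sast_iac` license feature and the user's permission on the server, which is not visible in this commit and should be confirmed. `add_gon_variables` starts outside the hunk, and the `end` on the first lines closes a conditional whose start is not visible.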
|
||||
|
|
|
@ -62,7 +62,7 @@
|
|||
it 'responds in json format when requested' do
|
||||
get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
|
||||
|
||||
types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
|
||||
types = %w(sast sast_iac dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
|
||||
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
|
||||
|
|
|
@ -84,7 +84,7 @@ def within_sast_card
|
|||
end
|
||||
|
||||
def within_dast_card
|
||||
within '[data-testid="security-testing-card"]:nth-of-type(2)' do
|
||||
within '[data-testid="security-testing-card"]:nth-of-type(3)' do
|
||||
yield
|
||||
end
|
||||
end
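Review bot: `within_dast_card` now depends on the DAST card being the third `security-testing-card`, which only holds when the IaC card is rendered, i.e. when `configure_iac_scanning_via_mr` (whose YAML in this commit sets `default_enabled: false`) is enabled for this spec; if the spec does not stub the flag, or cards are reordered again, the helper silently scopes assertions to the wrong card. Selecting by content is more robust than position: `within '[data-testid="security-testing-card"]', text: 'Dynamic Application Security Testing (DAST)' do`. The same positional coupling presumably applies to `within_sast_card` just above the hunk.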
|
||||
|
|
|
@ -4,6 +4,6 @@
|
|||
|
||||
RSpec.describe GitlabSchema.types['SecurityScannerType'] do
|
||||
it 'exposes all security scanner types' do
|
||||
expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SECRET_DETECTION])
|
||||
expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SAST_IAC SECRET_DETECTION])
|
||||
end
|
||||
end
|
||||
|
|
|
@ -83,6 +83,7 @@
|
|||
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
|
||||
security_scan(:dast, configured: true),
|
||||
security_scan(:sast, configured: true),
|
||||
security_scan(:sast_iac, configured: false),
|
||||
security_scan(:container_scanning, configured: false),
|
||||
security_scan(:cluster_image_scanning, configured: false),
|
||||
security_scan(:dependency_scanning, configured: false),
|
||||
|
@ -113,6 +114,7 @@
|
|||
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
|
||||
security_scan(:dast, configured: false),
|
||||
security_scan(:sast, configured: false),
|
||||
security_scan(:sast_iac, configured: false),
|
||||
security_scan(:container_scanning, configured: false),
|
||||
security_scan(:cluster_image_scanning, configured: false),
|
||||
security_scan(:dependency_scanning, configured: false),
|
||||
|
@ -143,6 +145,7 @@
|
|||
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
|
||||
security_scan(:dast, configured: false),
|
||||
security_scan(:sast, configured: false),
|
||||
security_scan(:sast_iac, configured: false),
|
||||
security_scan(:container_scanning, configured: false),
|
||||
security_scan(:cluster_image_scanning, configured: false),
|
||||
security_scan(:dependency_scanning, configured: false),
|
||||
|
@ -169,6 +172,7 @@
|
|||
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
|
||||
security_scan(:dast, configured: false),
|
||||
security_scan(:sast, configured: false),
|
||||
security_scan(:sast_iac, configured: false),
|
||||
security_scan(:container_scanning, configured: false),
|
||||
security_scan(:cluster_image_scanning, configured: false),
|
||||
security_scan(:dependency_scanning, configured: false),
|
||||
|
@ -203,6 +207,7 @@
|
|||
security_scan(:dast, configured: true),
|
||||
security_scan(:dast_profiles, configured: true),
|
||||
security_scan(:sast, configured: true),
|
||||
security_scan(:sast_iac, configured: false),
|
||||
security_scan(:container_scanning, configured: false),
|
||||
security_scan(:cluster_image_scanning, configured: false),
|
||||
security_scan(:dependency_scanning, configured: false),
|
||||
|
@ -228,6 +233,7 @@
|
|||
security_scan(:dast, configured: false),
|
||||
security_scan(:dast_profiles, configured: true),
|
||||
security_scan(:sast, configured: true),
|
||||
security_scan(:sast_iac, configured: false),
|
||||
security_scan(:container_scanning, configured: false),
|
||||
security_scan(:cluster_image_scanning, configured: false),
|
||||
security_scan(:dependency_scanning, configured: false),
|
||||
|
@ -246,6 +252,7 @@
|
|||
security_scan(:dast, configured: true),
|
||||
security_scan(:dast_profiles, configured: true),
|
||||
security_scan(:sast, configured: true),
|
||||
security_scan(:sast_iac, configured: false),
|
||||
security_scan(:container_scanning, configured: false),
|
||||
security_scan(:cluster_image_scanning, configured: false),
|
||||
security_scan(:dependency_scanning, configured: false),
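Review bot: Every added expectation pins `sast_iac` to `configured: false`; no example has a project whose pipeline carries an IaC report, so the detection path that would return `configured: true` for the new type is not exercised here. One example alongside the existing configured SAST/DAST cases, e.g. `security_scan(:sast_iac, configured: true)` with a pipeline fixture that includes a `sast_iac` report (fixture shape not visible in this hunk), would cover it. The unconditional presence of `sast_iac` in these expectations also shows the backend `features` payload lists it regardless of the `configure_iac_scanning_via_mr` flag, with only the frontend hiding the card; that is acceptable, but worth a frontend spec asserting the card is absent when the flag is off.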
|
||||
|
|
|
@ -3927,6 +3927,9 @@ msgstr ""
|
|||
msgid "Analyze your dependencies for known vulnerabilities."
|
||||
msgstr ""
|
||||
|
||||
msgid "Analyze your infrastructure as code configuration files for known vulnerabilities."
|
||||
msgstr ""
|
||||
|
||||
msgid "Analyze your source code and git history for secrets."
|
||||
msgstr ""
|
||||
|
||||
|
@ -18288,6 +18291,9 @@ msgstr ""
|
|||
msgid "Infrastructure Registry"
|
||||
msgstr ""
|
||||
|
||||
msgid "Infrastructure as Code (IaC) Scanning"
|
||||
msgstr ""
|
||||
|
||||
msgid "InfrastructureRegistry|Copy Terraform Command"
|
||||
msgstr ""
|
||||
|
||||
|
@ -40385,6 +40391,9 @@ msgstr ""
|
|||
msgid "ciReport|Found %{issuesWithCount}"
|
||||
msgstr ""
|
||||
|
||||
msgid "ciReport|IaC Scanning"
|
||||
msgstr ""
|
||||
|
||||
msgid "ciReport|Investigate this vulnerability by creating an issue"
|
||||
msgstr ""
|
||||
|
||||
|
|