Add IaC scanning to Security Configuration page

This adds the IaC Scanning configuration card to the Security Configuration page.
2021-10-27 10:22:08 +02:00 · 2021-10-27 10:22:08 +02:00 · dfb26b6a88
parent f6ddd1b367
commit dfb26b6a88
15 changed files with 88 additions and 7 deletions
--- a/app/assets/javascripts/security_configuration/components/constants.js
+++ b/app/assets/javascripts/security_configuration/components/constants.js
@ -3,6 +3,7 @@ import { __, s__ } from '~/locale';

 import {
  REPORT_TYPE_SAST,
+  REPORT_TYPE_SAST_IAC,
  REPORT_TYPE_DAST,
  REPORT_TYPE_DAST_PROFILES,
  REPORT_TYPE_SECRET_DETECTION,
@ -30,6 +31,16 @@ export const SAST_CONFIG_HELP_PATH = helpPagePath('user/application_security/sas
  anchor: 'configuration',
 });

+export const SAST_IAC_NAME = __('Infrastructure as Code (IaC) Scanning');
+export const SAST_IAC_SHORT_NAME = s__('ciReport|IaC Scanning');
+export const SAST_IAC_DESCRIPTION = __(
+  'Analyze your infrastructure as code configuration files for known vulnerabilities.',
+);
+export const SAST_IAC_HELP_PATH = helpPagePath('user/application_security/sast/index');
+export const SAST_IAC_CONFIG_HELP_PATH = helpPagePath('user/application_security/sast/index', {
+  anchor: 'configuration',
+});
+
 export const DAST_NAME = __('Dynamic Application Security Testing (DAST)');
 export const DAST_SHORT_NAME = s__('ciReport|DAST');
 export const DAST_DESCRIPTION = __('Analyze a review version of your web application.');
@ -141,6 +152,22 @@ export const securityFeatures = [
    // https://gitlab.com/gitlab-org/gitlab/-/issues/331621
    canEnableByMergeRequest: true,
  },
+  ...(gon?.features?.configureIacScanningViaMr
+    ? [
+        {
+          name: SAST_IAC_NAME,
+          shortName: SAST_IAC_SHORT_NAME,
+          description: SAST_IAC_DESCRIPTION,
+          helpPath: SAST_IAC_HELP_PATH,
+          configurationHelpPath: SAST_IAC_CONFIG_HELP_PATH,
+          type: REPORT_TYPE_SAST_IAC,
+
+          // This field will eventually come from the backend, the progress is
+          // tracked in https://gitlab.com/gitlab-org/gitlab/-/issues/331621
+          canEnableByMergeRequest: true,
+        },
+      ]
+    : []),
  {
    name: DAST_NAME,
    shortName: DAST_SHORT_NAME,
--- a/app/assets/javascripts/vue_shared/security_reports/constants.js
+++ b/app/assets/javascripts/vue_shared/security_reports/constants.js
@ -17,6 +17,7 @@ export const REPORT_FILE_TYPES = {
 * Security scan report types, as provided by the backend.
 */
 export const REPORT_TYPE_SAST = 'sast';
+export const REPORT_TYPE_SAST_IAC = 'sast_iac';
 export const REPORT_TYPE_DAST = 'dast';
 export const REPORT_TYPE_DAST_PROFILES = 'dast_profiles';
 export const REPORT_TYPE_SECRET_DETECTION = 'secret_detection';
--- a/app/finders/security/security_jobs_finder.rb
+++ b/app/finders/security/security_jobs_finder.rb
@ -13,7 +13,7 @@
 module Security
  class SecurityJobsFinder < JobsFinder
    def self.allowed_job_types
-      [:sast, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
+      [:sast, :sast_iac, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
    end
  end
 end
--- a/config/feature_flags/development/configure_iac_scanning_via_mr.yml
+++ b/config/feature_flags/development/configure_iac_scanning_via_mr.yml
@ -0,0 +1,8 @@
+---
+name: configure_iac_scanning_via_mr
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73155
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/343966
+milestone: '14.5'
+type: development
+group: group::static analysis
+default_enabled: false
--- a/config/known_invalid_graphql_queries.yml
+++ b/config/known_invalid_graphql_queries.yml
@ -1,5 +1,4 @@
 ---
 filenames:
  - ee/app/assets/javascripts/oncall_schedules/graphql/mutations/update_oncall_schedule_rotation.mutation.graphql
-  - ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/api_fuzzing_ci_configuration.query.graphql
-  - ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/create_api_fuzzing_configuration.mutation.graphql
+  - ee/app/assets/javascripts/security_configuration/graphql/configure_iac.mutation.graphql
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@ -16752,6 +16752,7 @@ Size of UI component in SAST configuration page.
 | <a id="securityreporttypeenumdast"></a>`DAST` | DAST scan report. |
 | <a id="securityreporttypeenumdependency_scanning"></a>`DEPENDENCY_SCANNING` | DEPENDENCY SCANNING scan report. |
 | <a id="securityreporttypeenumsast"></a>`SAST` | SAST scan report. |
+| <a id="securityreporttypeenumsast_iac"></a>`SAST_IAC` | SAST IAC scan report. |
 | <a id="securityreporttypeenumsecret_detection"></a>`SECRET_DETECTION` | SECRET DETECTION scan report. |

 ### `SecurityScannerType`
@ -16767,6 +16768,7 @@ The type of the security scanner.
 | <a id="securityscannertypedast"></a>`DAST` | DAST scanner. |
 | <a id="securityscannertypedependency_scanning"></a>`DEPENDENCY_SCANNING` | Dependency Scanning scanner. |
 | <a id="securityscannertypesast"></a>`SAST` | SAST scanner. |
+| <a id="securityscannertypesast_iac"></a>`SAST_IAC` | Sast Iac scanner. |
 | <a id="securityscannertypesecret_detection"></a>`SECRET_DETECTION` | Secret Detection scanner. |

 ### `SentryErrorStatus`
--- a/ee/app/assets/javascripts/security_configuration/components/constants.js
+++ b/ee/app/assets/javascripts/security_configuration/components/constants.js
@ -1,6 +1,10 @@
 import { s__ } from '~/locale';
 import { featureToMutationMap as featureToMutationMapCE } from '~/security_configuration/components/constants';
-import { REPORT_TYPE_DEPENDENCY_SCANNING } from '~/vue_shared/security_reports/constants';
+import {
+  REPORT_TYPE_SAST_IAC,
+  REPORT_TYPE_DEPENDENCY_SCANNING,
+} from '~/vue_shared/security_reports/constants';
+import configureSastIacMutation from '../graphql/configure_iac.mutation.graphql';
 import configureDependencyScanningMutation from '../graphql/configure_dependency_scanning.mutation.graphql';

 export const SMALL = 'SMALL';
@ -21,6 +25,21 @@ export const CUSTOM_VALUE_MESSAGE = s__(

 export const featureToMutationMap = {
  ...featureToMutationMapCE,
+  ...(gon?.features?.configureIacScanningViaMr
+    ? {
+        [REPORT_TYPE_SAST_IAC]: {
+          mutationId: 'configureSastIac',
+          getMutationPayload: (projectPath) => ({
+            mutation: configureSastIacMutation,
+            variables: {
+              input: {
+                projectPath,
+              },
+            },
+          }),
+        },
+      }
+    : {}),
  [REPORT_TYPE_DEPENDENCY_SCANNING]: {
    mutationId: 'configureDependencyScanning',
    getMutationPayload: (projectPath) => ({
--- a/ee/app/assets/javascripts/security_configuration/graphql/configure_iac.mutation.graphql
+++ b/ee/app/assets/javascripts/security_configuration/graphql/configure_iac.mutation.graphql
@ -0,0 +1,6 @@
+mutation configureSastIac($input: ConfigureSastIacInput!) {
+  configureSastIac(input: $input) {
+    successPath
+    errors
+  }
+}
--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@ -184,6 +184,7 @@ class License < ApplicationRecord
    report_approver_rules
    requirements
    sast
+    sast_iac
    sast_custom_rulesets
    sast_fp_reduction
    secret_detection
--- a/ee/lib/ee/gitlab/gon_helper.rb
+++ b/ee/lib/ee/gitlab/gon_helper.rb
@ -15,6 +15,8 @@ def add_gon_variables
          gon.subscriptions_url = ::Gitlab::SubscriptionPortal::SUBSCRIPTIONS_URL
          gon.payment_form_url  = ::Gitlab::SubscriptionPortal::PAYMENT_FORM_URL
        end
+
+        push_frontend_feature_flag(:configure_iac_scanning_via_mr, current_user, default_enabled: :yaml)
      end

      # Exposes if a licensed feature is available.
--- a/ee/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/configuration_controller_spec.rb
@ -62,7 +62,7 @@
      it 'responds in json format when requested' do
        get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }

-        types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
+        types = %w(sast sast_iac dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)

        expect(response).to have_gitlab_http_status(:ok)
        expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
--- a/ee/spec/features/projects/security/user_views_security_configuration_spec.rb
+++ b/ee/spec/features/projects/security/user_views_security_configuration_spec.rb
@ -84,7 +84,7 @@ def within_sast_card
  end

  def within_dast_card
-    within '[data-testid="security-testing-card"]:nth-of-type(2)' do
+    within '[data-testid="security-testing-card"]:nth-of-type(3)' do
      yield
    end
  end
--- a/ee/spec/graphql/types/security_scanner_type_enum_spec.rb
+++ b/ee/spec/graphql/types/security_scanner_type_enum_spec.rb
@ -4,6 +4,6 @@

 RSpec.describe GitlabSchema.types['SecurityScannerType'] do
  it 'exposes all security scanner types' do
-    expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SECRET_DETECTION])
+    expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SAST_IAC SECRET_DETECTION])
  end
 end
--- a/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
+++ b/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
@ -83,6 +83,7 @@
        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
          security_scan(:dast, configured: true),
          security_scan(:sast, configured: true),
+          security_scan(:sast_iac, configured: false),
          security_scan(:container_scanning, configured: false),
          security_scan(:cluster_image_scanning, configured: false),
          security_scan(:dependency_scanning, configured: false),
@ -113,6 +114,7 @@
        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
          security_scan(:dast, configured: false),
          security_scan(:sast, configured: false),
+          security_scan(:sast_iac, configured: false),
          security_scan(:container_scanning, configured: false),
          security_scan(:cluster_image_scanning, configured: false),
          security_scan(:dependency_scanning, configured: false),
@ -143,6 +145,7 @@
        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
          security_scan(:dast, configured: false),
          security_scan(:sast, configured: false),
+          security_scan(:sast_iac, configured: false),
          security_scan(:container_scanning, configured: false),
          security_scan(:cluster_image_scanning, configured: false),
          security_scan(:dependency_scanning, configured: false),
@ -169,6 +172,7 @@
        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
          security_scan(:dast, configured: false),
          security_scan(:sast, configured: false),
+          security_scan(:sast_iac, configured: false),
          security_scan(:container_scanning, configured: false),
          security_scan(:cluster_image_scanning, configured: false),
          security_scan(:dependency_scanning, configured: false),
@ -203,6 +207,7 @@
          security_scan(:dast, configured: true),
          security_scan(:dast_profiles, configured: true),
          security_scan(:sast, configured: true),
+          security_scan(:sast_iac, configured: false),
          security_scan(:container_scanning, configured: false),
          security_scan(:cluster_image_scanning, configured: false),
          security_scan(:dependency_scanning, configured: false),
@ -228,6 +233,7 @@
          security_scan(:dast, configured: false),
          security_scan(:dast_profiles, configured: true),
          security_scan(:sast, configured: true),
+          security_scan(:sast_iac, configured: false),
          security_scan(:container_scanning, configured: false),
          security_scan(:cluster_image_scanning, configured: false),
          security_scan(:dependency_scanning, configured: false),
@ -246,6 +252,7 @@
          security_scan(:dast, configured: true),
          security_scan(:dast_profiles, configured: true),
          security_scan(:sast, configured: true),
+          security_scan(:sast_iac, configured: false),
          security_scan(:container_scanning, configured: false),
          security_scan(:cluster_image_scanning, configured: false),
          security_scan(:dependency_scanning, configured: false),
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@ -3927,6 +3927,9 @@ msgstr ""
 msgid "Analyze your dependencies for known vulnerabilities."
 msgstr ""

+msgid "Analyze your infrastructure as code configuration files for known vulnerabilities."
+msgstr ""
+
 msgid "Analyze your source code and git history for secrets."
 msgstr ""

@ -18288,6 +18291,9 @@ msgstr ""
 msgid "Infrastructure Registry"
 msgstr ""

+msgid "Infrastructure as Code (IaC) Scanning"
+msgstr ""
+
 msgid "InfrastructureRegistry|Copy Terraform Command"
 msgstr ""

@ -40385,6 +40391,9 @@ msgstr ""
 msgid "ciReport|Found %{issuesWithCount}"
 msgstr ""

+msgid "ciReport|IaC Scanning"
+msgstr ""
+
 msgid "ciReport|Investigate this vulnerability by creating an issue"
 msgstr ""