Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
3035ec14
Commit
3035ec14
authored
Mar 22, 2021
by
Michael Eddington
Committed by
Jan Provaznik
Mar 22, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Update DAST CI template to include new DAST API analyzer
parent
da278bda
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
355 additions
and
0 deletions
+355
-0
ee/changelogs/unreleased/284683-add-peach-api-to-dast-tmplt.yml
...ngelogs/unreleased/284683-add-peach-api-to-dast-tmplt.yml
+5
-0
ee/spec/lib/gitlab/ci/templates/dast_latest_gitlab_ci_yaml_spec.rb
...ib/gitlab/ci/templates/dast_latest_gitlab_ci_yaml_spec.rb
+264
-0
lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
+86
-0
No files found.
ee/changelogs/unreleased/284683-add-peach-api-to-dast-tmplt.yml
0 → 100644
View file @
3035ec14
---
title
:
Beta version of DAST API scanner API Security
merge_request
:
51824
author
:
type
:
added
ee/spec/lib/gitlab/ci/templates/dast_latest_gitlab_ci_yaml_spec.rb
0 → 100644
View file @
3035ec14
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
shared_examples
'includes no jobs'
do
it
'includes no jobs'
do
expect
{
pipeline
}.
to
raise_error
(
Ci
::
CreatePipelineService
::
CreateError
,
'No stages / jobs for this pipeline.'
)
end
end
RSpec
.
shared_examples
'includes dast job'
do
it
'includes dast job'
do
expect
(
build_names
).
to
match_array
(
%w[dast]
)
end
end
RSpec
.
shared_examples
'includes dast_api job'
do
it
'includes dast_api job'
do
expect
(
build_names
).
to
match_array
(
%w[dast_api]
)
end
end
RSpec
.
describe
'DAST.latest.gitlab-ci.yml'
do
subject
(
:template
)
{
Gitlab
::
Template
::
GitlabCiYmlTemplate
.
find
(
'DAST.latest'
)
}
describe
'the created pipeline'
do
let
(
:default_branch
)
{
'master'
}
let
(
:pipeline_branch
)
{
default_branch
}
let
(
:project
)
{
create
(
:project
,
:custom_repo
,
files:
{
'README.txt'
=>
''
})
}
let
(
:user
)
{
project
.
owner
}
let
(
:service
)
{
Ci
::
CreatePipelineService
.
new
(
project
,
user
,
ref:
pipeline_branch
)
}
let
(
:pipeline
)
{
service
.
execute!
(
:push
)
}
let
(
:build_names
)
{
pipeline
.
builds
.
pluck
(
:name
)
}
let
(
:ci_pipeline_yaml
)
{
"stages: [
\"
dast
\"
]
\n
"
}
specify
{
expect
(
template
).
not_to
be_nil
}
context
'when ci yaml is just template'
do
before
do
stub_ci_pipeline_yaml_file
(
template
.
content
)
allow_next_instance_of
(
Ci
::
BuildScheduleWorker
)
do
|
worker
|
allow
(
worker
).
to
receive
(
:perform
).
and_return
(
true
)
end
allow
(
project
).
to
receive
(
:default_branch
).
and_return
(
default_branch
)
end
context
'when project has no license'
do
it
'includes no jobs'
do
expect
(
build_names
).
to
be_empty
end
end
end
context
'when stages includes dast'
do
before
do
stub_ci_pipeline_yaml_file
(
ci_pipeline_yaml
+
template
.
content
)
allow_next_instance_of
(
Ci
::
BuildScheduleWorker
)
do
|
worker
|
allow
(
worker
).
to
receive
(
:perform
).
and_return
(
true
)
end
allow
(
project
).
to
receive
(
:default_branch
).
and_return
(
default_branch
)
end
context
'when project has no license'
do
include_examples
'includes no jobs'
end
context
'when project has cluster'
do
let
(
:cluster
)
{
create
(
:cluster
,
:project
,
:provided_by_gcp
,
projects:
[
project
])
}
context
'by default'
do
before
do
allow
(
cluster
).
to
receive
(
:active?
).
and_return
(
true
)
end
include_examples
'includes no jobs'
end
context
'when project has Ultimate license'
do
let
(
:license
)
{
create
(
:license
,
plan:
License
::
ULTIMATE_PLAN
)
}
before
do
allow
(
License
).
to
receive
(
:current
).
and_return
(
license
)
allow
(
cluster
).
to
receive
(
:active?
).
and_return
(
true
)
end
context
'when no specification provided'
do
include_examples
'includes dast job'
end
end
end
context
'when cluster is not active'
do
context
'by default'
do
include_examples
'includes no jobs'
end
context
'when DAST_WEBSITE is present'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_WEBSITE'
,
value:
'http://example.com'
)
end
include_examples
'includes dast job'
end
context
'when DAST_API_SPECIFICATION is present'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_API_SPECIFICATION'
,
value:
'http://my.api/api-specification.yml'
)
end
include_examples
'includes dast job'
end
context
'when DAST_API_BETA=1'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_API_BETA'
,
value:
'1'
)
end
context
'when project has Ultimate license'
do
let
(
:license
)
{
create
(
:license
,
plan:
License
::
ULTIMATE_PLAN
)
}
before
do
allow
(
License
).
to
receive
(
:current
).
and_return
(
license
)
end
context
'when no specification provided'
do
include_examples
'includes no jobs'
end
context
'when DAST_DISABLED=1'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_DISABLED'
,
value:
'1'
)
end
include_examples
'includes no jobs'
end
context
'when DAST_WEBSITE is present'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_WEBSITE'
,
value:
'http://example.com'
)
end
include_examples
'includes dast job'
end
context
'when DAST_API_SPECIFICATION is present'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_API_SPECIFICATION'
,
value:
'http://my.api/api-specification.yml'
)
end
include_examples
'includes dast_api job'
end
context
'when DAST_WEBSITE and DAST_API_SPECIFICATION is present'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_WEBSITE'
,
value:
'http://example.com'
)
create
(
:ci_variable
,
project:
project
,
key:
'DAST_API_SPECIFICATION'
,
value:
'http://my.api/api-specification.yml'
)
end
it
'includes dast_api job'
do
expect
(
build_names
).
to
match_array
(
%w[dast_api]
)
end
end
context
'when DAST_API_OPENAPI is present'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_API_OPENAPI'
,
value:
'http://my.api/api-specification.yml'
)
end
include_examples
'includes dast_api job'
end
context
'when DAST_API_HAR is present'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_API_HAR'
,
value:
'http://my.api/api-specification.yml'
)
end
include_examples
'includes dast_api job'
end
context
'when DAST_API_POSTMAN_COLLECTION is present'
do
before
do
create
(
:ci_variable
,
project:
project
,
key:
'DAST_API_POSTMAN_COLLECTION'
,
value:
'http://my.api/api-specification.yml'
)
end
include_examples
'includes dast_api job'
end
end
end
context
'when project has Ultimate license'
do
let
(
:license
)
{
create
(
:license
,
plan:
License
::
ULTIMATE_PLAN
)
}
before
do
allow
(
License
).
to
receive
(
:current
).
and_return
(
license
)
end
context
'when project has cluster'
do
let
(
:cluster
)
{
create
(
:cluster
,
:project
,
:provided_by_gcp
,
projects:
[
project
])
}
context
'when DAST_DISABLED=1'
do
before
do
allow
(
cluster
).
to
receive
(
:active?
).
and_return
(
true
)
create
(
:ci_variable
,
project:
project
,
key:
'DAST_DISABLED'
,
value:
'1'
)
end
include_examples
'includes no jobs'
end
context
'when DAST_DISABLED_FOR_DEFAULT_BRANCH=1'
do
before
do
allow
(
cluster
).
to
receive
(
:active?
).
and_return
(
true
)
create
(
:ci_variable
,
project:
project
,
key:
'DAST_DISABLED_FOR_DEFAULT_BRANCH'
,
value:
'1'
)
end
context
'when on default branch'
do
include_examples
'includes no jobs'
end
context
'when on feature branch'
do
let
(
:pipeline_branch
)
{
'patch-1'
}
before
do
project
.
repository
.
create_branch
(
pipeline_branch
)
end
it
'includes dast job'
do
expect
(
build_names
).
to
match_array
(
%w[dast]
)
end
end
end
context
'when REVIEW_DISABLED=true'
do
before
do
allow
(
cluster
).
to
receive
(
:active?
).
and_return
(
true
)
create
(
:ci_variable
,
project:
project
,
key:
'REVIEW_DISABLED'
,
value:
'true'
)
end
context
'when on default branch'
do
include_examples
'includes dast job'
end
context
'when on feature branch'
do
let
(
:pipeline_branch
)
{
'patch-1'
}
before
do
project
.
repository
.
create_branch
(
pipeline_branch
)
end
include_examples
'includes no jobs'
end
end
end
end
end
end
end
end
lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml
View file @
3035ec14
...
...
@@ -9,6 +9,19 @@ variables:
# Setting this variable will affect all Security templates
# (SAST, Dependency Scanning, ...)
SECURE_ANALYZERS_PREFIX
:
"
registry.gitlab.com/gitlab-org/security-products/analyzers"
#
DAST_API_PROFILE
:
Full
DAST_API_VERSION
:
latest
DAST_API_CONFIG
:
.gitlab-dast-api.yml
DAST_API_TIMEOUT
:
30
DAST_API_REPORT
:
gl-dast-api-report.json
DAST_API_REPORT_ASSET_PATH
:
assets
#
# Wait up to 5 minutes for API Security and target url to become
# available (non 500 response to HTTP(s))
DAST_API_SERVICE_START_TIMEOUT
:
"
300"
#
DAST_API_IMAGE
:
registry.gitlab.com/gitlab-org/security-products/analyzers/api-fuzzing:${DAST_API_VERSION}-engine
dast
:
stage
:
dast
...
...
@@ -25,6 +38,11 @@ dast:
reports
:
dast
:
gl-dast-report.json
rules
:
-
if
:
$DAST_API_BETA && ( $DAST_API_SPECIFICATION ||
$DAST_API_OPENAPI ||
$DAST_API_POSTMAN_COLLECTION ||
$DAST_API_HAR )
when
:
never
-
if
:
$DAST_DISABLED
when
:
never
-
if
:
$DAST_DISABLED_FOR_DEFAULT_BRANCH &&
...
...
@@ -40,4 +58,72 @@ dast:
-
if
:
$CI_COMMIT_BRANCH &&
$DAST_WEBSITE
-
if
:
$CI_COMMIT_BRANCH &&
$DAST_API_BETA ==
null
&&
$DAST_API_SPECIFICATION
dast_api
:
stage
:
dast
image
:
name
:
$DAST_API_IMAGE
entrypoint
:
[
"
/bin/bash"
,
"
-l"
,
"
-c"
]
variables
:
API_SECURITY_MODE
:
DAST
DAST_API_NEW_REPORT
:
1
DAST_API_PROJECT
:
$CI_PROJECT_PATH
DAST_API_API
:
http://127.0.0.1:5000
DAST_API_LOG_SCANNER
:
gl-dast-api-scanner.log
TZ
:
America/Los_Angeles
allow_failure
:
true
rules
:
-
if
:
$DAST_API_BETA ==
null
when
:
never
-
if
:
$DAST_DISABLED
when
:
never
-
if
:
$DAST_DISABLED_FOR_DEFAULT_BRANCH &&
$CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
when
:
never
-
if
:
$CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME &&
$REVIEW_DISABLED &&
$DAST_API_SPECIFICATION ==
null
&&
$DAST_API_OPENAPI ==
null
&&
$DAST_API_POSTMAN_COLLECTION ==
null
&&
$DAST_API_HAR ==
null
when
:
never
-
if
:
$DAST_API_SPECIFICATION ==
null
&&
$DAST_API_OPENAPI ==
null
&&
$DAST_API_POSTMAN_COLLECTION ==
null
&&
$DAST_API_HAR ==
null
when
:
never
-
if
:
$CI_COMMIT_BRANCH &&
$GITLAB_FEATURES =~ /\bdast\b/
script
:
#
# Run user provided pre-script
-
sh -c "$DAST_API_PRE_SCRIPT"
#
# Make sure asset path exists
-
mkdir -p $DAST_API_REPORT_ASSET_PATH
#
# Start API Security background process
-
dotnet /peach/Peach.Web.dll &> $DAST_API_LOG_SCANNER &
-
APISEC_PID=$!
#
# Start scanning
-
worker-entry
#
# Run user provided post-script
-
sh -c "$DAST_API_POST_SCRIPT"
#
# Shutdown API Security
-
kill $APISEC_PID
-
wait $APISEC_PID
#
artifacts
:
when
:
always
paths
:
-
$DAST_API_REPORT_ASSET_PATH
-
$DAST_API_REPORT
-
$DAST_API_LOG_SCANNER
-
gl-*.log
reports
:
dast
:
$DAST_API_REPORT
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment