Merge branch '343851-iac-configure-via-mr' into 'master'

Add IaC scanning to Security Configuration page

See merge request gitlab-org/gitlab!73155

app/assets/javascripts/security_configuration/components/constants.js

@@ -3,6 +3,7 @@ import { __, s__ } from '~/locale';
 
 import {
   REPORT_TYPE_SAST,
+  REPORT_TYPE_SAST_IAC,
   REPORT_TYPE_DAST,
   REPORT_TYPE_DAST_PROFILES,
   REPORT_TYPE_SECRET_DETECTION,
@@ -30,6 +31,16 @@ export const SAST_CONFIG_HELP_PATH = helpPagePath('user/application_security/sas
   anchor: 'configuration',
 });
 
+export const SAST_IAC_NAME = __('Infrastructure as Code (IaC) Scanning');
+export const SAST_IAC_SHORT_NAME = s__('ciReport|IaC Scanning');
+export const SAST_IAC_DESCRIPTION = __(
+  'Analyze your infrastructure as code configuration files for known vulnerabilities.',
+);
+export const SAST_IAC_HELP_PATH = helpPagePath('user/application_security/sast/index');
+export const SAST_IAC_CONFIG_HELP_PATH = helpPagePath('user/application_security/sast/index', {
+  anchor: 'configuration',
+});
+
 export const DAST_NAME = __('Dynamic Application Security Testing (DAST)');
 export const DAST_SHORT_NAME = s__('ciReport|DAST');
 export const DAST_DESCRIPTION = __('Analyze a review version of your web application.');
@@ -141,6 +152,22 @@ export const securityFeatures = [
     // https://gitlab.com/gitlab-org/gitlab/-/issues/331621
     canEnableByMergeRequest: true,
   },
+  ...(gon?.features?.configureIacScanningViaMr
+    ? [
+        {
+          name: SAST_IAC_NAME,
+          shortName: SAST_IAC_SHORT_NAME,
+          description: SAST_IAC_DESCRIPTION,
+          helpPath: SAST_IAC_HELP_PATH,
+          configurationHelpPath: SAST_IAC_CONFIG_HELP_PATH,
+          type: REPORT_TYPE_SAST_IAC,
+
+          // This field will eventually come from the backend, the progress is
+          // tracked in https://gitlab.com/gitlab-org/gitlab/-/issues/331621
+          canEnableByMergeRequest: true,
+        },
+      ]
+    : []),
   {
     name: DAST_NAME,
     shortName: DAST_SHORT_NAME,

app/assets/javascripts/vue_shared/security_reports/constants.js

@@ -17,6 +17,7 @@ export const REPORT_FILE_TYPES = {
  * Security scan report types, as provided by the backend.
  */
 export const REPORT_TYPE_SAST = 'sast';
+export const REPORT_TYPE_SAST_IAC = 'sast_iac';
 export const REPORT_TYPE_DAST = 'dast';
 export const REPORT_TYPE_DAST_PROFILES = 'dast_profiles';
 export const REPORT_TYPE_SECRET_DETECTION = 'secret_detection';

app/finders/security/security_jobs_finder.rb

@@ -13,7 +13,7 @@
 module Security
   class SecurityJobsFinder < JobsFinder
     def self.allowed_job_types
-      [:sast, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
+      [:sast, :sast_iac, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
     end
   end
 end

config/feature_flags/development/configure_iac_scanning_via_mr.yml

+---
+name: configure_iac_scanning_via_mr
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73155
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/343966
+milestone: '14.5'
+type: development
+group: group::static analysis
+default_enabled: false

config/known_invalid_graphql_queries.yml

 ---
 filenames:
   - ee/app/assets/javascripts/oncall_schedules/graphql/mutations/update_oncall_schedule_rotation.mutation.graphql
-  - ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/api_fuzzing_ci_configuration.query.graphql
-  - ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/create_api_fuzzing_configuration.mutation.graphql
+  - ee/app/assets/javascripts/security_configuration/graphql/configure_iac.mutation.graphql

doc/api/graphql/reference/index.md

@@ -16755,6 +16755,7 @@ Size of UI component in SAST configuration page.
 | <a id="securityreporttypeenumdast"></a>`DAST` | DAST scan report. |
 | <a id="securityreporttypeenumdependency_scanning"></a>`DEPENDENCY_SCANNING` | DEPENDENCY SCANNING scan report. |
 | <a id="securityreporttypeenumsast"></a>`SAST` | SAST scan report. |
+| <a id="securityreporttypeenumsast_iac"></a>`SAST_IAC` | SAST IAC scan report. |
 | <a id="securityreporttypeenumsecret_detection"></a>`SECRET_DETECTION` | SECRET DETECTION scan report. |
 
 ### `SecurityScannerType`
@@ -16770,6 +16771,7 @@ The type of the security scanner.
 | <a id="securityscannertypedast"></a>`DAST` | DAST scanner. |
 | <a id="securityscannertypedependency_scanning"></a>`DEPENDENCY_SCANNING` | Dependency Scanning scanner. |
 | <a id="securityscannertypesast"></a>`SAST` | SAST scanner. |
+| <a id="securityscannertypesast_iac"></a>`SAST_IAC` | Sast Iac scanner. |
 | <a id="securityscannertypesecret_detection"></a>`SECRET_DETECTION` | Secret Detection scanner. |
 
 ### `SentryErrorStatus`

ee/app/assets/javascripts/security_configuration/components/constants.js

 import { s__ } from '~/locale';
 import { featureToMutationMap as featureToMutationMapCE } from '~/security_configuration/components/constants';
-import { REPORT_TYPE_DEPENDENCY_SCANNING } from '~/vue_shared/security_reports/constants';
+import {
+  REPORT_TYPE_SAST_IAC,
+  REPORT_TYPE_DEPENDENCY_SCANNING,
+} from '~/vue_shared/security_reports/constants';
+import configureSastIacMutation from '../graphql/configure_iac.mutation.graphql';
 import configureDependencyScanningMutation from '../graphql/configure_dependency_scanning.mutation.graphql';
 
 export const SMALL = 'SMALL';
@@ -21,6 +25,21 @@ export const CUSTOM_VALUE_MESSAGE = s__(
 
 export const featureToMutationMap = {
   ...featureToMutationMapCE,
+  ...(gon?.features?.configureIacScanningViaMr
+    ? {
+        [REPORT_TYPE_SAST_IAC]: {
+          mutationId: 'configureSastIac',
+          getMutationPayload: (projectPath) => ({
+            mutation: configureSastIacMutation,
+            variables: {
+              input: {
+                projectPath,
+              },
+            },
+          }),
+        },
+      }
+    : {}),
   [REPORT_TYPE_DEPENDENCY_SCANNING]: {
     mutationId: 'configureDependencyScanning',
     getMutationPayload: (projectPath) => ({

ee/app/assets/javascripts/security_configuration/graphql/configure_iac.mutation.graphql

+mutation configureSastIac($input: ConfigureSastIacInput!) {
+  configureSastIac(input: $input) {
+    successPath
+    errors
+  }
+}

ee/app/models/license.rb

@@ -185,6 +185,7 @@ class License < ApplicationRecord
     report_approver_rules
     requirements
     sast
+    sast_iac
     sast_custom_rulesets
     sast_fp_reduction
     secret_detection

ee/lib/ee/gitlab/gon_helper.rb

@@ -15,6 +15,8 @@ module EE
           gon.subscriptions_url = ::Gitlab::SubscriptionPortal::SUBSCRIPTIONS_URL
           gon.payment_form_url  = ::Gitlab::SubscriptionPortal::PAYMENT_FORM_URL
         end
+
+        push_frontend_feature_flag(:configure_iac_scanning_via_mr, current_user, default_enabled: :yaml)
       end
 
       # Exposes if a licensed feature is available.

ee/spec/controllers/projects/security/configuration_controller_spec.rb

@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do
       it 'responds in json format when requested' do
         get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
 
-        types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
+        types = %w(sast sast_iac dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
 
         expect(response).to have_gitlab_http_status(:ok)
         expect(json_response['features'].map { |f| f['type'] }).to match_array(types)

ee/spec/features/projects/security/user_views_security_configuration_spec.rb

@@ -17,7 +17,7 @@ RSpec.describe 'User sees Security Configuration table', :js do
 
   context 'with security_dashboard feature available' do
     before do
-      stub_licensed_features(security_dashboard: true, sast: true, dast: true)
+      stub_licensed_features(security_dashboard: true, sast: true, sast_iac: true, dast: true)
     end
 
     context 'with no SAST report' do
@@ -48,6 +48,23 @@ RSpec.describe 'User sees Security Configuration table', :js do
       end
     end
 
+    context 'enabling SAST IaC' do
+      it 'redirects to new MR page' do
+        visit(project_security_configuration_path(project))
+
+        within_sast_iac_card do
+          expect(page).to have_text('Infrastructure as Code (IaC) Scanning')
+          expect(page).to have_text('Not enabled')
+          expect(page).to have_button('Configure via Merge Request')
+
+          click_button 'Configure via Merge Request'
+          wait_for_requests
+
+          expect(current_path).to eq(project_new_merge_request_path(project))
+        end
+      end
+    end
+
     context 'with no DAST report' do
       it 'shows DAST is not enabled' do
         visit(project_security_configuration_path(project))
@@ -74,6 +91,24 @@ RSpec.describe 'User sees Security Configuration table', :js do
           expect(page).to have_link('Configure DAST')
         end
       end
+
+      context 'with configure_iac_scanning_via_mr feature flag off' do
+        before do
+          stub_feature_flags(configure_iac_scanning_via_mr: false)
+        end
+
+        it 'shows DAST card at the second position and no IaC Scanning card' do
+          visit(project_security_configuration_path(project))
+
+          within '[data-testid="security-testing-card"]:nth-of-type(2)' do
+            expect(page).to have_text('DAST')
+            expect(page).to have_text('Enabled')
+            expect(page).to have_link('Configure DAST')
+          end
+
+          expect(page).not_to have_text('Infrastructure as Code (IaC) Scanning')
+        end
+      end
     end
   end
 
@@ -83,9 +118,15 @@ RSpec.describe 'User sees Security Configuration table', :js do
     end
   end
 
-  def within_dast_card
+  def within_sast_iac_card
     within '[data-testid="security-testing-card"]:nth-of-type(2)' do
       yield
     end
   end
+
+  def within_dast_card
+    within '[data-testid="security-testing-card"]:nth-of-type(3)' do
+      yield
+    end
+  end
 end

ee/spec/graphql/types/security_scanner_type_enum_spec.rb

@@ -4,6 +4,6 @@ require 'spec_helper'
 
 RSpec.describe GitlabSchema.types['SecurityScannerType'] do
   it 'exposes all security scanner types' do
-    expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SECRET_DETECTION])
+    expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SAST_IAC SECRET_DETECTION])
   end
 end

ee/spec/presenters/projects/security/configuration_presenter_spec.rb

@@ -83,6 +83,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
         expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
           security_scan(:dast, configured: true),
           security_scan(:sast, configured: true),
+          security_scan(:sast_iac, configured: false),
           security_scan(:container_scanning, configured: false),
           security_scan(:cluster_image_scanning, configured: false),
           security_scan(:dependency_scanning, configured: false),
@@ -113,6 +114,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
         expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
           security_scan(:dast, configured: false),
           security_scan(:sast, configured: false),
+          security_scan(:sast_iac, configured: false),
           security_scan(:container_scanning, configured: false),
           security_scan(:cluster_image_scanning, configured: false),
           security_scan(:dependency_scanning, configured: false),
@@ -143,6 +145,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
         expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
           security_scan(:dast, configured: false),
           security_scan(:sast, configured: false),
+          security_scan(:sast_iac, configured: false),
           security_scan(:container_scanning, configured: false),
           security_scan(:cluster_image_scanning, configured: false),
           security_scan(:dependency_scanning, configured: false),
@@ -169,6 +172,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
         expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
           security_scan(:dast, configured: false),
           security_scan(:sast, configured: false),
+          security_scan(:sast_iac, configured: false),
           security_scan(:container_scanning, configured: false),
           security_scan(:cluster_image_scanning, configured: false),
           security_scan(:dependency_scanning, configured: false),
@@ -203,6 +207,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
           security_scan(:dast, configured: true),
           security_scan(:dast_profiles, configured: true),
           security_scan(:sast, configured: true),
+          security_scan(:sast_iac, configured: false),
           security_scan(:container_scanning, configured: false),
           security_scan(:cluster_image_scanning, configured: false),
           security_scan(:dependency_scanning, configured: false),
@@ -228,6 +233,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
           security_scan(:dast, configured: false),
           security_scan(:dast_profiles, configured: true),
           security_scan(:sast, configured: true),
+          security_scan(:sast_iac, configured: false),
           security_scan(:container_scanning, configured: false),
           security_scan(:cluster_image_scanning, configured: false),
           security_scan(:dependency_scanning, configured: false),
@@ -246,6 +252,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
           security_scan(:dast, configured: true),
           security_scan(:dast_profiles, configured: true),
           security_scan(:sast, configured: true),
+          security_scan(:sast_iac, configured: false),
           security_scan(:container_scanning, configured: false),
           security_scan(:cluster_image_scanning, configured: false),
           security_scan(:dependency_scanning, configured: false),

locale/gitlab.pot

@@ -3929,6 +3929,9 @@ msgstr ""
 msgid "Analyze your dependencies for known vulnerabilities."
 msgstr ""
 
+msgid "Analyze your infrastructure as code configuration files for known vulnerabilities."
+msgstr ""
+
 msgid "Analyze your source code and git history for secrets."
 msgstr ""
 
@@ -18326,6 +18329,9 @@ msgstr ""
 msgid "Infrastructure Registry"
 msgstr ""
 
+msgid "Infrastructure as Code (IaC) Scanning"
+msgstr ""
+
 msgid "InfrastructureRegistry|Copy Terraform Command"
 msgstr ""
 
@@ -40423,6 +40429,9 @@ msgstr ""
 msgid "ciReport|Found %{issuesWithCount}"
 msgstr ""
 
+msgid "ciReport|IaC Scanning"
+msgstr ""
+
 msgid "ciReport|Investigate this vulnerability by creating an issue"
 msgstr ""