Commit 6749959d authored by Ezekiel Kigbo's avatar Ezekiel Kigbo

Merge branch '343851-iac-configure-via-mr' into 'master'

Add IaC scanning to Security Configuration page

See merge request gitlab-org/gitlab!73155
parents 1c1a006d 2a3c1c59
...@@ -3,6 +3,7 @@ import { __, s__ } from '~/locale'; ...@@ -3,6 +3,7 @@ import { __, s__ } from '~/locale';
import { import {
REPORT_TYPE_SAST, REPORT_TYPE_SAST,
REPORT_TYPE_SAST_IAC,
REPORT_TYPE_DAST, REPORT_TYPE_DAST,
REPORT_TYPE_DAST_PROFILES, REPORT_TYPE_DAST_PROFILES,
REPORT_TYPE_SECRET_DETECTION, REPORT_TYPE_SECRET_DETECTION,
...@@ -30,6 +31,16 @@ export const SAST_CONFIG_HELP_PATH = helpPagePath('user/application_security/sas ...@@ -30,6 +31,16 @@ export const SAST_CONFIG_HELP_PATH = helpPagePath('user/application_security/sas
anchor: 'configuration', anchor: 'configuration',
}); });
export const SAST_IAC_NAME = __('Infrastructure as Code (IaC) Scanning');
export const SAST_IAC_SHORT_NAME = s__('ciReport|IaC Scanning');
export const SAST_IAC_DESCRIPTION = __(
'Analyze your infrastructure as code configuration files for known vulnerabilities.',
);
export const SAST_IAC_HELP_PATH = helpPagePath('user/application_security/sast/index');
export const SAST_IAC_CONFIG_HELP_PATH = helpPagePath('user/application_security/sast/index', {
anchor: 'configuration',
});
export const DAST_NAME = __('Dynamic Application Security Testing (DAST)'); export const DAST_NAME = __('Dynamic Application Security Testing (DAST)');
export const DAST_SHORT_NAME = s__('ciReport|DAST'); export const DAST_SHORT_NAME = s__('ciReport|DAST');
export const DAST_DESCRIPTION = __('Analyze a review version of your web application.'); export const DAST_DESCRIPTION = __('Analyze a review version of your web application.');
...@@ -141,6 +152,22 @@ export const securityFeatures = [ ...@@ -141,6 +152,22 @@ export const securityFeatures = [
// https://gitlab.com/gitlab-org/gitlab/-/issues/331621 // https://gitlab.com/gitlab-org/gitlab/-/issues/331621
canEnableByMergeRequest: true, canEnableByMergeRequest: true,
}, },
...(gon?.features?.configureIacScanningViaMr
? [
{
name: SAST_IAC_NAME,
shortName: SAST_IAC_SHORT_NAME,
description: SAST_IAC_DESCRIPTION,
helpPath: SAST_IAC_HELP_PATH,
configurationHelpPath: SAST_IAC_CONFIG_HELP_PATH,
type: REPORT_TYPE_SAST_IAC,
// This field will eventually come from the backend, the progress is
// tracked in https://gitlab.com/gitlab-org/gitlab/-/issues/331621
canEnableByMergeRequest: true,
},
]
: []),
{ {
name: DAST_NAME, name: DAST_NAME,
shortName: DAST_SHORT_NAME, shortName: DAST_SHORT_NAME,
......
...@@ -17,6 +17,7 @@ export const REPORT_FILE_TYPES = { ...@@ -17,6 +17,7 @@ export const REPORT_FILE_TYPES = {
* Security scan report types, as provided by the backend. * Security scan report types, as provided by the backend.
*/ */
export const REPORT_TYPE_SAST = 'sast'; export const REPORT_TYPE_SAST = 'sast';
export const REPORT_TYPE_SAST_IAC = 'sast_iac';
export const REPORT_TYPE_DAST = 'dast'; export const REPORT_TYPE_DAST = 'dast';
export const REPORT_TYPE_DAST_PROFILES = 'dast_profiles'; export const REPORT_TYPE_DAST_PROFILES = 'dast_profiles';
export const REPORT_TYPE_SECRET_DETECTION = 'secret_detection'; export const REPORT_TYPE_SECRET_DETECTION = 'secret_detection';
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
module Security module Security
class SecurityJobsFinder < JobsFinder class SecurityJobsFinder < JobsFinder
def self.allowed_job_types def self.allowed_job_types
[:sast, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning] [:sast, :sast_iac, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
end end
end end
end end
---
name: configure_iac_scanning_via_mr
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73155
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/343966
milestone: '14.5'
type: development
group: group::static analysis
default_enabled: false
--- ---
filenames: filenames:
- ee/app/assets/javascripts/oncall_schedules/graphql/mutations/update_oncall_schedule_rotation.mutation.graphql - ee/app/assets/javascripts/oncall_schedules/graphql/mutations/update_oncall_schedule_rotation.mutation.graphql
- ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/api_fuzzing_ci_configuration.query.graphql - ee/app/assets/javascripts/security_configuration/graphql/configure_iac.mutation.graphql
- ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/create_api_fuzzing_configuration.mutation.graphql
...@@ -16755,6 +16755,7 @@ Size of UI component in SAST configuration page. ...@@ -16755,6 +16755,7 @@ Size of UI component in SAST configuration page.
| <a id="securityreporttypeenumdast"></a>`DAST` | DAST scan report. | | <a id="securityreporttypeenumdast"></a>`DAST` | DAST scan report. |
| <a id="securityreporttypeenumdependency_scanning"></a>`DEPENDENCY_SCANNING` | DEPENDENCY SCANNING scan report. | | <a id="securityreporttypeenumdependency_scanning"></a>`DEPENDENCY_SCANNING` | DEPENDENCY SCANNING scan report. |
| <a id="securityreporttypeenumsast"></a>`SAST` | SAST scan report. | | <a id="securityreporttypeenumsast"></a>`SAST` | SAST scan report. |
| <a id="securityreporttypeenumsast_iac"></a>`SAST_IAC` | SAST IAC scan report. |
| <a id="securityreporttypeenumsecret_detection"></a>`SECRET_DETECTION` | SECRET DETECTION scan report. | | <a id="securityreporttypeenumsecret_detection"></a>`SECRET_DETECTION` | SECRET DETECTION scan report. |
### `SecurityScannerType` ### `SecurityScannerType`
...@@ -16770,6 +16771,7 @@ The type of the security scanner. ...@@ -16770,6 +16771,7 @@ The type of the security scanner.
| <a id="securityscannertypedast"></a>`DAST` | DAST scanner. | | <a id="securityscannertypedast"></a>`DAST` | DAST scanner. |
| <a id="securityscannertypedependency_scanning"></a>`DEPENDENCY_SCANNING` | Dependency Scanning scanner. | | <a id="securityscannertypedependency_scanning"></a>`DEPENDENCY_SCANNING` | Dependency Scanning scanner. |
| <a id="securityscannertypesast"></a>`SAST` | SAST scanner. | | <a id="securityscannertypesast"></a>`SAST` | SAST scanner. |
| <a id="securityscannertypesast_iac"></a>`SAST_IAC` | Sast Iac scanner. |
| <a id="securityscannertypesecret_detection"></a>`SECRET_DETECTION` | Secret Detection scanner. | | <a id="securityscannertypesecret_detection"></a>`SECRET_DETECTION` | Secret Detection scanner. |
### `SentryErrorStatus` ### `SentryErrorStatus`
......
import { s__ } from '~/locale'; import { s__ } from '~/locale';
import { featureToMutationMap as featureToMutationMapCE } from '~/security_configuration/components/constants'; import { featureToMutationMap as featureToMutationMapCE } from '~/security_configuration/components/constants';
import { REPORT_TYPE_DEPENDENCY_SCANNING } from '~/vue_shared/security_reports/constants'; import {
REPORT_TYPE_SAST_IAC,
REPORT_TYPE_DEPENDENCY_SCANNING,
} from '~/vue_shared/security_reports/constants';
import configureSastIacMutation from '../graphql/configure_iac.mutation.graphql';
import configureDependencyScanningMutation from '../graphql/configure_dependency_scanning.mutation.graphql'; import configureDependencyScanningMutation from '../graphql/configure_dependency_scanning.mutation.graphql';
export const SMALL = 'SMALL'; export const SMALL = 'SMALL';
...@@ -21,6 +25,21 @@ export const CUSTOM_VALUE_MESSAGE = s__( ...@@ -21,6 +25,21 @@ export const CUSTOM_VALUE_MESSAGE = s__(
export const featureToMutationMap = { export const featureToMutationMap = {
...featureToMutationMapCE, ...featureToMutationMapCE,
...(gon?.features?.configureIacScanningViaMr
? {
[REPORT_TYPE_SAST_IAC]: {
mutationId: 'configureSastIac',
getMutationPayload: (projectPath) => ({
mutation: configureSastIacMutation,
variables: {
input: {
projectPath,
},
},
}),
},
}
: {}),
[REPORT_TYPE_DEPENDENCY_SCANNING]: { [REPORT_TYPE_DEPENDENCY_SCANNING]: {
mutationId: 'configureDependencyScanning', mutationId: 'configureDependencyScanning',
getMutationPayload: (projectPath) => ({ getMutationPayload: (projectPath) => ({
......
mutation configureSastIac($input: ConfigureSastIacInput!) {
configureSastIac(input: $input) {
successPath
errors
}
}
...@@ -185,6 +185,7 @@ class License < ApplicationRecord ...@@ -185,6 +185,7 @@ class License < ApplicationRecord
report_approver_rules report_approver_rules
requirements requirements
sast sast
sast_iac
sast_custom_rulesets sast_custom_rulesets
sast_fp_reduction sast_fp_reduction
secret_detection secret_detection
......
...@@ -15,6 +15,8 @@ module EE ...@@ -15,6 +15,8 @@ module EE
gon.subscriptions_url = ::Gitlab::SubscriptionPortal::SUBSCRIPTIONS_URL gon.subscriptions_url = ::Gitlab::SubscriptionPortal::SUBSCRIPTIONS_URL
gon.payment_form_url = ::Gitlab::SubscriptionPortal::PAYMENT_FORM_URL gon.payment_form_url = ::Gitlab::SubscriptionPortal::PAYMENT_FORM_URL
end end
push_frontend_feature_flag(:configure_iac_scanning_via_mr, current_user, default_enabled: :yaml)
end end
# Exposes if a licensed feature is available. # Exposes if a licensed feature is available.
......
...@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do ...@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do
it 'responds in json format when requested' do it 'responds in json format when requested' do
get :show, params: { namespace_id: project.namespace, project_id: project, format: :json } get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management) types = %w(sast sast_iac dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response['features'].map { |f| f['type'] }).to match_array(types) expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
......
...@@ -17,7 +17,7 @@ RSpec.describe 'User sees Security Configuration table', :js do ...@@ -17,7 +17,7 @@ RSpec.describe 'User sees Security Configuration table', :js do
context 'with security_dashboard feature available' do context 'with security_dashboard feature available' do
before do before do
stub_licensed_features(security_dashboard: true, sast: true, dast: true) stub_licensed_features(security_dashboard: true, sast: true, sast_iac: true, dast: true)
end end
context 'with no SAST report' do context 'with no SAST report' do
...@@ -48,6 +48,23 @@ RSpec.describe 'User sees Security Configuration table', :js do ...@@ -48,6 +48,23 @@ RSpec.describe 'User sees Security Configuration table', :js do
end end
end end
context 'enabling SAST IaC' do
it 'redirects to new MR page' do
visit(project_security_configuration_path(project))
within_sast_iac_card do
expect(page).to have_text('Infrastructure as Code (IaC) Scanning')
expect(page).to have_text('Not enabled')
expect(page).to have_button('Configure via Merge Request')
click_button 'Configure via Merge Request'
wait_for_requests
expect(current_path).to eq(project_new_merge_request_path(project))
end
end
end
context 'with no DAST report' do context 'with no DAST report' do
it 'shows DAST is not enabled' do it 'shows DAST is not enabled' do
visit(project_security_configuration_path(project)) visit(project_security_configuration_path(project))
...@@ -74,6 +91,24 @@ RSpec.describe 'User sees Security Configuration table', :js do ...@@ -74,6 +91,24 @@ RSpec.describe 'User sees Security Configuration table', :js do
expect(page).to have_link('Configure DAST') expect(page).to have_link('Configure DAST')
end end
end end
context 'with configure_iac_scanning_via_mr feature flag off' do
before do
stub_feature_flags(configure_iac_scanning_via_mr: false)
end
it 'shows DAST card at the second position and no IaC Scanning card' do
visit(project_security_configuration_path(project))
within '[data-testid="security-testing-card"]:nth-of-type(2)' do
expect(page).to have_text('DAST')
expect(page).to have_text('Enabled')
expect(page).to have_link('Configure DAST')
end
expect(page).not_to have_text('Infrastructure as Code (IaC) Scanning')
end
end
end end
end end
...@@ -83,9 +118,15 @@ RSpec.describe 'User sees Security Configuration table', :js do ...@@ -83,9 +118,15 @@ RSpec.describe 'User sees Security Configuration table', :js do
end end
end end
def within_dast_card def within_sast_iac_card
within '[data-testid="security-testing-card"]:nth-of-type(2)' do within '[data-testid="security-testing-card"]:nth-of-type(2)' do
yield yield
end end
end end
def within_dast_card
within '[data-testid="security-testing-card"]:nth-of-type(3)' do
yield
end
end
end end
...@@ -4,6 +4,6 @@ require 'spec_helper' ...@@ -4,6 +4,6 @@ require 'spec_helper'
RSpec.describe GitlabSchema.types['SecurityScannerType'] do RSpec.describe GitlabSchema.types['SecurityScannerType'] do
it 'exposes all security scanner types' do it 'exposes all security scanner types' do
expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SECRET_DETECTION]) expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SAST_IAC SECRET_DETECTION])
end end
end end
...@@ -83,6 +83,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -83,6 +83,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly( expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: true), security_scan(:dast, configured: true),
security_scan(:sast, configured: true), security_scan(:sast, configured: true),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false), security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false), security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false), security_scan(:dependency_scanning, configured: false),
...@@ -113,6 +114,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -113,6 +114,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly( expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false), security_scan(:dast, configured: false),
security_scan(:sast, configured: false), security_scan(:sast, configured: false),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false), security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false), security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false), security_scan(:dependency_scanning, configured: false),
...@@ -143,6 +145,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -143,6 +145,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly( expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false), security_scan(:dast, configured: false),
security_scan(:sast, configured: false), security_scan(:sast, configured: false),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false), security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false), security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false), security_scan(:dependency_scanning, configured: false),
...@@ -169,6 +172,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -169,6 +172,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly( expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false), security_scan(:dast, configured: false),
security_scan(:sast, configured: false), security_scan(:sast, configured: false),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false), security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false), security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false), security_scan(:dependency_scanning, configured: false),
...@@ -203,6 +207,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -203,6 +207,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:dast, configured: true), security_scan(:dast, configured: true),
security_scan(:dast_profiles, configured: true), security_scan(:dast_profiles, configured: true),
security_scan(:sast, configured: true), security_scan(:sast, configured: true),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false), security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false), security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false), security_scan(:dependency_scanning, configured: false),
...@@ -228,6 +233,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -228,6 +233,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:dast, configured: false), security_scan(:dast, configured: false),
security_scan(:dast_profiles, configured: true), security_scan(:dast_profiles, configured: true),
security_scan(:sast, configured: true), security_scan(:sast, configured: true),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false), security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false), security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false), security_scan(:dependency_scanning, configured: false),
...@@ -246,6 +252,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -246,6 +252,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:dast, configured: true), security_scan(:dast, configured: true),
security_scan(:dast_profiles, configured: true), security_scan(:dast_profiles, configured: true),
security_scan(:sast, configured: true), security_scan(:sast, configured: true),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false), security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false), security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false), security_scan(:dependency_scanning, configured: false),
......
...@@ -3929,6 +3929,9 @@ msgstr "" ...@@ -3929,6 +3929,9 @@ msgstr ""
msgid "Analyze your dependencies for known vulnerabilities." msgid "Analyze your dependencies for known vulnerabilities."
msgstr "" msgstr ""
msgid "Analyze your infrastructure as code configuration files for known vulnerabilities."
msgstr ""
msgid "Analyze your source code and git history for secrets." msgid "Analyze your source code and git history for secrets."
msgstr "" msgstr ""
...@@ -18326,6 +18329,9 @@ msgstr "" ...@@ -18326,6 +18329,9 @@ msgstr ""
msgid "Infrastructure Registry" msgid "Infrastructure Registry"
msgstr "" msgstr ""
msgid "Infrastructure as Code (IaC) Scanning"
msgstr ""
msgid "InfrastructureRegistry|Copy Terraform Command" msgid "InfrastructureRegistry|Copy Terraform Command"
msgstr "" msgstr ""
...@@ -40423,6 +40429,9 @@ msgstr "" ...@@ -40423,6 +40429,9 @@ msgstr ""
msgid "ciReport|Found %{issuesWithCount}" msgid "ciReport|Found %{issuesWithCount}"
msgstr "" msgstr ""
msgid "ciReport|IaC Scanning"
msgstr ""
msgid "ciReport|Investigate this vulnerability by creating an issue" msgid "ciReport|Investigate this vulnerability by creating an issue"
msgstr "" msgstr ""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment