Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
b7e3049d
Commit
b7e3049d
authored
Mar 31, 2021
by
Can Eldem
Committed by
Markus Koller
Mar 31, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Limit security policy to a file
Allow only 5 policy to be enabled
parent
2516aeb2
Changes
3
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
215 additions
and
137 deletions
+215
-137
ee/app/models/security/orchestration_policy_configuration.rb
ee/app/models/security/orchestration_policy_configuration.rb
+14
-12
ee/spec/fixtures/security_orchestration.yml
ee/spec/fixtures/security_orchestration.yml
+77
-0
ee/spec/models/security/orchestration_policy_configuration_spec.rb
...odels/security/orchestration_policy_configuration_spec.rb
+124
-125
No files found.
ee/app/models/security/orchestration_policy_configuration.rb
View file @
b7e3049d
...
...
@@ -6,7 +6,8 @@ module Security
self
.
table_name
=
'security_orchestration_policy_configurations'
POLICIES_BASE_PATH
=
'.gitlab/security-policies/'
POLICY_PATH
=
'.gitlab/security-policies/policy.yml'
POLICY_LIMIT
=
5
ON_DEMAND_SCANS
=
%w[dast]
.
freeze
...
...
@@ -23,12 +24,7 @@ module Security
def
active_policies
return
[]
unless
enabled?
security_policy_management_project
.
repository
.
ls_files
(
security_policy_management_project
.
default_branch_or_master
)
.
grep
(
/\A
#{
Regexp
.
escape
(
POLICIES_BASE_PATH
)
}
.+\.(yml|yaml)\z/
)
.
map
{
|
path
|
policy_at
(
path
)
}
.
select
{
|
config
|
config
[
:enabled
]
}
scan_execution_policy_at
(
POLICY_PATH
).
select
{
|
config
|
config
[
:enabled
]
}.
first
(
POLICY_LIMIT
)
end
def
on_demand_scan_actions
(
branch
)
...
...
@@ -48,6 +44,14 @@ module Security
private
def
policy_repo
security_policy_management_project
.
repository
end
def
default_branch_or_master
security_policy_management_project
.
default_branch_or_master
end
def
active_policy_names_with_dast_profiles
strong_memoize
(
:active_policy_names_with_dast_profiles
)
do
profiles
=
{
site_profiles:
Hash
.
new
{
Set
.
new
},
scanner_profiles:
Hash
.
new
{
Set
.
new
}
}
...
...
@@ -65,11 +69,9 @@ module Security
end
end
def
policy_at
(
path
)
security_policy_management_project
.
repository
.
blob_data_at
(
security_policy_management_project
.
default_branch_or_master
,
path
)
.
then
{
|
config
|
Gitlab
::
Config
::
Loader
::
Yaml
.
new
(
config
).
load!
}
def
scan_execution_policy_at
(
path
)
policy_repo
.
blob_data_at
(
default_branch_or_master
,
path
)
.
then
{
|
config
|
Gitlab
::
Config
::
Loader
::
Yaml
.
new
(
config
).
load!
.
fetch
(
:scan_execution_policy
,
[])
}
end
def
applicable_for_branch?
(
policy
,
ref
)
...
...
ee/spec/fixtures/security_orchestration.yml
0 → 100644
View file @
b7e3049d
scan_execution_policy
:
-
name
:
Run DAST in every pipeline
description
:
This policy enforces to run DAST for every pipeline within the project
enabled
:
true
rules
:
-
type
:
pipeline
branches
:
-
"
production"
actions
:
-
scan
:
dast
site_profile
:
Site Profile
scanner_profile
:
Scanner Profile
-
name
:
Run DAST in every pipeline_v1
description
:
This policy enforces to run DAST for every pipeline within the project
enabled
:
true
rules
:
-
type
:
pipeline
branches
:
-
"
master"
actions
:
-
scan
:
dast
site_profile
:
Site Profile
scanner_profile
:
Scanner Profile
-
name
:
Disabled policy
description
:
This policy is disabled
enabled
:
false
rules
:
[]
actions
:
[]
-
name
:
Disabled policy_v2
description
:
This policy is disabled v2
enabled
:
false
rules
:
[]
actions
:
[]
-
name
:
Run DAST in every pipeline_v3
description
:
This policy enforces to run DAST for every pipeline within the project
enabled
:
true
rules
:
-
type
:
pipeline
branches
:
-
"
master"
actions
:
-
scan
:
dast
site_profile
:
Site Profile
scanner_profile
:
Scanner Profile
-
name
:
Run DAST in every pipeline_v4
description
:
This policy enforces to run DAST for every pipeline within the project
enabled
:
true
rules
:
-
type
:
pipeline
branches
:
-
"
master"
actions
:
-
scan
:
dast
site_profile
:
Site Profile
scanner_profile
:
Scanner Profile
-
name
:
Run DAST in every pipeline_v5
description
:
This policy enforces to run DAST for every pipeline within the project
enabled
:
true
rules
:
-
type
:
pipeline
branches
:
-
"
master"
actions
:
-
scan
:
dast
site_profile
:
Site Profile
scanner_profile
:
Scanner Profile
-
name
:
Run DAST in every pipeline_v6
description
:
This policy enforces to run DAST for every pipeline within the project
enabled
:
true
rules
:
-
type
:
pipeline
branches
:
-
"
master"
actions
:
-
scan
:
dast
site_profile
:
Site Profile
scanner_profile
:
Scanner Profile
\ No newline at end of file
ee/spec/models/security/orchestration_policy_configuration_spec.rb
View file @
b7e3049d
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment