Merge branch 'move_mutation_for_mr_merge' into 'master'

[RUN AS-IF-FOSS] Move all the changes related to reading SAST Configuration to CE

See merge request gitlab-org/gitlab!51169

ee/app/graphql/types/ci_configuration/sast/analyzers_entity_input_type.rb → app/graphql/types/ci_configuration/sast/analyzers_entity_input_type.rb

@@ -9,13 +9,13 @@ module Types
         description 'Represents the analyzers entity in SAST CI configuration'
 
         argument :name, GraphQL::STRING_TYPE, required: true,
-          description: 'Name of analyzer'
+          description: 'Name of analyzer.'
 
         argument :enabled, GraphQL::BOOLEAN_TYPE, required: true,
-          description: 'State of the analyzer'
+          description: 'State of the analyzer.'
 
         argument :variables, [::Types::CiConfiguration::Sast::EntityInputType],
-          description: 'List of variables for the analyzer',
+          description: 'List of variables for the analyzer.',
           required: false
       end
     end

ee/app/graphql/types/ci_configuration/sast/analyzers_entity_type.rb → app/graphql/types/ci_configuration/sast/analyzers_entity_type.rb

@@ -9,19 +9,19 @@ module Types
         description 'Represents an analyzer entity in SAST CI configuration'
 
         field :name, GraphQL::STRING_TYPE, null: true,
-          description: 'Name of the analyzer'
+          description: 'Name of the analyzer.'
 
         field :label, GraphQL::STRING_TYPE, null: true,
-          description: 'Analyzer label used in the config UI'
+          description: 'Analyzer label used in the config UI.'
 
         field :enabled, GraphQL::BOOLEAN_TYPE, null: true,
-          description: 'Indicates whether an analyzer is enabled'
+          description: 'Indicates whether an analyzer is enabled.'
 
         field :description, GraphQL::STRING_TYPE, null: true,
-          description: 'Analyzer description that is displayed on the form'
+          description: 'Analyzer description that is displayed on the form.'
 
         field :variables, ::Types::CiConfiguration::Sast::EntityType.connection_type, null: true,
-          description: 'List of supported variables'
+          description: 'List of supported variables.'
       end
     end
   end

ee/app/graphql/types/ci_configuration/sast/entity_input_type.rb → app/graphql/types/ci_configuration/sast/entity_input_type.rb

@@ -9,13 +9,13 @@ module Types
         description 'Represents an entity in SAST CI configuration'
 
         argument :field, GraphQL::STRING_TYPE, required: true,
-          description: 'CI keyword of entity'
+          description: 'CI keyword of entity.'
 
         argument :default_value, GraphQL::STRING_TYPE, required: true,
-          description: 'Default value that is used if value is empty'
+          description: 'Default value that is used if value is empty.'
 
         argument :value, GraphQL::STRING_TYPE, required: true,
-          description: 'Current value of the entity'
+          description: 'Current value of the entity.'
       end
     end
   end

ee/app/graphql/types/ci_configuration/sast/input_type.rb → app/graphql/types/ci_configuration/sast/input_type.rb

@@ -8,15 +8,15 @@ module Types
         description 'Represents a CI configuration of SAST'
 
         argument :global, [::Types::CiConfiguration::Sast::EntityInputType],
-          description: 'List of global entities related to SAST configuration',
+          description: 'List of global entities related to SAST configuration.',
           required: false
 
         argument :pipeline, [::Types::CiConfiguration::Sast::EntityInputType],
-          description: 'List of pipeline entities related to SAST configuration',
+          description: 'List of pipeline entities related to SAST configuration.',
           required: false
 
         argument :analyzers, [::Types::CiConfiguration::Sast::AnalyzersEntityInputType],
-          description: 'List of analyzers and related variables for the SAST configuration',
+          description: 'List of analyzers and related variables for the SAST configuration.',
           required: false
       end
     end

app/graphql/types/project_type.rb

@@ -16,6 +16,10 @@ module Types
     field :path, GraphQL::STRING_TYPE, null: false,
           description: 'Path of the project'
 
+    field :sast_ci_configuration, Types::CiConfiguration::Sast::Type, null: true,
+      calls_gitaly: true,
+      description: 'SAST CI configuration for the project'
+
     field :name_with_namespace, GraphQL::STRING_TYPE, null: false,
           description: 'Full name of the project with its namespace'
     field :name, GraphQL::STRING_TYPE, null: false,
@@ -359,6 +363,12 @@ module Types
       project.container_repositories.size
     end
 
+    def sast_ci_configuration
+      return unless Ability.allowed?(current_user, :download_code, object)
+
+      ::Security::CiConfiguration::SastParserService.new(object).configuration
+    end
+
     private
 
     def project

doc/api/graphql/reference/gitlab_schema.graphql

@@ -22102,27 +22102,27 @@ Represents an analyzer entity in SAST CI configuration
 """
 type SastCiConfigurationAnalyzersEntity {
   """
-  Analyzer description that is displayed on the form
+  Analyzer description that is displayed on the form.
   """
   description: String
 
   """
-  Indicates whether an analyzer is enabled
+  Indicates whether an analyzer is enabled.
   """
   enabled: Boolean
 
   """
-  Analyzer label used in the config UI
+  Analyzer label used in the config UI.
   """
   label: String
 
   """
-  Name of the analyzer
+  Name of the analyzer.
   """
   name: String
 
   """
-  List of supported variables
+  List of supported variables.
   """
   variables(
     """
@@ -22187,17 +22187,17 @@ Represents the analyzers entity in SAST CI configuration
 """
 input SastCiConfigurationAnalyzersEntityInput {
   """
-  State of the analyzer
+  State of the analyzer.
   """
   enabled: Boolean!
 
   """
-  Name of analyzer
+  Name of analyzer.
   """
   name: String!
 
   """
-  List of variables for the analyzer
+  List of variables for the analyzer.
   """
   variables: [SastCiConfigurationEntityInput!]
 }
@@ -22307,17 +22307,17 @@ Represents an entity in SAST CI configuration
 """
 input SastCiConfigurationEntityInput {
   """
-  Default value that is used if value is empty
+  Default value that is used if value is empty.
   """
   defaultValue: String!
 
   """
-  CI keyword of entity
+  CI keyword of entity.
   """
   field: String!
 
   """
-  Current value of the entity
+  Current value of the entity.
   """
   value: String!
 }
@@ -22327,17 +22327,17 @@ Represents a CI configuration of SAST
 """
 input SastCiConfigurationInput {
   """
-  List of analyzers and related variables for the SAST configuration
+  List of analyzers and related variables for the SAST configuration.
   """
   analyzers: [SastCiConfigurationAnalyzersEntityInput!]
 
   """
-  List of global entities related to SAST configuration
+  List of global entities related to SAST configuration.
   """
   global: [SastCiConfigurationEntityInput!]
 
   """
-  List of pipeline entities related to SAST configuration
+  List of pipeline entities related to SAST configuration.
   """
   pipeline: [SastCiConfigurationEntityInput!]
 }

doc/api/graphql/reference/gitlab_schema.json

@@ -63880,7 +63880,7 @@
           "fields": [
             {
               "name": "description",
-              "description": "Analyzer description that is displayed on the form",
+              "description": "Analyzer description that is displayed on the form.",
               "args": [
 
               ],
@@ -63894,7 +63894,7 @@
             },
             {
               "name": "enabled",
-              "description": "Indicates whether an analyzer is enabled",
+              "description": "Indicates whether an analyzer is enabled.",
               "args": [
 
               ],
@@ -63908,7 +63908,7 @@
             },
             {
               "name": "label",
-              "description": "Analyzer label used in the config UI",
+              "description": "Analyzer label used in the config UI.",
               "args": [
 
               ],
@@ -63922,7 +63922,7 @@
             },
             {
               "name": "name",
-              "description": "Name of the analyzer",
+              "description": "Name of the analyzer.",
               "args": [
 
               ],
@@ -63936,7 +63936,7 @@
             },
             {
               "name": "variables",
-              "description": "List of supported variables",
+              "description": "List of supported variables.",
               "args": [
                 {
                   "name": "after",
@@ -64115,7 +64115,7 @@
           "inputFields": [
             {
               "name": "name",
-              "description": "Name of analyzer",
+              "description": "Name of analyzer.",
               "type": {
                 "kind": "NON_NULL",
                 "name": null,
@@ -64129,7 +64129,7 @@
             },
             {
               "name": "enabled",
-              "description": "State of the analyzer",
+              "description": "State of the analyzer.",
               "type": {
                 "kind": "NON_NULL",
                 "name": null,
@@ -64143,7 +64143,7 @@
             },
             {
               "name": "variables",
-              "description": "List of variables for the analyzer",
+              "description": "List of variables for the analyzer.",
               "type": {
                 "kind": "LIST",
                 "name": null,
@@ -64448,7 +64448,7 @@
           "inputFields": [
             {
               "name": "field",
-              "description": "CI keyword of entity",
+              "description": "CI keyword of entity.",
               "type": {
                 "kind": "NON_NULL",
                 "name": null,
@@ -64462,7 +64462,7 @@
             },
             {
               "name": "defaultValue",
-              "description": "Default value that is used if value is empty",
+              "description": "Default value that is used if value is empty.",
               "type": {
                 "kind": "NON_NULL",
                 "name": null,
@@ -64476,7 +64476,7 @@
             },
             {
               "name": "value",
-              "description": "Current value of the entity",
+              "description": "Current value of the entity.",
               "type": {
                 "kind": "NON_NULL",
                 "name": null,
@@ -64501,7 +64501,7 @@
           "inputFields": [
             {
               "name": "global",
-              "description": "List of global entities related to SAST configuration",
+              "description": "List of global entities related to SAST configuration.",
               "type": {
                 "kind": "LIST",
                 "name": null,
@@ -64519,7 +64519,7 @@
             },
             {
               "name": "pipeline",
-              "description": "List of pipeline entities related to SAST configuration",
+              "description": "List of pipeline entities related to SAST configuration.",
               "type": {
                 "kind": "LIST",
                 "name": null,
@@ -64537,7 +64537,7 @@
             },
             {
               "name": "analyzers",
-              "description": "List of analyzers and related variables for the SAST configuration",
+              "description": "List of analyzers and related variables for the SAST configuration.",
               "type": {
                 "kind": "LIST",
                 "name": null,

doc/api/graphql/reference/index.md

@@ -3183,11 +3183,11 @@ Represents an analyzer entity in SAST CI configuration.
 
 | Field | Type | Description |
 | ----- | ---- | ----------- |
-| `description` | String | Analyzer description that is displayed on the form |
-| `enabled` | Boolean | Indicates whether an analyzer is enabled |
-| `label` | String | Analyzer label used in the config UI |
-| `name` | String | Name of the analyzer |
-| `variables` | SastCiConfigurationEntityConnection | List of supported variables |
+| `description` | String | Analyzer description that is displayed on the form. |
+| `enabled` | Boolean | Indicates whether an analyzer is enabled. |
+| `label` | String | Analyzer label used in the config UI. |
+| `name` | String | Name of the analyzer. |
+| `variables` | SastCiConfigurationEntityConnection | List of supported variables. |
 
 ### SastCiConfigurationEntity
 

ee/app/graphql/ee/types/project_type.rb

@@ -15,10 +15,6 @@ module EE
               null: true,
               description: 'The DAST scanner profiles associated with the project'
 
-        field :sast_ci_configuration, ::Types::CiConfiguration::Sast::Type, null: true,
-              calls_gitaly: true,
-              description: 'SAST CI configuration for the project'
-
         field :vulnerabilities,
               ::Types::VulnerabilityType.connection_type,
               null: true,
@@ -131,12 +127,6 @@ module EE
         Hash.new(0).merge(object.requirements.counts_by_state)
       end
 
-      def sast_ci_configuration
-        return unless Ability.allowed?(current_user, :download_code, object)
-
-        ::Security::CiConfiguration::SastParserService.new(object).configuration
-      end
-
       def security_dashboard_path
         Rails.application.routes.url_helpers.project_security_dashboard_index_path(object)
       end

ee/changelogs/unreleased/move_mutation_for_mr_merge.yml

+---
+title: Move all the changes related to Mutation.configureSast to CE
+merge_request: 51169
+author:
+type: changed

ee/spec/graphql/types/project_type_spec.rb

@@ -17,7 +17,7 @@ RSpec.describe GitlabSchema.types['Project'] do
 
   it 'includes the ee specific fields' do
     expected_fields = %w[
-      vulnerabilities sast_ci_configuration vulnerability_scanners requirement_states_count
+      vulnerabilities vulnerability_scanners requirement_states_count
       vulnerability_severities_count packages compliance_frameworks vulnerabilities_count_by_day
       security_dashboard_path iterations cluster_agents repository_size_excess actual_repository_size_limit
       code_coverage_summary
@@ -26,160 +26,6 @@ RSpec.describe GitlabSchema.types['Project'] do
     expect(described_class).to include_graphql_fields(*expected_fields)
   end
 
-  describe 'sast_ci_configuration' do
-    include_context 'read ci configuration for sast enabled project'
-
-    let(:query) do
-      %(
-        query {
-            project(fullPath: "#{project.full_path}") {
-                sastCiConfiguration {
-                  global {
-                    nodes {
-                      type
-                      options {
-                        nodes {
-                          label
-                          value
-                        }
-                      }
-                      field
-                      label
-                      defaultValue
-                      value
-                      size
-                    }
-                  }
-                  pipeline {
-                    nodes {
-                      type
-                      options {
-                        nodes {
-                          label
-                          value
-                        }
-                      }
-                      field
-                      label
-                      defaultValue
-                      value
-                      size
-                    }
-                  }
-                  analyzers {
-                    nodes {
-                      name
-                      label
-                      enabled
-                    }
-                  }
-                }
-              }
-        }
-      )
-    end
-
-    before do
-      allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_content)
-    end
-
-    subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
-
-    it "returns the project's sast configuration for global variables" do
-      secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
-      expect(secure_analyzers_prefix['type']).to eq('string')
-      expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
-      expect(secure_analyzers_prefix['label']).to eq('Image prefix')
-      expect(secure_analyzers_prefix['defaultValue']).to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
-      expect(secure_analyzers_prefix['value']).to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
-      expect(secure_analyzers_prefix['size']).to eq('LARGE')
-      expect(secure_analyzers_prefix['options']).to be_nil
-    end
-
-    it "returns the project's sast configuration for pipeline variables" do
-      pipeline_stage = subject.dig('data', 'project', 'sastCiConfiguration', 'pipeline', 'nodes').first
-      expect(pipeline_stage['type']).to eq('string')
-      expect(pipeline_stage['field']).to eq('stage')
-      expect(pipeline_stage['label']).to eq('Stage')
-      expect(pipeline_stage['defaultValue']).to eq('test')
-      expect(pipeline_stage['value']).to eq('test')
-      expect(pipeline_stage['size']).to eq('MEDIUM')
-    end
-
-    it "returns the project's sast configuration for analyzer variables" do
-      analyzer = subject.dig('data', 'project', 'sastCiConfiguration', 'analyzers', 'nodes').first
-      expect(analyzer['name']).to eq('brakeman')
-      expect(analyzer['label']).to eq('Brakeman')
-      expect(analyzer['enabled']).to eq(true)
-    end
-
-    context "with guest user" do
-      before do
-        project.add_guest(user)
-      end
-
-      context 'when project is private' do
-        let(:project) { create(:project, :private, :repository) }
-
-        it "returns no configuration" do
-          secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
-          expect(secure_analyzers_prefix).to be_nil
-        end
-      end
-
-      context 'when project is public' do
-        let(:project) { create(:project, :public, :repository) }
-
-        context 'when repository is accessible by everyone' do
-          it "returns the project's sast configuration for global variables" do
-            secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
-
-            expect(secure_analyzers_prefix['type']).to eq('string')
-            expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
-          end
-        end
-      end
-    end
-
-    context "with non-member user" do
-      before do
-        project.team.truncate
-      end
-
-      context 'when project is private' do
-        let(:project) { create(:project, :private, :repository) }
-
-        it "returns no configuration" do
-          secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
-          expect(secure_analyzers_prefix).to be_nil
-        end
-      end
-
-      context 'when project is public' do
-        let(:project) { create(:project, :public, :repository) }
-
-        context 'when repository is accessible by everyone' do
-          it "returns the project's sast configuration for global variables" do
-            secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
-            expect(secure_analyzers_prefix['type']).to eq('string')
-            expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
-          end
-        end
-
-        context 'when repository is accessible only by team members' do
-          it "returns no configuration" do
-            project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED,
-                                                   builds_access_level: ProjectFeature::DISABLED,
-                                                   repository_access_level: ProjectFeature::PRIVATE)
-
-            secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
-            expect(secure_analyzers_prefix).to be_nil
-          end
-        end
-      end
-    end
-  end
-
   describe 'security_scanners' do
     let_it_be(:project) { create(:project, :repository) }
     let_it_be(:pipeline) { create(:ci_pipeline, project: project, sha: project.commit.id, ref: project.default_branch) }

lib/gitlab/template/finders/global_template_finder.rb

@@ -5,9 +5,10 @@ module Gitlab
   module Template
     module Finders
       class GlobalTemplateFinder < BaseTemplateFinder
-        def initialize(base_dir, extension, categories = {}, excluded_patterns: [])
+        def initialize(base_dir, extension, categories = {}, include_categories_for_file = {}, excluded_patterns: [])
           @categories = categories
           @extension  = extension
+          @include_categories_for_file = include_categories_for_file
           @excluded_patterns = excluded_patterns
 
           super(base_dir)
@@ -47,7 +48,9 @@ module Gitlab
         end
 
         def select_directory(file_name)
-          @categories.keys.find do |category|
+          categories = @categories
+          categories.merge!(@include_categories_for_file[file_name]) if @include_categories_for_file[file_name].present?
+          categories.keys.find do |category|
             File.exist?(File.join(category_directory(category), file_name))
           end
         end

lib/gitlab/template/gitlab_ci_yml_template.rb

@@ -25,6 +25,12 @@ module Gitlab
           }
         end
 
+        def include_categories_for_file
+          {
+            "SAST#{self.extension}" => { 'Security' => 'Security' }
+          }
+        end
+
         def excluded_patterns
           strong_memoize(:excluded_patterns) do
             BASE_EXCLUDED_PATTERNS + additional_excluded_patterns
@@ -41,7 +47,11 @@ module Gitlab
 
         def finder(project = nil)
           Gitlab::Template::Finders::GlobalTemplateFinder.new(
-            self.base_dir, self.extension, self.categories, excluded_patterns: self.excluded_patterns
+            self.base_dir,
+            self.extension,
+            self.categories,
+            self.include_categories_for_file,
+            excluded_patterns: self.excluded_patterns
           )
         end
       end

ee/lib/security/ci_configuration/sast_build_actions.rb → lib/security/ci_configuration/sast_build_actions.rb

@@ -46,11 +46,7 @@ module Security
       end
 
       def collect_analyzer_values(config, key)
-        analyzer_variables = config['analyzers']
-          &.select {|a| a['enabled'] && a['variables'] }
-          &.flat_map {|a| a['variables'] }
-          &.collect {|v| [v['field'], v[key]] }.to_h
-
+        analyzer_variables = analyzer_variables_for(config, key)
         analyzer_variables['SAST_EXCLUDED_ANALYZERS'] = if key == 'value'
                                                           config['analyzers']
                                                           &.reject {|a| a['enabled'] }
@@ -64,6 +60,13 @@ module Security
         analyzer_variables
       end
 
+      def analyzer_variables_for(config, key)
+        config['analyzers']
+          &.select {|a| a['enabled'] && a['variables'] }
+          &.flat_map {|a| a['variables'] }
+          &.collect {|v| [v['field'], v[key]] }.to_h
+      end
+
       def update_existing_content!
         @existing_gitlab_ci_content['stages'] = set_stages
         @existing_gitlab_ci_content['variables'] = set_variables(global_variables, @existing_gitlab_ci_content)

ee/spec/graphql/types/ci_configuration/sast/analyzers_entity_input_type_spec.rb → spec/graphql/types/ci_configuration/sast/analyzers_entity_input_type_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe GitlabSchema.types['SastCiConfigurationAnalyzersEntityInput'] do
+RSpec.describe ::Types::CiConfiguration::Sast::AnalyzersEntityInputType do
   it { expect(described_class.graphql_name).to eq('SastCiConfigurationAnalyzersEntityInput') }
 
   it { expect(described_class.arguments.keys).to match_array(%w[enabled name variables]) }

ee/spec/graphql/types/ci_configuration/sast/entity_type_input_spec.rb → spec/graphql/types/ci_configuration/sast/entity_input_type_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe GitlabSchema.types['SastCiConfigurationEntityInput'] do
+RSpec.describe ::Types::CiConfiguration::Sast::EntityInputType do
   it { expect(described_class.graphql_name).to eq('SastCiConfigurationEntityInput') }
 
   it { expect(described_class.arguments.keys).to match_array(%w[field defaultValue value]) }

ee/spec/graphql/types/ci_configuration/sast/input_type_spec.rb → spec/graphql/types/ci_configuration/sast/input_type_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe GitlabSchema.types['SastCiConfigurationInput'] do
+RSpec.describe ::Types::CiConfiguration::Sast::InputType do
   it { expect(described_class.graphql_name).to eq('SastCiConfigurationInput') }
 
   it { expect(described_class.arguments.keys).to match_array(%w[global pipeline analyzers]) }

spec/graphql/types/project_type_spec.rb

@@ -31,12 +31,171 @@ RSpec.describe GitlabSchema.types['Project'] do
       container_expiration_policy service_desk_enabled service_desk_address
       issue_status_counts terraform_states alert_management_integrations
       container_repositories container_repositories_count
-      pipeline_analytics squash_read_only
+      pipeline_analytics squash_read_only sast_ci_configuration
     ]
 
     expect(described_class).to include_graphql_fields(*expected_fields)
   end
 
+  describe 'sast_ci_configuration' do
+    let_it_be(:project) { create(:project) }
+    let_it_be(:user) { create(:user) }
+
+    before do
+      stub_licensed_features(security_dashboard: true)
+      project.add_developer(user)
+      allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_content)
+    end
+
+    include_context 'read ci configuration for sast enabled project'
+
+    let(:query) do
+      %(
+        query {
+            project(fullPath: "#{project.full_path}") {
+                sastCiConfiguration {
+                  global {
+                    nodes {
+                      type
+                      options {
+                        nodes {
+                          label
+                          value
+                        }
+                      }
+                      field
+                      label
+                      defaultValue
+                      value
+                      size
+                    }
+                  }
+                  pipeline {
+                    nodes {
+                      type
+                      options {
+                        nodes {
+                          label
+                          value
+                        }
+                      }
+                      field
+                      label
+                      defaultValue
+                      value
+                      size
+                    }
+                  }
+                  analyzers {
+                    nodes {
+                      name
+                      label
+                      enabled
+                    }
+                  }
+                }
+              }
+        }
+      )
+    end
+
+    subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
+
+    it "returns the project's sast configuration for global variables" do
+      secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
+      expect(secure_analyzers_prefix['type']).to eq('string')
+      expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
+      expect(secure_analyzers_prefix['label']).to eq('Image prefix')
+      expect(secure_analyzers_prefix['defaultValue']).to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
+      expect(secure_analyzers_prefix['value']).to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
+      expect(secure_analyzers_prefix['size']).to eq('LARGE')
+      expect(secure_analyzers_prefix['options']).to be_nil
+    end
+
+    it "returns the project's sast configuration for pipeline variables" do
+      pipeline_stage = subject.dig('data', 'project', 'sastCiConfiguration', 'pipeline', 'nodes').first
+      expect(pipeline_stage['type']).to eq('string')
+      expect(pipeline_stage['field']).to eq('stage')
+      expect(pipeline_stage['label']).to eq('Stage')
+      expect(pipeline_stage['defaultValue']).to eq('test')
+      expect(pipeline_stage['value']).to eq('test')
+      expect(pipeline_stage['size']).to eq('MEDIUM')
+    end
+
+    it "returns the project's sast configuration for analyzer variables" do
+      analyzer = subject.dig('data', 'project', 'sastCiConfiguration', 'analyzers', 'nodes').first
+      expect(analyzer['name']).to eq('brakeman')
+      expect(analyzer['label']).to eq('Brakeman')
+      expect(analyzer['enabled']).to eq(true)
+    end
+
+    context "with guest user" do
+      before do
+        project.add_guest(user)
+      end
+
+      context 'when project is private' do
+        let(:project) { create(:project, :private, :repository) }
+
+        it "returns no configuration" do
+          secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
+          expect(secure_analyzers_prefix).to be_nil
+        end
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :public, :repository) }
+
+        context 'when repository is accessible by everyone' do
+          it "returns the project's sast configuration for global variables" do
+            secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
+
+            expect(secure_analyzers_prefix['type']).to eq('string')
+            expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
+          end
+        end
+      end
+    end
+
+    context "with non-member user" do
+      before do
+        project.team.truncate
+      end
+
+      context 'when project is private' do
+        let(:project) { create(:project, :private, :repository) }
+
+        it "returns no configuration" do
+          secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
+          expect(secure_analyzers_prefix).to be_nil
+        end
+      end
+
+      context 'when project is public' do
+        let(:project) { create(:project, :public, :repository) }
+
+        context 'when repository is accessible by everyone' do
+          it "returns the project's sast configuration for global variables" do
+            secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
+            expect(secure_analyzers_prefix['type']).to eq('string')
+            expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
+          end
+        end
+
+        context 'when repository is accessible only by team members' do
+          it "returns no configuration" do
+            project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED,
+                                                   builds_access_level: ProjectFeature::DISABLED,
+                                                   repository_access_level: ProjectFeature::PRIVATE)
+
+            secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration')
+            expect(secure_analyzers_prefix).to be_nil
+          end
+        end
+      end
+    end
+  end
+
   describe 'issue field' do
     subject { described_class.fields['issue'] }
 

spec/lib/gitlab/template/finders/global_template_finder_spec.rb

@@ -15,9 +15,19 @@ RSpec.describe Gitlab::Template::Finders::GlobalTemplateFinder do
     FileUtils.rm_rf(base_dir)
   end
 
-  subject(:finder) { described_class.new(base_dir, '', { 'General' => '', 'Bar' => 'Bar' }, excluded_patterns: excluded_patterns) }
+  subject(:finder) do
+    described_class.new(base_dir, '',
+                        { 'General' => '', 'Bar' => 'Bar' },
+                        include_categories_for_file,
+                        excluded_patterns: excluded_patterns)
+  end
 
   let(:excluded_patterns) { [] }
+  let(:include_categories_for_file) do
+    {
+      "SAST" => { "Security" => "Security" }
+    }
+  end
 
   describe '.find' do
     context 'with a non-prefixed General template' do
@@ -60,6 +70,7 @@ RSpec.describe Gitlab::Template::Finders::GlobalTemplateFinder do
     context 'with a prefixed template' do
       before do
         create_template!('Bar/test-template')
+        create_template!('Security/SAST')
       end
 
       it 'finds the template with a prefix' do
@@ -76,6 +87,16 @@ RSpec.describe Gitlab::Template::Finders::GlobalTemplateFinder do
         expect { finder.find('../foo') }.to raise_error(/Invalid path/)
       end
 
+      context 'with include_categories_for_file being present' do
+        it 'finds the template with a prefix' do
+          expect(finder.find('SAST')).to be_present
+        end
+
+        it 'does not find any template which is missing in include_categories_for_file' do
+          expect(finder.find('DAST')).to be_nil
+        end
+      end
+
       context 'while listed as an exclusion' do
         let(:excluded_patterns) { [%r{^Bar/test-template$}] }
 

ee/spec/lib/security/ci_configuration/sast_build_actions_spec.rb → spec/lib/security/ci_configuration/sast_build_actions_spec.rb

 # frozen_string_literal: true
 
-require 'fast_spec_helper'
+require 'spec_helper'
 
 RSpec.describe Security::CiConfiguration::SastBuildActions do
   let(:default_sast_values) do
@@ -308,7 +308,9 @@ RSpec.describe Security::CiConfiguration::SastBuildActions do
       subject(:result) { described_class.new(auto_devops_enabled, params, gitlab_ci_content).generate }
 
       before do
-        allow_any_instance_of(described_class).to receive(:auto_devops_stages).and_return(fast_auto_devops_stages)
+        allow_next_instance_of(described_class) do |sast_build_actions|
+          allow(sast_build_actions).to receive(:auto_devops_stages).and_return(fast_auto_devops_stages)
+        end
       end
 
       it 'generates the correct YML' do