Add IaC scanning to Security Configuration page

This adds the IaC Scanning configuration card to the Security
Configuration page.
parent f6ddd1b3
......@@ -3,6 +3,7 @@ import { __, s__ } from '~/locale';
import {
REPORT_TYPE_SAST,
REPORT_TYPE_SAST_IAC,
REPORT_TYPE_DAST,
REPORT_TYPE_DAST_PROFILES,
REPORT_TYPE_SECRET_DETECTION,
......@@ -30,6 +31,16 @@ export const SAST_CONFIG_HELP_PATH = helpPagePath('user/application_security/sas
anchor: 'configuration',
});
export const SAST_IAC_NAME = __('Infrastructure as Code (IaC) Scanning');
export const SAST_IAC_SHORT_NAME = s__('ciReport|IaC Scanning');
export const SAST_IAC_DESCRIPTION = __(
'Analyze your infrastructure as code configuration files for known vulnerabilities.',
);
export const SAST_IAC_HELP_PATH = helpPagePath('user/application_security/sast/index');
export const SAST_IAC_CONFIG_HELP_PATH = helpPagePath('user/application_security/sast/index', {
anchor: 'configuration',
});
export const DAST_NAME = __('Dynamic Application Security Testing (DAST)');
export const DAST_SHORT_NAME = s__('ciReport|DAST');
export const DAST_DESCRIPTION = __('Analyze a review version of your web application.');
......@@ -141,6 +152,22 @@ export const securityFeatures = [
// https://gitlab.com/gitlab-org/gitlab/-/issues/331621
canEnableByMergeRequest: true,
},
...(gon?.features?.configureIacScanningViaMr
? [
{
name: SAST_IAC_NAME,
shortName: SAST_IAC_SHORT_NAME,
description: SAST_IAC_DESCRIPTION,
helpPath: SAST_IAC_HELP_PATH,
configurationHelpPath: SAST_IAC_CONFIG_HELP_PATH,
type: REPORT_TYPE_SAST_IAC,
// This field will eventually come from the backend, the progress is
// tracked in https://gitlab.com/gitlab-org/gitlab/-/issues/331621
canEnableByMergeRequest: true,
},
]
: []),
{
name: DAST_NAME,
shortName: DAST_SHORT_NAME,
......
......@@ -17,6 +17,7 @@ export const REPORT_FILE_TYPES = {
* Security scan report types, as provided by the backend.
*/
export const REPORT_TYPE_SAST = 'sast';
export const REPORT_TYPE_SAST_IAC = 'sast_iac';
export const REPORT_TYPE_DAST = 'dast';
export const REPORT_TYPE_DAST_PROFILES = 'dast_profiles';
export const REPORT_TYPE_SECRET_DETECTION = 'secret_detection';
......
......@@ -13,7 +13,7 @@
module Security
class SecurityJobsFinder < JobsFinder
def self.allowed_job_types
[:sast, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
[:sast, :sast_iac, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing, :cluster_image_scanning]
end
end
end
---
name: configure_iac_scanning_via_mr
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73155
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/343966
milestone: '14.5'
type: development
group: group::static analysis
default_enabled: false
---
filenames:
- ee/app/assets/javascripts/oncall_schedules/graphql/mutations/update_oncall_schedule_rotation.mutation.graphql
- ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/api_fuzzing_ci_configuration.query.graphql
- ee/app/assets/javascripts/security_configuration/api_fuzzing/graphql/create_api_fuzzing_configuration.mutation.graphql
- ee/app/assets/javascripts/security_configuration/graphql/configure_iac.mutation.graphql
......@@ -16752,6 +16752,7 @@ Size of UI component in SAST configuration page.
| <a id="securityreporttypeenumdast"></a>`DAST` | DAST scan report. |
| <a id="securityreporttypeenumdependency_scanning"></a>`DEPENDENCY_SCANNING` | DEPENDENCY SCANNING scan report. |
| <a id="securityreporttypeenumsast"></a>`SAST` | SAST scan report. |
| <a id="securityreporttypeenumsast_iac"></a>`SAST_IAC` | SAST IAC scan report. |
| <a id="securityreporttypeenumsecret_detection"></a>`SECRET_DETECTION` | SECRET DETECTION scan report. |
### `SecurityScannerType`
......@@ -16767,6 +16768,7 @@ The type of the security scanner.
| <a id="securityscannertypedast"></a>`DAST` | DAST scanner. |
| <a id="securityscannertypedependency_scanning"></a>`DEPENDENCY_SCANNING` | Dependency Scanning scanner. |
| <a id="securityscannertypesast"></a>`SAST` | SAST scanner. |
| <a id="securityscannertypesast_iac"></a>`SAST_IAC` | Sast Iac scanner. |
| <a id="securityscannertypesecret_detection"></a>`SECRET_DETECTION` | Secret Detection scanner. |
### `SentryErrorStatus`
......
import { s__ } from '~/locale';
import { featureToMutationMap as featureToMutationMapCE } from '~/security_configuration/components/constants';
import { REPORT_TYPE_DEPENDENCY_SCANNING } from '~/vue_shared/security_reports/constants';
import {
REPORT_TYPE_SAST_IAC,
REPORT_TYPE_DEPENDENCY_SCANNING,
} from '~/vue_shared/security_reports/constants';
import configureSastIacMutation from '../graphql/configure_iac.mutation.graphql';
import configureDependencyScanningMutation from '../graphql/configure_dependency_scanning.mutation.graphql';
export const SMALL = 'SMALL';
......@@ -21,6 +25,21 @@ export const CUSTOM_VALUE_MESSAGE = s__(
export const featureToMutationMap = {
...featureToMutationMapCE,
...(gon?.features?.configureIacScanningViaMr
? {
[REPORT_TYPE_SAST_IAC]: {
mutationId: 'configureSastIac',
getMutationPayload: (projectPath) => ({
mutation: configureSastIacMutation,
variables: {
input: {
projectPath,
},
},
}),
},
}
: {}),
[REPORT_TYPE_DEPENDENCY_SCANNING]: {
mutationId: 'configureDependencyScanning',
getMutationPayload: (projectPath) => ({
......
mutation configureSastIac($input: ConfigureSastIacInput!) {
configureSastIac(input: $input) {
successPath
errors
}
}
......@@ -184,6 +184,7 @@ class License < ApplicationRecord
report_approver_rules
requirements
sast
sast_iac
sast_custom_rulesets
sast_fp_reduction
secret_detection
......
......@@ -15,6 +15,8 @@ module EE
gon.subscriptions_url = ::Gitlab::SubscriptionPortal::SUBSCRIPTIONS_URL
gon.payment_form_url = ::Gitlab::SubscriptionPortal::PAYMENT_FORM_URL
end
push_frontend_feature_flag(:configure_iac_scanning_via_mr, current_user, default_enabled: :yaml)
end
# Exposes if a licensed feature is available.
......
......@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do
it 'responds in json format when requested' do
get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
types = %w(sast sast_iac dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
......
......@@ -84,7 +84,7 @@ RSpec.describe 'User sees Security Configuration table', :js do
end
def within_dast_card
within '[data-testid="security-testing-card"]:nth-of-type(2)' do
within '[data-testid="security-testing-card"]:nth-of-type(3)' do
yield
end
end
......
......@@ -4,6 +4,6 @@ require 'spec_helper'
RSpec.describe GitlabSchema.types['SecurityScannerType'] do
it 'exposes all security scanner types' do
expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SECRET_DETECTION])
expect(described_class.values.keys).to match_array(%w[API_FUZZING CLUSTER_IMAGE_SCANNING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SAST_IAC SECRET_DETECTION])
end
end
......@@ -83,6 +83,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: true),
security_scan(:sast, configured: true),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
......@@ -113,6 +114,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false),
security_scan(:sast, configured: false),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
......@@ -143,6 +145,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false),
security_scan(:sast, configured: false),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
......@@ -169,6 +172,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false),
security_scan(:sast, configured: false),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
......@@ -203,6 +207,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:dast, configured: true),
security_scan(:dast_profiles, configured: true),
security_scan(:sast, configured: true),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
......@@ -228,6 +233,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:dast, configured: false),
security_scan(:dast_profiles, configured: true),
security_scan(:sast, configured: true),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
......@@ -246,6 +252,7 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:dast, configured: true),
security_scan(:dast_profiles, configured: true),
security_scan(:sast, configured: true),
security_scan(:sast_iac, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
......
......@@ -3927,6 +3927,9 @@ msgstr ""
msgid "Analyze your dependencies for known vulnerabilities."
msgstr ""
msgid "Analyze your infrastructure as code configuration files for known vulnerabilities."
msgstr ""
msgid "Analyze your source code and git history for secrets."
msgstr ""
......@@ -18288,6 +18291,9 @@ msgstr ""
msgid "Infrastructure Registry"
msgstr ""
msgid "Infrastructure as Code (IaC) Scanning"
msgstr ""
msgid "InfrastructureRegistry|Copy Terraform Command"
msgstr ""
......@@ -40385,6 +40391,9 @@ msgstr ""
msgid "ciReport|Found %{issuesWithCount}"
msgstr ""
msgid "ciReport|IaC Scanning"
msgstr ""
msgid "ciReport|Investigate this vulnerability by creating an issue"
msgstr ""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment