Adding FIPS support to DAST API/API Fuzzing latest CI template

- New variable _VERSION_TAG added
- Automatically set _VERSION_TAG to "-fips" via rules

Changelog: added
EE: true

ee/spec/lib/gitlab/ci/templates/api_fuzzing_latest_gitlab_ci_yaml_spec.rb

@@ -135,6 +135,34 @@ RSpec.describe 'API-Fuzzing.latest.gitlab-ci.yml' do
             expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
           end
         end
+
+        context 'when CI_GITLAB_FIPS_MODE=false' do
+          let(:build_dast_api) { pipeline.builds.find_by(name: 'apifuzzer_fuzz') }
+          let(:build_variables) { build_dast_api.variables.pluck(:key, :value) }
+
+          before do
+            create(:ci_variable, project: project, key: 'CI_GITLAB_FIPS_MODE', value: 'false')
+            create(:ci_variable, project: project, key: 'FUZZAPI_HAR', value: 'testing.har')
+            create(:ci_variable, project: project, key: 'FUZZAPI_TARGET_URL', value: 'http://example.com')
+          end
+
+          it 'sets FUZZAPI_VERSION_TAG to ""' do
+            expect(build_variables).to be_include(['FUZZAPI_VERSION_TAG', ''])
+          end
+        end
+
+        context 'when CI_GITLAB_FIPS_MODE=true' do
+          let(:build_dast_api) { pipeline.builds.find_by(name: 'apifuzzer_fuzz') }
+          let(:build_variables) { build_dast_api.variables.pluck(:key, :value) }
+
+          before do
+            create(:ci_variable, project: project, key: 'CI_GITLAB_FIPS_MODE', value: 'true')
+          end
+
+          it 'sets FUZZAPI_VERSION_TAG to "-fips"' do
+            expect(build_variables).to be_include(['FUZZAPI_VERSION_TAG', '-fips'])
+          end
+        end
       end
     end
   end

ee/spec/lib/gitlab/ci/templates/dast_api_latest_gitlab_ci_yaml_spec.rb

@@ -98,6 +98,32 @@ RSpec.describe 'DAST-API.latest.gitlab-ci.yml' do
             expect { pipeline }.to raise_error(Ci::CreatePipelineService::CreateError)
           end
         end
+
+        context 'when CI_GITLAB_FIPS_MODE=false' do
+          let(:build_dast_api) { pipeline.builds.find_by(name: 'dast_api') }
+          let(:build_variables) { build_dast_api.variables.pluck(:key, :value) }
+
+          before do
+            create(:ci_variable, project: project, key: 'CI_GITLAB_FIPS_MODE', value: 'false')
+          end
+
+          it 'sets DAST_API_VERSION_TAG to ""' do
+            expect(build_variables).to be_include(['DAST_API_VERSION_TAG', ''])
+          end
+        end
+
+        context 'when CI_GITLAB_FIPS_MODE=true' do
+          let(:build_dast_api) { pipeline.builds.find_by(name: 'dast_api') }
+          let(:build_variables) { build_dast_api.variables.pluck(:key, :value) }
+
+          before do
+            create(:ci_variable, project: project, key: 'CI_GITLAB_FIPS_MODE', value: 'true')
+          end
+
+          it 'sets DAST_API_VERSION_TAG to "-fips"' do
+            expect(build_variables).to be_include(['DAST_API_VERSION_TAG', '-fips'])
+          end
+        end
       end
     end
   end

lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml

@@ -3,19 +3,36 @@
 # This specific template is located at:
 # https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.latest.gitlab-ci.yml
 
+# To use this template, add the following to your .gitlab-ci.yml file:
+#
+# include:
+#   template: API-Fuzzing.latest.gitlab-ci.yml
+#
+# You also need to add a `fuzz` stage to your `stages:` configuration. A sample configuration for API Fuzzing:
+#
+# stages:
+#   - build
+#   - test
+#   - deploy
+#   - fuzz
+
 # Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/
 #
-# Configure API fuzzing with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
+# Configure API Fuzzing with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
 # List of available variables: https://docs.gitlab.com/ee/user/application_security/api_fuzzing/#available-cicd-variables
 
 variables:
-    FUZZAPI_VERSION: "1"
+    # Setting this variable affects all Security templates
+    # (SAST, Dependency Scanning, ...)
     SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
+    #
+    FUZZAPI_VERSION: "1"
+    FUZZAPI_VERSION_TAG: ""
     FUZZAPI_IMAGE: api-fuzzing
 
 apifuzzer_fuzz:
     stage: fuzz
-    image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION
+    image: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_VERSION_TAG
     allow_failure: true
     rules:
         - if: $API_FUZZING_DISABLED
@@ -23,6 +40,10 @@ apifuzzer_fuzz:
         - if: $API_FUZZING_DISABLED_FOR_DEFAULT_BRANCH &&
                 $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
           when: never
+        - if: $CI_COMMIT_BRANCH &&
+              $CI_GITLAB_FIPS_MODE == "true"
+          variables:
+              FUZZAPI_VERSION_TAG: "-fips"
         - if: $CI_COMMIT_BRANCH
     script:
         - /peach/analyzer-fuzz-api

lib/gitlab/ci/templates/Security/DAST-API.latest.gitlab-ci.yml

@@ -27,11 +27,12 @@ variables:
   SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/security-products"
   #
   DAST_API_VERSION: "1"
+  DAST_API_VERSION_TAG: ""
   DAST_API_IMAGE: api-fuzzing
 
 dast_api:
   stage: dast
-  image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION
+  image: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_VERSION_TAG
   allow_failure: true
   rules:
     - if: $DAST_API_DISABLED
@@ -39,6 +40,10 @@ dast_api:
     - if: $DAST_API_DISABLED_FOR_DEFAULT_BRANCH &&
           $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
       when: never
+    - if: $CI_COMMIT_BRANCH &&
+          $CI_GITLAB_FIPS_MODE == "true"
+      variables:
+        DAST_API_VERSION_TAG: "-fips"
     - if: $CI_COMMIT_BRANCH
   script:
     - /peach/analyzer-dast-api
@@ -50,3 +55,5 @@ dast_api:
       - gl-*.log
     reports:
       dast: gl-dast-api-report.json
+
+# end