Commit eee65ff6 authored by Alan (Maciej) Paruszewski's avatar Alan (Maciej) Paruszewski Committed by Igor Drozdov

Add support for setting CI variables in Security Policies

parent 3bb0b5ab
...@@ -17,7 +17,7 @@ module Security ...@@ -17,7 +17,7 @@ module Security
when 'container_scanning', 'cluster_image_scanning' when 'container_scanning', 'cluster_image_scanning'
scan_configuration(action[:scan], ci_variables) scan_configuration(action[:scan], ci_variables)
when 'sast' when 'sast'
child_pipeline_configuration(action[:scan]) child_pipeline_configuration(action[:scan], ci_variables)
else else
error_script('Invalid Scan type') error_script('Invalid Scan type')
end end
...@@ -47,8 +47,9 @@ module Security ...@@ -47,8 +47,9 @@ module Security
.except(:rules) .except(:rules)
end end
def child_pipeline_configuration(template) def child_pipeline_configuration(template, ci_variables)
{ {
variables: ci_variables.compact,
inherit: { inherit: {
variables: false variables: false
}, },
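Review bot: `variables: ci_variables.compact` silently drops every nil-valued entry, and nothing records that this is what keeps hidden variables such as `'SAST_DISABLED' => nil` (the value the spec fixture passes) out of the child pipeline; a comment would stop the next reader from treating it as dead defensive code, e.g. `# nil values are the hidden scan variables; they are never forwarded to the child pipeline`. The resulting hash also mixes string keys under `variables:` with the symbol keys `inherit:` and `trigger:`, which is presumably why the spec stopped calling `deep_symbolize_keys`; that is worth either stating in the same comment or normalising. `child_pipeline_configuration` continues past the end of the hunk.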
......
...@@ -10,6 +10,9 @@ module Security ...@@ -10,6 +10,9 @@ module Security
}, },
'container_scanning' => { 'container_scanning' => {
'CONTAINER_SCANNING_DISABLED' => nil 'CONTAINER_SCANNING_DISABLED' => nil
},
'sast' => {
'SAST_DISABLED' => nil
} }
}.freeze }.freeze
...@@ -29,8 +32,9 @@ module Security ...@@ -29,8 +32,9 @@ module Security
private private
def ci_configuration def ci_configuration
action_variables = action[:variables].to_h.stringify_keys
ci_variables, ci_hidden_variables = scan_variables ci_variables, ci_hidden_variables = scan_variables
ci_content = ::Security::SecurityOrchestrationPolicies::CiConfigurationService.new.execute(action, ci_variables) ci_content = ::Security::SecurityOrchestrationPolicies::CiConfigurationService.new.execute(action, action_variables.merge(ci_variables))
[{ "#{scan_type}" => ci_content }, ci_hidden_variables] [{ "#{scan_type}" => ci_content }, ci_hidden_variables]
end end
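Review bot: The argument order in `action_variables.merge(ci_variables)` is the only thing preventing a policy-supplied variable from overriding a server-controlled one (a policy value for `SAST_DISABLED` is replaced by the nil from `scan_variables`), yet nothing in the code says so and the order is easy to flip in a refactor; a comment would pin it, e.g. `# scan_variables must win: policy-supplied values cannot override the hidden/disable variables`. The same `action[:variables].to_h.stringify_keys` line is duplicated in the `scan_configuration` hunk below with the same missing comment, so a shared helper would keep the precedence rule in one place. `to_h` on `nil` yields `{}`, so an action without `variables` is handled, but `to_h` on a scalar would raise, so this presumably relies on the schema having already validated `variables` as an object.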
......
...@@ -10,6 +10,9 @@ module Security ...@@ -10,6 +10,9 @@ module Security
}, },
container_scanning: { container_scanning: {
'CONTAINER_SCANNING_DISABLED' => nil 'CONTAINER_SCANNING_DISABLED' => nil
},
sast: {
'SAST_DISABLED' => nil
} }
}.freeze }.freeze
...@@ -32,7 +35,11 @@ module Security ...@@ -32,7 +35,11 @@ module Security
end end
def scan_configuration(action) def scan_configuration(action)
::Security::SecurityOrchestrationPolicies::CiConfigurationService.new.execute(action, scan_variables(action)) action_variables = action[:variables].to_h.stringify_keys
::Security::SecurityOrchestrationPolicies::CiConfigurationService
.new
.execute(action, action_variables.merge(scan_variables(action)))
end end
def scan_variables(action) def scan_variables(action)
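Review bot: The three-line chain `CiConfigurationService` / `.new` / `.execute(...)` in `scan_configuration` puts the constructor on a line of its own, which reads as a continuation of the constant rather than as a call; naming the instance is clearer and matches how `ci_configuration` in the same commit writes it on one line: `service = ::Security::SecurityOrchestrationPolicies::CiConfigurationService.new` followed by `service.execute(action, action_variables.merge(scan_variables(action)))`. The merge here carries the same precedence rule as `ci_configuration` (scan variables override policy-supplied ones) and would benefit from the same one-line comment explaining why the order matters.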
......
...@@ -132,6 +132,14 @@ ...@@ -132,6 +132,14 @@
"string", "string",
"null" "null"
] ]
},
"variables": {
"type": "object",
"patternProperties": {
"\\A[a-zA-Z_][a-zA-Z0-9_]*\\z": {
"type": "string"
}
}
} }
}, },
"allOf": [ "allOf": [
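Review bot: `patternProperties` on its own only constrains keys that match the pattern; a variable name that does not match it (one containing a hyphen or a space, for instance) is still accepted, because a JSON Schema object permits additional properties unless told otherwise. If the identifier pattern is meant to be a restriction rather than a type hint, add `"additionalProperties": false` next to `patternProperties` inside the `variables` object. It is also worth confirming which regex engine the validator uses: JSON Schema specifies ECMA 262 patterns, where `\A` and `\z` are not anchors, so a validator in strict ECMA mode would match them literally, whereas a Ruby `Regexp` handles them as intended. The `maxProperties` increments in the later hunks of this file are consistent with the single new key.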
...@@ -147,7 +155,7 @@ ...@@ -147,7 +155,7 @@
"required": [ "required": [
"site_profile" "site_profile"
], ],
"maxProperties": 3 "maxProperties": 4
} }
}, },
{ {
...@@ -159,7 +167,7 @@ ...@@ -159,7 +167,7 @@
} }
}, },
"then": { "then": {
"maxProperties": 1 "maxProperties": 2
} }
}, },
{ {
...@@ -171,7 +179,7 @@ ...@@ -171,7 +179,7 @@
} }
}, },
"then": { "then": {
"maxProperties": 1 "maxProperties": 2
} }
}, },
{ {
...@@ -183,7 +191,7 @@ ...@@ -183,7 +191,7 @@
} }
}, },
"then": { "then": {
"maxProperties": 1 "maxProperties": 2
} }
}, },
{ {
...@@ -195,7 +203,7 @@ ...@@ -195,7 +203,7 @@
} }
}, },
"then": { "then": {
"maxProperties": 1 "maxProperties": 2
} }
} }
], ],
......
...@@ -118,15 +118,16 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d ...@@ -118,15 +118,16 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CiConfigurationService d
context 'when scan type is sast' do context 'when scan type is sast' do
let_it_be(:action) { { scan: 'sast' } } let_it_be(:action) { { scan: 'sast' } }
let_it_be(:ci_variables) { {} } let_it_be(:ci_variables) { { 'SAST_EXCLUDED_ANALYZERS' => 'semgrep', 'SAST_DISABLED' => nil } }
it 'returns prepared CI configuration for SAST' do it 'returns prepared CI configuration for SAST' do
expected_configuration = { expected_configuration = {
inherit: { variables: false }, inherit: { variables: false },
variables: { 'SAST_EXCLUDED_ANALYZERS' => 'semgrep' },
trigger: { include: [{ template: 'Security/SAST.gitlab-ci.yml' }] } trigger: { include: [{ template: 'Security/SAST.gitlab-ci.yml' }] }
} }
expect(subject.deep_symbolize_keys).to eq(expected_configuration) expect(subject).to eq(expected_configuration)
end end
end end
end end
......
...@@ -134,6 +134,18 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CreatePipelineService do ...@@ -134,6 +134,18 @@ RSpec.describe Security::SecurityOrchestrationPolicies::CreatePipelineService do
expect(build.name).to eq('sast') expect(build.name).to eq('sast')
end end
context 'when action contains variables' do
let(:action) { { scan: 'sast', variables: { SAST_EXCLUDED_ANALYZERS: 'semgrep' } } }
it 'parses variables from the action and applies them in configuration service' do
expect_next_instance_of(::Security::SecurityOrchestrationPolicies::CiConfigurationService) do |ci_configuration_service|
expect(ci_configuration_service).to receive(:execute).once.with(action, 'SAST_DISABLED' => nil, 'SAST_EXCLUDED_ANALYZERS' => 'semgrep').and_call_original
end
subject
end
end
end end
end end
end end
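Review bot: Neither this example nor the matching one in the ScanPipelineService spec below exercises the collision case that the services' merge order exists for: a policy whose `variables` sets `SAST_DISABLED` (or another hidden variable) must still reach `CiConfigurationService#execute` with the server's nil value. The current `with(...)` assertion only covers non-conflicting keys, so a refactor that reverses the merge order would pass both specs. One extra example with `variables: { SAST_DISABLED: 'true', SAST_EXCLUDED_ANALYZERS: 'semgrep' }` in the action and the unchanged `'SAST_DISABLED' => nil` expectation would lock the precedence in.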
......
...@@ -32,6 +32,18 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ScanPipelineService do ...@@ -32,6 +32,18 @@ RSpec.describe Security::SecurityOrchestrationPolicies::ScanPipelineService do
it_behaves_like 'creates scan jobs', 1, [:'secret-detection-0'] it_behaves_like 'creates scan jobs', 1, [:'secret-detection-0']
end end
context 'when action contains variables' do
let(:actions) { [{ scan: 'sast', variables: { SAST_EXCLUDED_ANALYZERS: 'semgrep' } }] }
it 'parses variables from the action and applies them in configuration service' do
expect_next_instance_of(::Security::SecurityOrchestrationPolicies::CiConfigurationService) do |ci_configuration_service|
expect(ci_configuration_service).to receive(:execute).once.with(actions.first, 'SAST_DISABLED' => nil, 'SAST_EXCLUDED_ANALYZERS' => 'semgrep').and_call_original
end
subject
end
end
context 'when there are multiple actions' do context 'when there are multiple actions' do
let(:actions) do let(:actions) do
[ [
......