Move security products end-to-end tests as part of Gitlab QA
This was recently discussed between the security products team and the Quality team.
Meeting agenda: https://docs.google.com/document/d/1xNA71o1H4G18njonOywQFFWDu05MCr0fAEs0v3la2q0/edit#
- The Security Products team have their own QA steps and pipeline: https://gitlab.com/gitlab-org/security-products/release/blob/master/docs/qa_process.md
- In the security product release process, a release manager triggers the QA trigger script that will automatically trigger a pipeline on each test project.
- There are ongoing efforts to automate this further, but we should investigate combining efforts with gitlab-qa instead of duplicating things.
- Actual tests for GitLab are in the CE repo, under qa/qa/specs
- The Security Products team is using Docker in Docker, so pipeline setup time will be affected.
Security Products projects
- SAST: https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
- Test projects: https://gitlab.com/gitlab-org/security-products/tests/sast
- DAST: ZAProxy (https://docs.gitlab.com/ee/user/project/merge_requests/dast.html)
- Dependency Scanning: https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html
- Code Quality: Code Climate
- Security Products tests projects: https://gitlab.com/gitlab-org/security-products/tests
GitLab QA scripts are meant to run on gitlab.com. The Security Products QA script will have to be ported to integrate into the current GitLab release process.
Steps forward
- Look into what is possible in gitlab-qa runner.
- Slowly move security products tests into the gitlab-qa pipeline.
- Ideally we would want an optional step that the security products team can run.
Phase 1
- Add QA jobs to these test projects before moving them to GitLab QA. But this is still WIP.
- There's no need to duplicate the test projects to integrate them in GitLab QA. No need to wait, we should integrate what we've got ASAP.
/cc @gonzoyumo @plafoucriere @fcatteau @rymai @grzesiek @ddavison
Edited by Mek Stittri