Verify Secure Reports comply with the Secure Report Format
Problem to solve
At the time of writing, the Secure Report Format schema releases are considered Release Candidates and are not generally available. Before they can be considered mature enough for general availability, it should first be established that the Secure products themselves conform to the schema.
This issue in part resolves #215595.
Proposal
SAST, Container Scanning and Dependency Scanning use the scripts/jobs defined in ci-templates for their QA process. For each of these products, a new CI job should be added that does the following:
- Specify a pinned version of the Secure Report Format schemas
- Download the schema file for the appropriate product and pinned version
- Using a JSON schema validator, verify that the QA expectation (the report the analyzer is expected to produce) complies with the downloaded schema
- When the report does not validate against the schema, the pipeline should fail
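One way to implement the validation step of such a job, as an added example that is not part of this issue or of GitLab's own ci-templates: pin the schema release, build the download URL from the product name, validate the report, and return a non-zero exit status so the pipeline fails. The raw-URL layout under the security-report-schemas repository, the `v2.3.2` tag name and the `<product>-report-format.json` file names are assumptions; the sample schema and reports are constructed and cover only a small subset of the real format, and the validator implements only a handful of JSON Schema keywords as a stand-in for a full validator such as the `jsonschema` package.

```python
"""Validate a Secure report against a pinned Secure Report Format schema.

Added example; not GitLab's own CI script. Schema URL layout, tag name,
product file names and the sample schema/reports are assumptions.
"""
import json
import re
import sys
import urllib.request

SCHEMA_VERSION = "2.3.2"  # assumed tag; bump deliberately, never track "latest"
SCHEMA_REPO = "https://gitlab.com/gitlab-org/security-products/security-report-schemas"
PRODUCTS = ("sast", "container-scanning", "dependency-scanning")


def schema_url(product: str, version: str = SCHEMA_VERSION) -> str:
    """Raw URL of a product's schema at a pinned tag (assumed repository layout)."""
    if product not in PRODUCTS:
        raise ValueError(f"unknown product: {product}")
    return f"{SCHEMA_REPO}/-/raw/v{version}/dist/{product}-report-format.json"


def download_schema(product: str) -> dict:
    """Fetch the pinned schema; network access is the CI job's, not the test's."""
    with urllib.request.urlopen(schema_url(product)) as resp:
        return json.load(resp)


TYPES = {"object": dict, "array": list, "string": str, "number": (int, float),
         "integer": int, "boolean": bool, "null": type(None)}


def validate(instance, schema: dict, path: str = "$") -> list:
    """Minimal JSON Schema subset (type, required, properties, items, enum,
    pattern, minItems). Returns human-readable errors; empty means valid."""
    errors = []
    if "type" in schema:
        expected = schema["type"] if isinstance(schema["type"], list) else [schema["type"]]
        # bool is a subclass of int in Python, so exclude it for numeric types
        ok = any(isinstance(instance, TYPES[t]) and not (t in ("number", "integer")
                 and isinstance(instance, bool)) for t in expected)
        if not ok:
            return [f"{path}: expected type {expected}, got {type(instance).__name__}"]
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not one of {schema['enum']}")
    if "pattern" in schema and isinstance(instance, str) and not re.search(schema["pattern"], instance):
        errors.append(f"{path}: {instance!r} does not match /{schema['pattern']}/")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required property '{key}'")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
    if isinstance(instance, list):
        if len(instance) < schema.get("minItems", 0):
            errors.append(f"{path}: needs at least {schema['minItems']} item(s)")
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema.get("items", {}), f"{path}[{i}]"))
    return errors


# Constructed, heavily simplified stand-in for a Secure Report Format schema.
SAMPLE_SCHEMA = {
    "type": "object", "required": ["version", "vulnerabilities"],
    "properties": {
        "version": {"type": "string", "pattern": r"^[0-9]+\.[0-9]+(\.[0-9]+)?$"},
        "vulnerabilities": {"type": "array", "items": {
            "type": "object", "required": ["id", "category", "scanner", "identifiers"],
            "properties": {
                "id": {"type": "string"},
                "category": {"type": "string",
                             "enum": ["sast", "dependency_scanning", "container_scanning"]},
                "scanner": {"type": "object", "required": ["id", "name"]},
                "identifiers": {"type": "array", "minItems": 1, "items": {
                    "type": "object", "required": ["type", "name", "value"]}},
            }}},
    }}

# Constructed reports: one conforming, one with three schema violations.
GOOD_REPORT = {"version": "2.3", "vulnerabilities": [{
    "id": "a1", "category": "sast", "scanner": {"id": "demo", "name": "Demo"},
    "identifiers": [{"type": "cwe", "name": "CWE-79", "value": "79"}]}]}
BAD_REPORT = {"version": "2", "vulnerabilities": [{
    "id": "a1", "category": "sast", "identifiers": []}]}


def main(argv) -> int:
    """usage: PRODUCT REPORT.json [SCHEMA.json]; exit 1 on any violation."""
    product, report_path = argv[0], argv[1]
    schema = json.load(open(argv[2])) if len(argv) > 2 else download_schema(product)
    errors = validate(json.load(open(report_path)), schema)
    for err in errors:
        print(err, file=sys.stderr)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In the CI job the script would be invoked with the product name and the QA expectation file, so a non-empty error list fails the job; passing a local schema path is useful for offline runs and for testing the validator itself.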
Once these jobs have been created, all pipelines that depend on them should be triggered to discover which analyzers produce reports that do not comply with the Secure Report Format.
Further details
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Edited by Cameron Swords